Open mmushatt opened 4 years ago
In the "Impersonation Flow for Azure AD B2C - https://github.com/azure-ad-b2c/samples/tree/master/policies/impersonation " procedure, instead of having the users populate the "extension_GUID_can_impersonate" attribute using the Azure Graph API Explorer ( https://graphexplorer.azurewebsites.net/ ), you can have them utilize the Microsoft Graph API Explorer ( https://developer.microsoft.com/en-us/graph/graph-explorer) . Listed below is what they can do.
I am assuming you created the "extension_GUID_can_impersonate" attribute using either the Azure B2C Portal Blade ( Define custom attributes in Azure Active Directory B2C - https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-custom-attr ) or the Azure Graph API per the GitHub ( Extend Azure Active Directory Schema using Graph API - https://blogs.msdn.microsoft.com/aadgraphteam/2014/03/05/extend-azure-active-directory-schema-using-graph-api-preview/ )
Go to the Microsoft Graph Explorer ( https://developer.microsoft.com/en-us/graph/graph-explorer ) and log into the App using an account that can consent and modify the user's accounts ( example: Global Admin )
Verify that the "extension_GUID_can_impersonate" attribute does exist using the following request.
GET https://graph.microsoft.com/beta/applications/{Application_Object_ID}/extensionProperties
Display the user you wish to modify to verify that the extension attribute is not populated for them
GET https://graph.microsoft.com/beta/users/{GUID_or_UPN}
Modify the user object to populate the extension attribute
PATCH https://graph.microsoft.com/beta/users/{GUID_or_UPN}
{ "extension_GUID_can_impersonate": "1" }
NOTE: If successful, you should see an HTTP 204 response.
Verify that the extension attribute now exists for the user and is populated:
GET https://graph.microsoft.com/beta/users/{GUID_or_UPN}
After doing this, the Impersonation Flow for Azure AD B2C policy should work as desired
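The same procedure as a script, added here as an example; it is not code from the impersonation sample or from the poster. Everything specific is assumed: the app client ID, object ID and user are hypothetical, the bearer token is assumed to come from somewhere like the Graph Explorer access-token tab, and `make_fake_fetch` is a constructed in-memory stand-in for Graph so the flow can be run offline. It also shows the naming rule the placeholder `extension_GUID_can_impersonate` hides: the GUID in the attribute name is the b2c-extensions-app's application (client) ID with dashes removed, whereas the `/applications/{id}/extensionProperties` URL takes the object ID.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

GRAPH = "https://graph.microsoft.com/beta"  # beta endpoint, as used in the post

# fetch(method, path, json_body) -> (http_status, parsed_json_body)
Fetch = Callable[[str, str, Optional[dict]], Tuple[int, dict]]


def extension_attribute_name(app_client_id: str, attr: str) -> str:
    """Directory extensions are named extension_<appId without dashes>_<attr>.

    appId here is the application (client) ID of the b2c-extensions-app; the
    object ID is what goes in the /applications/{id}/extensionProperties URL.
    """
    return f"extension_{app_client_id.replace('-', '')}_{attr}"


def make_urllib_fetch(token: str) -> Fetch:
    """Live transport. The bearer token is assumed to be obtained elsewhere."""
    def fetch(method: str, path: str, body: Optional[dict] = None) -> Tuple[int, dict]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            GRAPH + path, data=data, method=method,
            headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        )
        try:
            with urllib.request.urlopen(req) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else {})
        except urllib.error.HTTPError as err:  # 4xx/5xx: hand the status back to the caller
            raw = err.read()
            return err.code, (json.loads(raw) if raw else {})
    return fetch


def make_fake_fetch(defined: set, users: Dict[str, dict]) -> Fetch:
    """Constructed in-memory stand-in for Graph (offline demo); mutates `users`."""
    def fetch(method: str, path: str, body: Optional[dict] = None) -> Tuple[int, dict]:
        if method == "GET" and path.endswith("/extensionProperties"):
            return 200, {"value": [{"name": n} for n in sorted(defined)]}
        user = path.split("/users/", 1)[1].split("?", 1)[0]
        if user not in users:
            return 404, {"error": {"code": "Request_ResourceNotFound"}}
        if method == "GET":
            return 200, dict(users[user])
        if method == "PATCH":
            users[user].update(body or {})
            return 204, {}
        return 405, {}
    return fetch


def extension_is_defined(fetch: Fetch, app_object_id: str, name: str) -> bool:
    """Step 1: GET /applications/{objectId}/extensionProperties and look for `name`."""
    status, body = fetch("GET", f"/applications/{app_object_id}/extensionProperties", None)
    if status != 200:
        raise RuntimeError(f"extensionProperties lookup failed: HTTP {status}")
    return any(p.get("name") == name for p in body.get("value", []))


def get_flag(fetch: Fetch, user: str, name: str) -> Optional[str]:
    """Steps 2 and 4: read the user; $select returns the extension on v1.0 as well as beta."""
    status, body = fetch("GET", f"/users/{user}?$select=id,{name}", None)
    if status != 200:
        raise RuntimeError(f"user lookup failed: HTTP {status}")
    return body.get(name)


def set_flag(fetch: Fetch, user: str, name: str, value: str = "1") -> None:
    """Step 3: PATCH the user with a real JSON body (double-quoted "1"); success is 204."""
    status, _ = fetch("PATCH", f"/users/{user}", {name: value})
    if status != 204:
        raise RuntimeError(f"PATCH failed: HTTP {status}")


def grant_impersonation(fetch: Fetch, app_object_id: str, name: str, user: str) -> dict:
    """Runs the post's steps in order: check definition, read, write if needed, re-read."""
    if not extension_is_defined(fetch, app_object_id, name):
        raise RuntimeError(f"{name} is not defined on the extensions app; create it first")
    before = get_flag(fetch, user, name)
    if before != "1":
        set_flag(fetch, user, name)
    return {"before": before, "after": get_flag(fetch, user, name)}


if __name__ == "__main__":
    # Constructed sample: hypothetical client ID, object ID and user; no real tenant.
    name = extension_attribute_name("11111111-2222-3333-4444-555555555555", "can_impersonate")
    users = {"alice@contoso.onmicrosoft.com": {"id": "a1b2"}}
    graph = make_fake_fetch({name}, users)
    print(grant_impersonation(graph, "<extensions-app-object-id>", name, "alice@contoso.onmicrosoft.com"))
```

To run it against a tenant, swap `make_fake_fetch(...)` for `make_urllib_fetch(token)` with a token that carries a scope able to write users (the post signs in as a Global Admin for this). Because the policy trusts this attribute to decide who may impersonate, treat the PATCH as a privilege grant: the script refuses to write when the attribute is not defined, re-reads after writing, and surfaces any non-204 status instead of assuming success.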
Thanks, we will change this now that the MS Graph API is supported for B2C accounts.