A Complete Integration – Azure AD B2C & Azure AD (Graph API, Logic Apps)

Login with Facebook, Twitter, LinkedIn or Azure AD? ” A guide outlining how to integrate Azure AD with B2C, using Logic Apps REST API & the Microsoft Graph API to retrieve user attributes. 

Disclaimer: Azure Logic Applications do not do well under heavy load. See the limits here from Microsoft before you implement this in a production environment. Generally speaking, the activity of the Logic App will be better performing on an App Service Plan or Azure Function. 

Azure AD B2C is an amazing offering from Microsoft that allows SaaS providers to offload their identity service to the cloud. Traditionally used for scenarios where integration with a social identity provider is desired, B2C whilst using the Identity Experience Framework (“custom policies / advanced policies”) can support the integration of any OAuth/OpenID Connect or SAML 2.0 Identity Provider, including Azure AD.

Why Azure AD B2C?

The business use cases for this are solid. With more than 8 million tenants in Azure AD, a company could enable “Sign in with Azure AD” and support SSO with arguably most enterprise organizations.

Integrating Azure AD & B2C has been documented by Microsoft, but there are some important gaps.

  1. B2C will only retrieve the ‘id_token’ from Azure AD, no ‘access_token’
  2. The ‘id_token’  will only contain the standard set of claim types listed here. This means our application will not be aware of claims such as title, mobilePhone, email address, or any custom attribute that we wish to deliver to the relying party (application).

Microsoft Graph & Azure Logic Apps

The solution to these gaps is proving a REST API that B2C will interact with to retrieve the user attributes.

General summary –

  1. User clicks “Login” to application
  2. B2C sends user to Azure AD Sign in page
  3. User Signs in
  4. Azure AD sends id_token to B2C (with objectid of user)
  5. B2C sends the ObjectID to the Logic App
  6. Logic app looks up user via the Graph API, sends rest of attributes to B2C
  7. B2C sends entire claim to relying party, either via SAML or JWT (OpenIDConnect)

Getting Started

Before getting started, you should have a complete B2C tenant, a POC application, and sign in with Azure AD already configured. A guide to this is provided by Microsoft here.

Microsoft Graph Application Registration & Authorization

In order to query the Graph API, we need to register a Microsoft Graph application. This is done via https://apps.dev.microsoft.com.

  1. Create an app
  2. Record your client_secret (application id)
  3. Generate and record your application secret
  4. Add Platforms > Web > Configure “http://localhost” as the redirect URL.
  5. Add Application Permission “User.Read.All”
  6. Save

Now that the app is registered, you must authorize it to query against your directory. B2C will only be sending the Object ID and tenant to the application, no access_token, so the application needs to have pre-authorization.

  1. Construct a request URL

https://login.microsoftonline.com/<tenant name>/adminconsent?client_id=<application_id>&redirect_uri=http://localhost/#

Tenant name = The FQDN of your Azur AD tenant (contoso.onmicrosoft.com)

Application_id = The complete Application ID from the apps.dev.microsoft.com site

  1. Browser to this URL in your browser
  2. Sign in with an adminstrative account of the Azure AD tenant. 
  3. Approve the application
  4. Acknowledge – You’ll be redirected to http://localhost. If the request was successful, you should see a URL  like http://localhost/?admin_consent=True&tenant=6660b467-add3-4d9e-8ada-48b1721959f3

Once you have the app authorized, the application ID and application secret, click the “Deploy to Azure” button below which will configure the Logic App immediately ready for use in your tenant.

Once the app has deployed, get the request URL for the application from within the Azure Portal. This will later be used in your B2C policy.

Integrate Logic App with B2C

Now that the Logic App is deployed, we need to add the Claim Provider and add register the Claim Provider as part of the User Journey. Also, The logic app is developed with multi-tenancy in mind, meaning we can accept requests that come in from any Azure AD tenant. However, the Logic App must know the tenant that is being used so we configure a DefaultValue claim for the Azure AD technical profile to be sent in the claim to the Logic App.

  1. Open your TrustFrameworkBase.xml

Find the tag <ClaimsSchema>

2. Add the following code snip

  <ClaimType Id="tenant">
        <DisplayName>Tenant Hint</DisplayName>
        <UserHelpText />

3. Open your TrustFrameworkExtensions.xml file

Locate the TechnicalProfile for your Azure AD configuration. Add the following to your list of <OutputClaims>

<OutputClaim ClaimTypeReferenceId="tenant" DefaultValue="tenant-name.OnMicrosoft.com" />

Replace tenant-name  with the FQDN of your tenant.

4. Register the technical profile of the Logic App

Immediately after the ending <\TechnicalProfile> of the Azure AD configuration, add the following snipit.

note: You must format your URL to be XML compliant. After each ‘&’ symbol you must add ‘amp;’

Example –

<TechnicalProfile Id="AzureFunctions-AzureADGraphLookup">
          <DisplayName>Query Graph API for rest of user attributes</DisplayName>
          <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=, Culture=neutral, PublicKeyToken=null" />
            <Item Key="ServiceUrl">LOGIC APP POST URL HERE</Item>
            <Item Key="AuthenticationType">None</Item>
            <Item Key="SendClaimsIn">Body</Item>
            <Item Key="ClaimsFormat">Body</Item>
            <InputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="oid" />
            <InputClaim ClaimTypeReferenceId="tenant" PartnerClaimType="tenant" />
            <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="mail" />
          <UseTechnicalProfileForSessionManagement ReferenceId="SSOSession-Noop" />

5. Add the Logic App to the User Journey

Locate your default UserJourney. This may be in your TrustFrameworkExtensions or Base file. Locate where your orchestration step is being executed to call against Azure AD. Immediately after, add the following code. 

Be certain to change the OrchestrationStep Order number.

 <OrchestrationStep Order="6" Type="ClaimsExchange"> <ClaimsExchanges> <ClaimsExchange Id="AzureFunctions-AzureADGraphLookupExchange" TechnicalProfileReferenceId="AzureFunctions-AzureADGraphLookup" /> </ClaimsExchanges> </OrchestrationStep>

6. Save & Upload your policies. Viola! 

Concluding notes

  1. Security – Integrating the Logic App, we rely on the SAS (Shared Access Signature) of the Logic App in the URL as a method of authentication. This is not the most secure approach, as anyone with the URL could query our Graph API. It is recommended if this is implemented in production, that you use Azure API Management as a wrapper around the Logic App to provide authentication and optionally caching.
  2. This example only outlines retrieving the email of the user from the Graph API. The complete list of attributes are located here. https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_get. Make certain to add the claim to your schema before configuring an output claim of the Logic App.
0 0 vote
Article Rating
Inline Feedbacks
View all comments