Allow all domains when adding a user to Azure B2C using the Graph API

I am trying to add a user with the email [email protected] to my B2C directory via the Graph API (C#). I get this as a response:

The domain portion of the userPrincipalName property is invalid. You must use one of the verified domain names in your organization.

This system needs to allow for users of any email domain to sign in. The users need to log in to a website, not have access to the Azure Portal.

Is there a way to accomplish this without manually adding every domain?

Code for adding user via Graph API:

using System.Linq;
using Microsoft.Graph;
using Microsoft.Graph.Auth;
using Microsoft.Identity.Client;

// App-only (client credentials) authentication against the B2C tenant.
var confidentialClientApplication = ConfidentialClientApplicationBuilder
    .Create(clientId)
    .WithTenantId(tenantId)
    .WithClientSecret(clientSecret)
    .Build();

var authProvider = new ClientCredentialProvider(confidentialClientApplication);

var graphClient = new GraphServiceClient(authProvider);

// UserPrincipalName is set to the external email address; that is the value
// the Graph API rejects with the "domain portion ... is invalid" response.
var user = new User
{
    AccountEnabled = true,
    DisplayName = emailAddress,
    MailNickname = emailAddress.Split('@').FirstOrDefault(),
    UserPrincipalName = emailAddress,
    PasswordProfile = new PasswordProfile
    {
        ForceChangePasswordNextSignIn = true,
        Password = tempPassword
    }
};

// The request that returns the error quoted above.
await graphClient.Users.Request().AddAsync(user);
rgahan asked Nov 16 '20 15:11



2 Answers

If you're trying to create local B2C (not AAD) accounts try setting the identities property in your request but not the upn. This last should be auto-generated. Also password expirations must be disabled, and force change password at next sign-in must also be disabled.

Alfredo R answered Oct 26 '22 15:10


I had to add the following packages:

<PackageReference Include="Microsoft.Graph" Version="4.0.0-preview.7" />
<PackageReference Include="Microsoft.Graph.Auth" Version="1.0.0-preview.7" />

Then:

using System.Collections.Generic;
using Microsoft.Graph;
using Microsoft.Graph.Auth;
using Microsoft.Identity.Client;

var confidentialClientApplication = ConfidentialClientApplicationBuilder
    .Create(Settings.ClientId)
    .WithTenantId(Settings.Tenant)
    .WithClientSecret(Settings.ClientSecret)
    .Build();

var authProvider = new ClientCredentialProvider(confidentialClientApplication);

var graphClient = new GraphServiceClient(authProvider);

// No UserPrincipalName: Graph generates one under a verified tenant domain.
var user = new User
{
    AccountEnabled = true,
    GivenName = "Name",
    Surname = "Surname",
    DisplayName = "Name Surname",
    PasswordProfile = new PasswordProfile
    {
        // Must be false for local B2C accounts.
        ForceChangePasswordNextSignIn = false,
        Password = "pass.123",
    },
    // Password expiration must be disabled for local B2C accounts.
    PasswordPolicies = "DisablePasswordExpiration",
    // The sign-in identity carries the user's own email address, whatever its domain.
    Identities = new List<ObjectIdentity>
    {
        new ObjectIdentity()
        {
            SignInType = "emailAddress",
            Issuer = Settings.Tenant,
            IssuerAssignedId = "[email protected]"
        }
    }
};

await graphClient.Users.Request().AddAsync(user);

Make sure to add the permission to create users in the Azure portal.

0lukasz0 answered Oct 26 '22 14:10
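The approach both answers describe (identities instead of a UPN, force-change and password expiration disabled), as an added example that is not code from the question or from either answer. It assumes Microsoft.Graph 4.x with the Microsoft.Graph.Auth preview package as in the second answer; `tenantDomain`, `clientId`, `clientSecret` and the sample address are placeholders the reader supplies. Compared with the answer's snippet it validates the address before sending it, generates a random initial password rather than a hard-coded literal, and surfaces Graph's own error message when the request is refused.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Mail;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.Graph.Auth;
using Microsoft.Identity.Client;

public static class B2CLocalAccounts
{
    // Builds the User object for a local (email) B2C account. UserPrincipalName is
    // deliberately left unset so Graph generates one under a verified tenant domain;
    // the sign-in identity carries the user's own address, whatever its domain.
    public static User BuildLocalAccount(string email, string tenantDomain, string initialPassword)
    {
        // Reject anything that is not a syntactically valid address before it reaches Graph.
        var address = new MailAddress(email);

        return new User
        {
            AccountEnabled = true,
            DisplayName = address.Address,
            // Both settings are required for local account creation (see the first answer).
            PasswordProfile = new PasswordProfile
            {
                ForceChangePasswordNextSignIn = false,
                Password = initialPassword
            },
            PasswordPolicies = "DisablePasswordExpiration",
            Identities = new List<ObjectIdentity>
            {
                new ObjectIdentity
                {
                    SignInType = "emailAddress",
                    Issuer = tenantDomain,            // placeholder, e.g. the tenant's onmicrosoft.com domain
                    IssuerAssignedId = address.Address
                }
            }
        };
    }

    // Random initial password from a CSPRNG instead of a literal such as "pass.123".
    // The alphabet mixes lower/upper case, digits and symbols; 24 characters from it
    // will in practice satisfy the tenant's complexity rules.
    public static string NewRandomPassword(int length = 24)
    {
        const string alphabet =
            "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*";
        var chars = new char[length];
        for (var i = 0; i < length; i++)
            chars[i] = alphabet[RandomNumberGenerator.GetInt32(alphabet.Length)];
        return new string(chars);
    }

    // Creates the account. The app registration needs the User.ReadWrite.All
    // application permission with admin consent; nothing broader is required.
    public static async Task<User> CreateAsync(
        string email, string tenantDomain, string clientId, string clientSecret)
    {
        var app = ConfidentialClientApplicationBuilder
            .Create(clientId)
            .WithTenantId(tenantDomain)
            .WithClientSecret(clientSecret)
            .Build();
        var graphClient = new GraphServiceClient(new ClientCredentialProvider(app));

        var user = BuildLocalAccount(email, tenantDomain, NewRandomPassword());
        try
        {
            return await graphClient.Users.Request().AddAsync(user);
        }
        catch (ServiceException ex)
        {
            // Graph's message (for example the "domain portion ... is invalid" text in the
            // question) is the quickest way to see which property it objected to.
            throw new InvalidOperationException(
                $"Graph refused to create {address(email)}: {ex.Error?.Message}", ex);
        }
    }

    private static string address(string email) => new MailAddress(email).Address;
}
```

The generated password is only a bootstrap credential: because `ForceChangePasswordNextSignIn` must be false for these accounts, the application should deliver it through a password-reset user flow or an out-of-band channel rather than treat it as the user's long-term secret.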