I have added a custom User Attribute named Company Name via Azure AD B2C > User attributes, so that this information can be returned in the identity token after successful sign-in.
I want to update these values for each user in the Azure AD B2C tenant.
As I understand it:
I cannot update these values via Azure Portal
The only way to update these values is via Microsoft Graph, specifically these methods:
I don't want to have to create an application just to be able to perform this basic administrative task.
So I am looking at:
Microsoft Graph PowerShell SDK
I installed the Microsoft Graph PowerShell SDK in PowerShell 7.
I was prompted to sign in via the browser after running this command:
Connect-MgGraph -Scopes "User.Read.All","Group.ReadWrite.All"
At this point I was confused which credentials to log in with.
I logged in using my 'home tenant' Azure AD credentials (i.e. the admin credentials of the Azure AD tenant from which I created the Azure AD B2C tenant, which then automatically created a guest account in the B2C tenant with the user principal name info_my-home-tenant.onmicrosoft.com#EXT#@my-dev-tenant.onmicrosoft.com).
I made the decision because I don't think I have any Azure AD B2C credentials.
(to access Azure AD B2C when I am logged into Azure Portal with my Azure AD credentials, I just click on 'switch directory').
I then ran:
Get-MgUser
And it, predictably, returned the users from my home Azure AD tenant, not the Azure AD B2C tenant.
So my question is: in PowerShell 7, with the Microsoft Graph PowerShell SDK installed, how do I sign in so that I can interact with the Azure AD B2C tenant users, rather than my 'home' directory tenant users?
EDIT:
I started trying to follow the process described here:
Use app-only authentication with the Microsoft Graph PowerShell SDK
The first step is:
You'll need an X.509 certificate installed in your user's trusted store on the machine where you'll run the script
I created an Application Registration; however, in the Certificates & secrets section it says:
Please note certificates cannot be used to authenticate against Azure AD B2C.
I agree this is tricky.
Below are the steps you can use to successfully sign in to Azure AD B2C using Microsoft Graph SDK, and update a user's custom attribute value.
This post is divided into three sections:
This post assumes we have a custom attribute named Company Name
defined in Azure AD B2C:
PowerShell Microsoft Graph SDK Reference
To orientate yourself, here is the link to the Microsoft.Graph.Users section:
Summary
The solution requires the definition of 4 variables and 5 commands that will reference them:
Variables:
azure_ad_b2c_tenant_id
extensions_app_id
custom_attribute_property
user_id
Commands:
Make a connection:
Connect-MgGraph -TenantId "<azure_ad_b2c_tenant_id>" -Scopes "User.ReadWrite.All"
Sanity check - list all users:
Get-MgUser | Format-List ID, DisplayName, UserPrincipalName
Sanity check - view existing value of custom attribute for single user:
$existingUser = Get-MgUser -UserId "<user-id>" -Property "id,extension_<your-extensions-app-application-id>_CompanyName"
$existingUser.AdditionalProperties | Format-List
Update a user's custom attribute:
$params = @{extension_<your-extensions-app-application-id>_CompanyName='Test Company'}
Update-MgUser -UserId "<user-id>" -BodyParameter $params
Verify the update:
$existingUser = Get-MgUser -UserId "<user-id>" -Property "id,extension_<your-extensions-app-application-id>_CompanyName"
$existingUser.AdditionalProperties | Format-List
Variables
Below are the variables that will be referenced and where to find them.
You might want to grab them at the start of the process so you can easily reference them later.
azure_ad_b2c_tenant_id
Azure AD B2C directory
> Azure AD
> Tenant ID
extensions_app_id
Azure AD B2C
> App registrations
> [ select 'All applications' ]
b2c-extensions-app. Do not modify. Used by AADB2C for storing user data.
Application (client) ID value
custom_attribute_property
This is a string of concatenated values with this syntax:
extension_<your-extensions-app-application-id>_<your-custom-attribute>
For example: extension_lalala1234etc_CompanyName
user_id
Azure AD B2C
> Users
> [ click on desired user ]
> Object ID
Commands
01. Connect to your Azure AD B2C tenant
Connect-MgGraph -TenantId "<azure_ad_b2c_tenant_id>" -Scopes "User.ReadWrite.All"
This will prompt you to log in with your Azure AD home tenant credentials.
02. Sanity check - list all users to confirm you are in the right tenant
Get-MgUser
# you can make the results prettier by using Format-List and defining the columns you want displayed
Get-MgUser | Format-List ID, DisplayName, UserPrincipalName
03. Sanity check - see what the value of the custom attribute currently is for all users and a single user
# all users - these do not work:
Get-MgUser | Format-List ID, extension_<your-extensions-app-application-id>_CompanyName
Get-MgUser -Property "id,extension_<your-extensions-app-application-id>_CompanyName"
# single user - these do not work:
Get-MgUser -UserId "<user-id>" | Format-List ID, DisplayName, UserPrincipalName, extension_<your-extensions-app-application-id>_CompanyName
Get-MgUser -UserId "<user-id>" -Property "id,extension_<your-extensions-app-application-id>_CompanyName"
# single user - this works:
$existingUser = Get-MgUser -UserId "<user-id>" -Property "id,extension_<your-extensions-app-application-id>_CompanyName"
$existingUser.AdditionalProperties | Format-List
04. Update a single user's custom attribute
$params = @{extension_<your-extensions-app-application-id>_CompanyName='Test Company'}
Update-MgUser -UserId "<user-id>" -BodyParameter $params
05. Verify the update was made
$existingUser = Get-MgUser -UserId "<user-id>" -Property "id,extension_<your-extensions-app-application-id>_CompanyName"
$existingUser.AdditionalProperties | Format-List
The decoded idToken that is returned after sign-in will look like this:
Or, if signing in via an identity provider (in this case the home AD tenant), the decoded idToken will look like this:
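As an added example (not code from the question or the answer above), the function below wraps steps 01 to 05 into one reusable PowerShell 7 command and adds the check a practitioner wants before writing to a directory: it verifies via Get-MgContext that the connected tenant really is the B2C tenant, then reads the attribute, updates it and reads it back. The function name Set-B2cCustomAttribute and all placeholder values are assumptions; the tenant ID, extensions app ID and user Object ID come from the portal as described under "Variables".

```powershell
# Added example: wraps the five commands above with a tenant guard and read-back check.
function Set-B2cCustomAttribute {
    param(
        [Parameter(Mandatory)] [string] $B2cTenantId,      # azure_ad_b2c_tenant_id
        [Parameter(Mandatory)] [string] $ExtensionsAppId,  # b2c-extensions-app client ID
        [Parameter(Mandatory)] [string] $UserId,           # user Object ID
        [Parameter(Mandatory)] [string] $AttributeName,    # e.g. CompanyName
        [Parameter(Mandatory)] [string] $NewValue
    )

    # Graph exposes the attribute as extension_<app-id-without-hyphens>_<attribute>.
    $prop = 'extension_{0}_{1}' -f ($ExtensionsAppId -replace '-', ''), $AttributeName

    # Sign in to the B2C directory itself. Without -TenantId the SDK signs you
    # into your home tenant, which is exactly the behaviour the question describes.
    # Only the scope needed for this task is requested (least privilege).
    $ctx = Get-MgContext
    if (-not $ctx -or $ctx.TenantId -ne $B2cTenantId) {
        Connect-MgGraph -TenantId $B2cTenantId -Scopes 'User.ReadWrite.All' | Out-Null
        $ctx = Get-MgContext
    }
    # Guard: refuse to write to any directory other than the intended one.
    if ($ctx.TenantId -ne $B2cTenantId) {
        throw "Connected to tenant $($ctx.TenantId), expected $B2cTenantId; aborting."
    }

    # Extension properties are not first-class fields on the user object; they are
    # surfaced through AdditionalProperties, keyed by the full property name.
    $before = (Get-MgUser -UserId $UserId -Property "id,$prop").AdditionalProperties[$prop]

    # Update with a hashtable body whose key is the full extension property name.
    Update-MgUser -UserId $UserId -BodyParameter @{ $prop = $NewValue }

    # Verify by reading the value back rather than trusting the absence of an error.
    $after = (Get-MgUser -UserId $UserId -Property "id,$prop").AdditionalProperties[$prop]
    if ($after -ne $NewValue) {
        throw "Update of $prop on $UserId did not persist (read back: '$after')."
    }

    [pscustomobject]@{ UserId = $UserId; Property = $prop; Before = $before; After = $after }
}

# Example call with placeholder values (replace with your own):
# Set-B2cCustomAttribute -B2cTenantId '<azure_ad_b2c_tenant_id>' `
#     -ExtensionsAppId '<extensions_app_id>' -UserId '<user_id>' `
#     -AttributeName 'CompanyName' -NewValue 'Test Company'
```

The returned object shows the value before and after the write, which is useful to log when bulk-updating many users.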