How to add a custom role to be associated with the token of a B2C entra id

Bharath Hari 5 Reputation points
2024-10-28T15:25:12.8+00:00

Hi,

We are building a B2C application where user accounts are created using Entra ID. When a B2C Entra ID is created I want to be able to associate a role (admin, write, read) to the token generated when the user tries to login. I have been unable to find any documentation that supports this use case and would appreciate any help in solving this use case.

Thanks
Bharath

Microsoft Entra ID

1 answer

James Hamil 26,976 Reputation points Microsoft Employee
    2024-11-13T00:39:20.4233333+00:00

    @Bharath Hari , please follow these steps and let me know if they help:

    1. Declare the app roles for your application in the app registration process in Azure portal. You can define app roles on an application registration representing a service, app or API. When a user signs in to the application, Azure AD emits a roles claim for each role that the user or service principal has been granted. This can be used to implement claim-based authorization.
    2. Assign the app roles to the users or groups in the Enterprise applications pane. These assigned app roles are included with any token that's issued for your application, either access tokens when your app is the API being called by an app or ID tokens when your app is signing in a user.
    3. To receive the app roles in the token, you can use the Azure AD B2C custom policies feature. You can define a custom policy that includes the app roles in the token.

    Here is an example of how to add app roles to an application registered in Azure AD B2C:

    1. In the Azure portal, go to the app registration for your B2C application.
    2. Select Manifest and add the following JSON to the appRoles property:
    "appRoles": [
        {
          "allowedMemberTypes": [
            "User"
          ],
          "displayName": "Admin",
          "id": "1b4f816e-5eaf-48b9-8613-7923830595ad",
          "isEnabled": true,
          "description": "Admins can manage the application",
          "value": "admin"
        },
        {
          "allowedMemberTypes": [
            "User"
          ],
          "displayName": "Write",
          "id": "c20e145e-5459-4a6c-a074-b942bbd4cfe1",
          "isEnabled": true,
          "description": "Users can write data",
          "value": "write"
        },
        {
          "allowedMemberTypes": [
            "User"
          ],
          "displayName": "Read",
          "id": "fcacce5d-5d5d-4f3a-9a5c-1e32b6b1d5bc",
          "isEnabled": true,
          "description": "Users can read data",
          "value": "read"
        }
      ]
    

    In your custom policy, you can add the following technical profile to include the app roles in the token:

    <TechnicalProfile Id="JwtIssuer">
      <Metadata>
        <Item Key="client_id">{service:te}</Item>
        <Item Key="issuer_refresh_token_user_identity_claim_type">objectId</Item>
        <Item Key="SendTokenResponseBodyWithJsonFormat">true</Item>
        <Item Key="token_lifetime_secs">3600</Item>
        <Item Key="id_token_lifetime_secs">900</Item>
        <Item Key="AccessTokenResponseFormat">jwt</Item>
        <Item Key="ClaimsEndpoint">https://graph.windows.net/myorganization/users/{OID}/appRoleAssignments?api-version=1.6</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="TokenSigningKey" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
        <Key Id="IssuerSigningKey" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
      </CryptographicKeys>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid"/>
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="displayName"/>
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="{service}" />
        <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{tenant}" />
        <OutputClaim ClaimTypeReferenceId="roles" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRolesClaimFromAppRoles" />
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>
    

    In the ClaimsEndpoint metadata item, replace myorganization with your tenant's name.

    In the OutputClaimsTransformations section, add the following transformation:

    <OutputClaimsTransformation ReferenceId="CreateRolesClaimFromAppRoles" TransformationMethod="CreateStringClaim">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="appRoles" TransformationClaimType="roleIds" />
      </InputClaims>
      <InputParameters>
        <InputParameter Id="stringFormat" DataType="string" Value="{0}" />
      </InputParameters>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="roles" TransformationClaimType="createdClaim" />
      </OutputClaims>
    </OutputClaimsTransformation>
    

    This transformation creates a roles claim in the token that contains the app roles assigned to the user.

    In your B2C application, you can use the roles claim to implement role-based access control.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it. Thank you, James
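The two places where this goes wrong in practice are a manifest whose appRoles entries collide (duplicate id or value) and an application that reads the roles claim before the token has actually been verified. The following is an added example, not code from the question, the answer, or Microsoft: it checks an appRoles array for the constraints Entra enforces (unique GUID id, unique value, allowedMemberTypes of User/Application) using the three roles from the manifest above, then verifies a token (signature, alg, audience, issuer, expiry) before mapping the roles claim to an access decision. The HS256 shared secret, the audience/issuer strings, and the admin > write > read hierarchy are constructed assumptions so it runs offline; a real B2C token is RS256-signed and is verified against the tenant's JWKS by a library such as MSAL or PyJWT, but the order of checks is the same.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid
from typing import Any, Optional

# Manifest entries as posted in the answer above (GUIDs copied from the page).
APP_ROLES: list[dict[str, Any]] = [
    {"allowedMemberTypes": ["User"], "displayName": "Admin", "isEnabled": True,
     "id": "1b4f816e-5eaf-48b9-8613-7923830595ad", "value": "admin",
     "description": "Admins can manage the application"},
    {"allowedMemberTypes": ["User"], "displayName": "Write", "isEnabled": True,
     "id": "c20e145e-5459-4a6c-a074-b942bbd4cfe1", "value": "write",
     "description": "Users can write data"},
    {"allowedMemberTypes": ["User"], "displayName": "Read", "isEnabled": True,
     "id": "fcacce5d-5d5d-4f3a-9a5c-1e32b6b1d5bc", "value": "read",
     "description": "Users can read data"},
]
# Assumed hierarchy for this example only: admin implies write, write implies read.
ROLE_IMPLIES = {"admin": {"admin", "write", "read"}, "write": {"write", "read"}, "read": {"read"}}
VALID_MEMBER_TYPES = {"User", "Application"}


def validate_app_roles(app_roles: list[dict[str, Any]]) -> list[str]:
    """Return the problems found in an appRoles array; an empty list means it is consistent."""
    problems: list[str] = []
    seen_ids: set[str] = set()
    seen_values: set[str] = set()
    for i, role in enumerate(app_roles):
        try:
            rid = str(uuid.UUID(str(role.get("id", ""))))
        except ValueError:
            problems.append(f"role {i}: id is not a valid GUID")
        else:
            if rid in seen_ids:
                problems.append(f"role {i}: duplicate id {rid}")
            seen_ids.add(rid)
        value = role.get("value")  # this string is what appears in the roles claim
        if not value:
            problems.append(f"role {i}: missing value")
        elif value in seen_values:
            problems.append(f"role {i}: duplicate value {value!r}")
        else:
            seen_values.add(value)
        member_types = set(role.get("allowedMemberTypes", []))
        if not member_types or member_types - VALID_MEMBER_TYPES:
            problems.append(f"role {i}: allowedMemberTypes must be a non-empty subset of User/Application")
        if not isinstance(role.get("isEnabled"), bool):
            problems.append(f"role {i}: isEnabled must be a boolean")
    return problems


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt_hs256(claims: dict[str, Any], secret: bytes) -> str:
    """Issue a compact JWT. HS256 with a constructed secret stands in for B2C's RS256 signing."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_jwt_hs256(token: str, secret: bytes, audience: str, issuer: str,
                     now: Optional[float] = None) -> dict[str, Any]:
    """Return the claims only after alg, signature, audience, issuer and expiry all pass."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # rejects alg=none and algorithm confusion
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired or has no exp")
    return claims


def roles_from_claims(claims: dict[str, Any]) -> set[str]:
    """Entra emits roles as a JSON array; a single string (as a string-typed claim would be) is also accepted."""
    raw = claims.get("roles", [])
    return {raw} if isinstance(raw, str) else {r for r in raw if isinstance(r, str)}


def is_authorized(claims: dict[str, Any], required_role: str) -> bool:
    """True when one of the granted app roles implies required_role; unknown values grant nothing."""
    granted: set[str] = set()
    for role in roles_from_claims(claims):
        granted |= ROLE_IMPLIES.get(role, set())
    return required_role in granted
```

Call `validate_app_roles(APP_ROLES)` on the manifest array before uploading it; the roles claim is only worth reading from the dictionary that `verify_jwt_hs256` (or your JWT library's equivalent) returns, never from a payload decoded by hand.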

