Manage Azure AD B2C with Microsoft Graph
Microsoft Graph allows you to manage resources in your Azure AD B2C directory. The following Microsoft Graph API operations are supported for the management of Azure AD B2C resources, including users, identity providers, user flows, custom policies, and policy keys. Each link in the following sections targets the corresponding page within the Microsoft Graph API reference for that operation.
Note
You can also programmatically create an Azure AD B2C directory itself, along with the corresponding Azure resource linked to an Azure subscription. This functionality isn't exposed through the Microsoft Graph API, but through the Azure REST API. For more information, see B2C Tenants - Create.
Prerequisites
- To use MS Graph API, and interact with resources in your Azure AD B2C tenant, you need an application registration that grants the permissions to do so. Follow the steps in the Register a Microsoft Graph application article to create an application registration that your management application can use.
User management
Note
Azure AD B2C currently does not support advanced query capabilities on directory objects. This means that there is no support for $count, $search query parameters and Not (not), Not equals (ne), and Ends with (endsWith) operators in $filter query parameter. For more information, see query parameters in Microsoft Graph and advanced query capabilities in Microsoft Graph.
User phone number management
A phone number that can be used by a user to sign-in using SMS or voice calls, or multifactor authentication. For more information, see Microsoft Entra authentication methods API.
Note, the list operation returns only enabled phone numbers. The following phone number should be enabled to use with the list operations.
Note
A correctly represented phone number is stored with a space between the country code and the phone number. The Azure AD B2C service doesn't currently add this space by default.
Software OATH token authentication method
A software OATH token is a software-based number generator that uses the OATH time-based one-time password (TOTP) standard for multifactor authentication via an authenticator app. Use the Microsoft Graph API to manage a software OATH token registered to a user:
Identity providers
Manage the identity providers available to your user flows in your Azure AD B2C tenant.
- List identity providers available in the Azure AD B2C tenant
- List identity providers configured in the Azure AD B2C tenant
- Create an identity provider
- Get an identity provider
- Update identity provider
- Delete an identity provider
User flow (beta)
Configure pre-built policies for sign-up, sign-in, combined sign-up and sign-in, password reset, and profile update.
Custom policies (beta)
The following operations allow you to manage your Azure AD B2C Trust Framework policies, known as custom policies.
- List all trust framework policies configured in a tenant
- Create trust framework policy
- Read properties of an existing trust framework policy
- Update or create trust framework policy.
- Delete an existing trust framework policy
Policy keys (beta)
The Identity Experience Framework stores the secrets referenced in a custom policy to establish trust between components. These secrets can be symmetric or asymmetric keys/values. In the Azure portal, these entities are shown as Policy keys.
The top-level resource for policy keys in the Microsoft Graph API is the Trusted Framework Keyset. Each Keyset contains at least one Key. To create a key, first create an empty keyset, and then generate a key in the keyset. You can create a manual secret, upload a certificate, or a PKCS12 key. The key can be a generated secret, a string, or a certificate you upload. If a keyset has multiple keys, only one of the keys is active.
Trust Framework policy keyset
- List the trust framework keysets
- Create a trust framework keysets
- Get a keyset
- Update a trust framework keysets
- Delete a trust framework keysets
Trust Framework policy key
- Get currently active key in the keyset
- Generate a key in keyset
- Upload a string based secret
- Upload a X.509 certificate
- Upload a PKCS12 format certificate
Applications
- List applications
- Create an application
- Update application
- Create servicePrincipal
- Create oauth2Permission Grant
- Delete application
Application extension (directory extension) properties
Application extension properties are also known as directory or Microsoft Entra extensions. To manage them in Azure AD B2C, use the identityUserFlowAttribute resource type and its associated methods.
- Create user flow attribute
- List user flow attributes
- Get a user flow attribute
- Update a user flow attribute
- Delete a user flow attribute
You can store up to 100 directory extension values per user. To manage the directory extension properties for a user, use the following User APIs in Microsoft Graph.
- Update user: To write or remove the value of the directory extension property from the user object.
- Get a user: To retrieve the value of the directory extension for the user. The property will be returned by default through the
betaendpoint, but only on$selectthrough thev1.0endpoint.
For user flows, these extension properties are managed by using the Azure portal. For custom policies, Azure AD B2C creates the property for you, the first time the policy writes a value to the extension property.
Note
In Microsoft Entra ID, directory extensions are managed through the extensionProperty resource type and its associated methods. However, because they are used in B2C through the b2c-extensions-app app which should not be updated, they are managed in Azure AD B2C using the identityUserFlowAttribute resource type and its associated methods.
Tenant usage
Use the Get organization details API to get your directory size quota. You need to add the $select query parameter as shown in the following HTTP request:
GET https://microsoftgraph.chinacloudapi.cn/v1.0/organization/organization-id?$select=directorySizeQuota
Replace organization-id with your organization or tenant ID.
The response to the above request looks similar to the following JSON snippet:
{
"directorySizeQuota": {
"used": 156,
"total": 1250000
}
}
Audit logs
For more information about accessing Azure AD B2C audit logs, see Accessing Azure AD B2C audit logs.
Conditional Access
- List the built-in templates for Conditional Access policy scenarios
- List all of the Conditional Access policies
- Read properties and relationships of a Conditional Access policy
- Create a new Conditional Access policy
- Update a Conditional Access policy
- Delete a Conditional Access policy
Retrieve or restore deleted users and applications
Deleted users and apps can only be restored if they were deleted within the last 30 days.
How to programmatically manage Microsoft Graph
You can manage Microsoft Graph in two ways:
- Delegated permissions either the user or an administrator consents to the permissions that the app requests. The app is delegated with the permission to act as a signed-in user when it makes calls to the target resource.
- Application permissions are used by apps that do not require a signed in user present. Because of this, only administrators can consent to application permissions.
Note
Delegated permissions for users signing in through user flows or custom policies cannot be used against delegated permissions for Microsoft Graph API.
Code sample: How to programmatically manage user accounts
This code sample is a .NET Core console application that uses the Microsoft Graph SDK to interact with Microsoft Graph API. Its code demonstrates how to call the API to programmatically manage users in an Azure AD B2C tenant. You can download the sample archive (*.zip), browse the repository on GitHub, or clone the repository:
git clone https://github.com/Azure-Samples/ms-identity-dotnetcore-b2c-account-management.git
After you've obtained the code sample, configure it for your environment and then build the project:
Open the project in Visual Studio or Visual Studio Code.
Open
src/appsettings.json.In the
appSettingssection, replaceyour-b2c-tenantwith the name of your tenant, andApplication (client) IDandClient secretwith the values for your management application registration. For more information, see Register a Microsoft Graph Application.Open a console window within your local clone of the repo, switch into the
srcdirectory, then build the project:cd src dotnet buildRun the application with the
dotnetcommand:dotnet bin/Debug/netcoreapp3.1/b2c-ms-graph.dll
The application displays a list of commands you can execute. For example, get all users, get a single user, delete a user, update a user's password, and bulk import.
Note
For the application to update user account passwords, you'll need to grant the user administrator role to the application.
Code discussion
The sample code uses the Microsoft Graph SDK, which is designed to simplify building high-quality, efficient, and resilient applications that access Microsoft Graph.
Any request to the Microsoft Graph API requires an access token for authentication. The solution makes use of the Microsoft.Graph.Auth NuGet package that provides an authentication scenario-based wrapper of the Microsoft Authentication Library (MSAL) for use with the Microsoft Graph SDK.
The RunAsync method in the Program.cs file:
- Reads application settings from the appsettings.json file
- Initializes the auth provider using OAuth 2.0 client credentials grant flow. With the client credentials grant flow, the app is able to get an access token to call the Microsoft Graph API.
- Sets up the Microsoft Graph service client with the auth provider:
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
using System;
using System.Threading.Tasks;
using Microsoft.Graph;
using Azure.Identity;
using Microsoft.Identity.Client;
using System.Net.Http.Headers;
namespace b2c_ms_graph
{
public static class Program
{
static async Task Main(string[] args)
{
//<ms_docref_set_auth_provider>
// Read application settings from appsettings.json (tenant ID, app ID, client secret, etc.)
AppSettings config = AppSettingsFile.ReadFromJsonFile();
// Initialize the client credential auth provider
var scopes = new[] { "https://microsoftgraph.chinacloudapi.cn/.default" };
var clientSecretCredential = new ClientSecretCredential(config.TenantId, config.AppId, config.ClientSecret);
var graphClient = new GraphServiceClient(clientSecretCredential, scopes);
//</ms_docref_set_auth_provider>
PrintCommands();
try
{
while (true)
{
Console.Write("Enter command, then press ENTER: ");
string decision = Console.ReadLine();
switch (decision.ToLower())
{
case "1":
await UserService.ListUsers(graphClient);
break;
case "2":
await UserService.GetUserById(graphClient);
break;
case "3":
await UserService.GetUserBySignInName(config, graphClient);
break;
case "4":
await UserService.DeleteUserById(graphClient);
break;
case "5":
await UserService.SetPasswordByUserId(graphClient);
break;
case "6":
await UserService.BulkCreate(config, graphClient);
break;
case "7":
await UserService.CreateUserWithCustomAttribute(graphClient, config.B2cExtensionAppClientId, config.TenantId);
break;
case "8":
await UserService.ListUsersWithCustomAttribute(graphClient, config.B2cExtensionAppClientId);
break;
case "9":
await UserService.CountUsers(graphClient);
break;
case "help":
Program.PrintCommands();
break;
case "exit":
return;
default:
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine("Invalid command. Enter 'help' to show a list of commands.");
Console.ResetColor();
break;
}
Console.ResetColor();
}
}
catch (Exception ex)
{
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine($"An error occurred: {ex}");
Console.ResetColor();
}
Console.ReadLine();
}
private static void PrintCommands()
{
Console.ResetColor();
Console.WriteLine();
Console.WriteLine("Command Description");
Console.WriteLine("====================");
Console.WriteLine("[1] Get all users");
Console.WriteLine("[2] Get user by object ID");
Console.WriteLine("[3] Get user by sign-in name");
Console.WriteLine("[4] Delete user by object ID");
Console.WriteLine("[5] Update user password");
Console.WriteLine("[6] Create users (bulk import)");
Console.WriteLine("[7] Create user with custom attributes and show result");
Console.WriteLine("[8] Get all users (one page) with custom attributes");
Console.WriteLine("[9] Get the number of useres in the directory");
Console.WriteLine("[help] Show available commands");
Console.WriteLine("[exit] Exit the program");
Console.WriteLine("-------------------------");
}
}
}
The initialized GraphServiceClient is then used in UserService.cs to perform the user management operations. For example, getting a list of the user accounts in the tenant:
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Graph;
namespace b2c_ms_graph
{
class UserService
{
//<ms_docref_get_list_of_user_accounts>
public static async Task ListUsers(GraphServiceClient graphClient)
{
Console.WriteLine("Getting list of users...");
try
{
// Get all users
var users = await graphClient.Users
.Request()
.Select(e => new
{
e.DisplayName,
e.Id,
e.Identities
})
.GetAsync();
// Iterate over all the users in the directory
var pageIterator = PageIterator<User>
.CreatePageIterator(
graphClient,
users,
// Callback executed for each user in the collection
(user) =>
{
Console.WriteLine(JsonSerializer.Serialize(user));
return true;
},
// Used to configure subsequent page requests
(req) =>
{
Console.WriteLine($"Reading next page of users...");
return req;
}
);
await pageIterator.IterateAsync();
}
catch (Exception ex)
{
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine(ex.Message);
Console.ResetColor();
}
}
//</ms_docref_get_list_of_user_accounts>
public static async Task CountUsers(GraphServiceClient graphClient)
{
int i = 0;
Console.WriteLine("Getting list of users...");
try
{
// Get all users
var users = await graphClient.Users
.Request()
.Select(e => new
{
e.DisplayName,
e.Id,
e.Identities
})
.GetAsync();
// Iterate over all the users in the directory
var pageIterator = PageIterator<User>
.CreatePageIterator(
graphClient,
users,
// Callback executed for each user in the collection
(user) =>
{
i += 1;
return true;
},
// Used to configure subsequent page requests
(req) =>
{
Console.WriteLine($"Reading next page of users. Number of users: {i}");
return req;
}
);
await pageIterator.IterateAsync();
Console.WriteLine("========================");
Console.WriteLine($"Number of users in the directory: {i}");
Console.WriteLine("========================");
}
catch (Exception ex)
{
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine(ex.Message);
Console.ResetColor();
}
}
public static async Task ListUsersWithCustomAttribute(GraphServiceClient graphClient, string b2cExtensionAppClientId)
{
if (string.IsNullOrWhiteSpace(b2cExtensionAppClientId))
{
throw new ArgumentException("B2cExtensionAppClientId (its Application ID) is missing from appsettings.json. Find it in the App registrations pane in the Azure portal. The app registration has the name 'b2c-extensions-app. Do not modify. Used by AADB2C for storing user data.'.", nameof(b2cExtensionAppClientId));
}
// Declare the names of the custom attributes
const string customAttributeName1 = "FavouriteSeason";
const string customAttributeName2 = "LovesPets";
// Get the complete name of the custom attribute (Azure AD extension)
Helpers.B2cCustomAttributeHelper helper = new Helpers.B2cCustomAttributeHelper(b2cExtensionAppClientId);
string favouriteSeasonAttributeName = helper.GetCompleteAttributeName(customAttributeName1);
string lovesPetsAttributeName = helper.GetCompleteAttributeName(customAttributeName2);
Console.WriteLine($"Getting list of users with the custom attributes '{customAttributeName1}' (string) and '{customAttributeName2}' (boolean)");
Console.WriteLine();
// Get all users (one page)
var result = await graphClient.Users
.Request()
.Select($"id,displayName,identities,{favouriteSeasonAttributeName},{lovesPetsAttributeName}")
.GetAsync();
foreach (var user in result.CurrentPage)
{
Console.WriteLine(JsonSerializer.Serialize(user));
// Only output the custom attributes...
//Console.WriteLine(JsonSerializer.Serialize(user.AdditionalData));
}
}
public static async Task GetUserById(GraphServiceClient graphClient)
{
Console.Write("Enter user object ID: ");
string userId = Console.ReadLine();
Console.WriteLine($"Looking for user with object ID '{userId}'...");
try
{
// Get user by object ID
var result = await graphClient.Users[userId]
.Request()
.Select(e => new
{
e.DisplayName,
e.Id,
e.Identities
})
.GetAsync();
if (result != null)
{
Console.WriteLine(JsonSerializer.Serialize(result));
}
}
catch (Exception ex)
{
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine(ex.Message);
Console.ResetColor();
}
}
public static async Task GetUserBySignInName(AppSettings config, GraphServiceClient graphClient)
{
Console.Write("Enter user sign-in name (username or email address): ");
string userId = Console.ReadLine();
Console.WriteLine($"Looking for user with sign-in name '{userId}'...");
try
{
// Get user by sign-in name
var result = await graphClient.Users
.Request()
.Filter($"identities/any(c:c/issuerAssignedId eq '{userId}' and c/issuer eq '{config.TenantId}')")
.Select(e => new
{
e.DisplayName,
e.Id,
e.Identities
})
.GetAsync();
if (result != null)
{
Console.WriteLine(JsonSerializer.Serialize(result));
}
}
catch (Exception ex)
{
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine(ex.Message);
Console.ResetColor();
}
}
public static async Task DeleteUserById(GraphServiceClient graphClient)
{
Console.Write("Enter user object ID: ");
string userId = Console.ReadLine();
Console.WriteLine($"Looking for user with object ID '{userId}'...");
try
{
// Delete user by object ID
await graphClient.Users[userId]
.Request()
.DeleteAsync();
Console.WriteLine($"User with object ID '{userId}' successfully deleted.");
}
catch (Exception ex)
{
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine(ex.Message);
Console.ResetColor();
}
}
public static async Task SetPasswordByUserId(GraphServiceClient graphClient)
{
Console.Write("Enter user object ID: ");
string userId = Console.ReadLine();
Console.Write("Enter new password: ");
string password = Console.ReadLine();
Console.WriteLine($"Looking for user with object ID '{userId}'...");
var user = new User
{
PasswordPolicies = "DisablePasswordExpiration,DisableStrongPassword",
PasswordProfile = new PasswordProfile
{
ForceChangePasswordNextSignIn = false,
Password = password,
}
};
try
{
// Update user by object ID
await graphClient.Users[userId]
.Request()
.UpdateAsync(user);
Console.WriteLine($"User with object ID '{userId}' successfully updated.");
}
catch (Exception ex)
{
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine(ex.Message);
Console.ResetColor();
}
}
public static async Task BulkCreate(AppSettings config, GraphServiceClient graphClient)
{
// Get the users to import
string appDirectoryPath = Path.GetDirectoryName(System.Reflection.Assembly.GetExecutingAssembly().Location);
string dataFilePath = Path.Combine(appDirectoryPath, config.UsersFileName);
// Verify and notify on file existence
if (!System.IO.File.Exists(dataFilePath))
{
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine($"File '{dataFilePath}' not found.");
Console.ResetColor();
Console.ReadLine();
return;
}
Console.WriteLine("Starting bulk create operation...");
// Read the data file and convert to object
UsersModel users = UsersModel.Parse(System.IO.File.ReadAllText(dataFilePath));
foreach (var user in users.Users)
{
user.SetB2CProfile(config.TenantId);
try
{
// Create the user account in the directory
User user1 = await graphClient.Users
.Request()
.AddAsync(user);
Console.WriteLine($"User '{user.DisplayName}' successfully created.");
}
catch (Exception ex)
{
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine(ex.Message);
Console.ResetColor();
}
}
}
public static async Task CreateUserWithCustomAttribute(GraphServiceClient graphClient, string b2cExtensionAppClientId, string tenantId)
{
if (string.IsNullOrWhiteSpace(b2cExtensionAppClientId))
{
throw new ArgumentException("B2C Extension App ClientId (ApplicationId) is missing in the appsettings.json. Get it from the App Registrations blade in the Azure portal. The app registration has the name 'b2c-extensions-app. Do not modify. Used by AADB2C for storing user data.'.", nameof(b2cExtensionAppClientId));
}
// Declare the names of the custom attributes
const string customAttributeName1 = "FavouriteSeason";
const string customAttributeName2 = "LovesPets";
// Get the complete name of the custom attribute (Azure AD extension)
Helpers.B2cCustomAttributeHelper helper = new Helpers.B2cCustomAttributeHelper(b2cExtensionAppClientId);
string favouriteSeasonAttributeName = helper.GetCompleteAttributeName(customAttributeName1);
string lovesPetsAttributeName = helper.GetCompleteAttributeName(customAttributeName2);
Console.WriteLine($"Create a user with the custom attributes '{customAttributeName1}' (string) and '{customAttributeName2}' (boolean)");
// Fill custom attributes
IDictionary<string, object> extensionInstance = new Dictionary<string, object>();
extensionInstance.Add(favouriteSeasonAttributeName, "summer");
extensionInstance.Add(lovesPetsAttributeName, true);
try
{
// Create user
var result = await graphClient.Users
.Request()
.AddAsync(new User
{
GivenName = "Casey",
Surname = "Jensen",
DisplayName = "Casey Jensen",
Identities = new List<ObjectIdentity>
{
new ObjectIdentity()
{
SignInType = "emailAddress",
Issuer = tenantId,
IssuerAssignedId = "casey.jensen@example.com"
}
},
PasswordProfile = new PasswordProfile()
{
Password = Helpers.PasswordHelper.GenerateNewPassword(4, 8, 4)
},
PasswordPolicies = "DisablePasswordExpiration",
AdditionalData = extensionInstance
});
string userId = result.Id;
Console.WriteLine($"Created the new user. Now get the created user with object ID '{userId}'...");
// Get created user by object ID
result = await graphClient.Users[userId]
.Request()
.Select($"id,givenName,surName,displayName,identities,{favouriteSeasonAttributeName},{lovesPetsAttributeName}")
.GetAsync();
if (result != null)
{
Console.ForegroundColor = ConsoleColor.Blue;
Console.WriteLine($"DisplayName: {result.DisplayName}");
Console.WriteLine($"{customAttributeName1}: {result.AdditionalData[favouriteSeasonAttributeName].ToString()}");
Console.WriteLine($"{customAttributeName2}: {result.AdditionalData[lovesPetsAttributeName].ToString()}");
Console.WriteLine();
Console.ResetColor();
Console.WriteLine(JsonSerializer.Serialize(result, new JsonSerializerOptions { WriteIndented = true }));
}
}
catch (ServiceException ex)
{
if (ex.StatusCode == System.Net.HttpStatusCode.BadRequest)
{
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine($"Have you created the custom attributes '{customAttributeName1}' (string) and '{customAttributeName2}' (boolean) in your tenant?");
Console.WriteLine();
Console.WriteLine(ex.Message);
Console.ResetColor();
}
}
catch (Exception ex)
{
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine(ex.Message);
Console.ResetColor();
}
}
}
}
Make API calls using the Microsoft Graph SDKs includes information on how to read and write information from Microsoft Graph, use $select to control the properties returned, provide custom query parameters, and use the $filter and $orderBy query parameters.
See also
- For code samples in JavaScript and Node.js, please see: Manage B2C user accounts with MSAL.js and Microsoft Graph SDK