Tags: azure, authentication, microservices, azure-ad-b2c, identity

How can I leverage Azure AD B2C to create and manage users through a REST API?


I'm trying to create an application in a microservices architecture. I'm currently trying to figure out the authentication and authorization part. I've done some research and opted for Azure AD B2C as the identity provider.

What I want right now is a way to create users within my Azure AD B2C through a REST API that I will expose to my clients (web applications and mobile clients). I've been exploring the Azure AD B2C documentation (https://learn.microsoft.com/en-us/azure/active-directory-b2c/) for some time now, and even the Azure AD B2C interface, but all the information regarding sign-in and sign-up that I was able to find is related to allowing users to perform these actions via a customisable page with company branding.

That's not what I need. I want to expose several services behind an API gateway and allow my client applications to perform the creation and management of my users. I want my mobile team to be able to call my API, register a user, perform sign-in, and be able to access the other business-related services without even knowing if I'm using Azure AD B2C or not. But so far I wasn't able to find any Azure AD B2C API that will allow me to do that. Can I achieve that with Microsoft Azure AD B2C or should I start looking into other cloud identity providers?


Solution

  • If you want to manage Azure AD B2C users with a REST API, you can use the Microsoft Graph API to implement it. For more details, please refer to the documentation.

    For example

    • Register application

      1. Sign in to the Azure portal.
      2. Select the Directory + Subscription icon in the portal toolbar, and then select the directory that contains your Azure AD B2C tenant.
      3. In the Azure portal, search for and select Azure AD B2C.
      4. Select App registrations (Preview), and then select New registration.
      5. Enter a Name for the application. For example, managementapp1.
      6. Select Accounts in this organizational directory only.
      7. Under Permissions, clear the Grant admin consent to openid and offline_access permissions check box.
      8. Select Register.
      9. Record the Application (client) ID that appears on the application overview page. You use this value in a later step.
    • Grant API permissions

      1. Under Manage, select API permissions.
      2. Under Configured permissions, select Add a permission.
      3. Select the Microsoft APIs tab, then select Microsoft Graph.
      4. Select Application permissions.
      5. Expand the appropriate permission group and select the check box of the permission to grant to your management application. For example: Directory > Directory.ReadWrite.All: For user migration or user management scenarios.
      6. Select Add permissions. As directed, wait a few minutes before proceeding to the next step.
      7. Select Grant admin consent for (your tenant name).
      8. Select your currently signed-in administrator account, or sign in with an account in your Azure AD B2C tenant that's been assigned at least the Cloud application administrator role.
      9. Select Accept.
      10. Select Refresh, and then verify that "Granted for ..." appears under Status. It might take a few minutes for the permissions to propagate.
    • Create Client secret

      1. Under Manage, select Certificates & secrets.
      2. Select New client secret.
    • Get access token

    POST https://login.microsoftonline.com/<your b2c tenant name>/oauth2/v2.0/token
    
    Content-Type: application/x-www-form-urlencoded
    
    grant_type=client_credentials
    &client_id=<your sp appId>
    &client_secret=<your sp client secret>
    &scope=https://graph.microsoft.com/.default
    
    • Create User

    POST https://graph.microsoft.com/v1.0/users
    Content-type: application/json
    Authorization: Bearer <access_token>
    
    {
      "displayName": "[TEST] Bridgette Harmon (Local account)",
      "givenName": "Bridgette",
      "surname": "Harmon",
      "identities": [
        {
          "signInType": "userName",
          "issuer": "<your b2c tenant>",
          "issuerAssignedId": "Bridgette"
        }
      ],
      "passwordProfile": {
        "password": "password-value",
        "forceChangePasswordNextSignIn": false
      }
    }
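The token call and the user-creation call from the answer, wired together as an added Python example (this is not code from the answer or from Microsoft's documentation). The tenant name `contoso.onmicrosoft.com`, the client ID, the secret and the sample user are placeholders; the HTTP opener is injectable so the request-building logic can be checked without a live tenant. In the architecture the question describes this code belongs in the backend service behind the API gateway: the client secret and the Graph access token never reach the mobile or web clients, and the gateway endpoint that calls it must authenticate and rate-limit its callers, since anyone who can reach it can create accounts in the tenant.

```python
"""Create an Azure AD B2C local account through Microsoft Graph with the
client-credentials flow. Added example; tenant, IDs and user are placeholders."""
import json
import urllib.error
import urllib.parse
import urllib.request

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"


class GraphError(Exception):
    """Graph rejected the request; carries the HTTP status and the error body."""

    def __init__(self, status, body):
        super().__init__(f"Graph returned {status}: {body}")
        self.status = status
        self.body = body


def token_request(tenant, client_id, client_secret):
    """Return (url, form-encoded body) for the client-credentials token call.
    `tenant` is the B2C tenant domain, e.g. contoso.onmicrosoft.com (placeholder)."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return url, body


def get_token(tenant, client_id, client_secret, opener=urllib.request.urlopen):
    """Exchange the app's client secret for a Graph access token (server side only)."""
    url, body = token_request(tenant, client_id, client_secret)
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with opener(req) as resp:
        return json.load(resp)["access_token"]


def build_local_account(tenant, display_name, given_name, surname,
                        sign_in_value, password, sign_in_type="emailAddress"):
    """Build the Graph user object for a B2C local account.
    sign_in_type is 'emailAddress' or 'userName'; the identity issuer must be
    the tenant's onmicrosoft.com domain, otherwise the user cannot sign in."""
    if sign_in_type not in ("emailAddress", "userName"):
        raise ValueError("local accounts use signInType emailAddress or userName")
    return {
        "displayName": display_name,
        "givenName": given_name,
        "surname": surname,
        "identities": [{
            "signInType": sign_in_type,
            "issuer": tenant,
            "issuerAssignedId": sign_in_value,
        }],
        "passwordProfile": {
            "password": password,
            "forceChangePasswordNextSignIn": False,
        },
        # Without this Graph applies the default expiration policy to the password.
        "passwordPolicies": "DisablePasswordExpiration",
    }


def create_user(token, user, opener=urllib.request.urlopen):
    """POST the user object to Graph; return the created user or raise GraphError.
    A 400 is what you get when the identity already exists or the password is
    rejected by policy, so surface the body instead of swallowing it."""
    req = urllib.request.Request(
        GRAPH_USERS, data=json.dumps(user).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"})
    try:
        with opener(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        raise GraphError(e.code, e.read().decode(errors="replace")) from e


def register_user(tenant, client_id, client_secret, display_name, given_name,
                  surname, email, password, opener=urllib.request.urlopen):
    """What the backend endpoint behind the gateway would run for one sign-up."""
    token = get_token(tenant, client_id, client_secret, opener=opener)
    user = build_local_account(tenant, display_name, given_name, surname,
                               email, password)
    return create_user(token, user, opener=opener)
```

Granting the management app `User.ReadWrite.All` is sufficient for creating and managing users and is narrower than the `Directory.ReadWrite.All` permission the answer uses; keep the secret in a vault or use a certificate credential rather than a shared secret, and rotate it.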