问题描述
我正在尝试为Azure AD B2C租户中的现有用户更新 identities
集合.具体来说,我正在尝试为用户添加另一个联合
身份条目.
根据
此外,请注意,我们可以为Azure AD b2c本地用户添加一个身份提供程序.
I am trying to update the identities
collection for an existing User in an Azure AD B2C tenant. Specifically, I am attempting to add another federated
identity entry for the user.
According to the Microsoft Graph documentation this should be possible provided that I:
- Assign
User.ManageIdentities.All
permission to the client I am using to make the graph call - Send the entire existing identities collection, with the new identity entry appended (this also ensures that the existing identity with signInType
userPrincipalName
is also sent in the request)
I have registered an application in the B2C tenant and assigned it specific permissions to access Microsoft Graph. I am using Client Credentials flow to obtain an access token with the appropriate permissions in the roles
claim. I can successfully obtain an access token, and have confirmed the presence of the required permissions by examining the issued JWT.
I am also using the Microsoft.Graph SDK to make calls to the graph v1.0 endpoints from C# code. I have an existing user that I am trying to update, with a well-known userId (objectId). Using the access token and GraphServiceClient
I can successfully retrieve the user. For example, the following code works fine
var user = await client.Users[userId].Request()
.Select(o => new { o.Id, o.DisplayName, o.Identities })
.GetAsync();
After retrieving the user, I then attempt to add another entry to the identities
property for the user and issue an update graph call for the user. Note that the SDK requires update calls to only use objects created locally i.e. you can't send an existing object that was previously fetched via the SDK.
My complete update code is as follows
async Task TryUpdateUser(GraphServiceClient client, string userId)
{
var user = await client.Users[userId].Request()
.Select(o => new { o.Id, o.DisplayName, o.Identities })
.GetAsync();
// Need to re-create the existing identities since Graph client rejects existing items in requests
var identities = user.Identities.Select(o => new ObjectIdentity
{
SignInType = o.SignInType,
Issuer = o.Issuer,
IssuerAssignedId = o.IssuerAssignedId
}).ToList();
identities.Add(new ObjectIdentity
{
SignInType = "federated",
Issuer = "TestIssuer",
IssuerAssignedId = "testingId"
});
var updatedUser = new User
{
Identities = identities
};
await client.Users[userId].Request().UpdateAsync(updatedUser);
}
However, when UpdateAsync
is called an exception is thrown with response type BadRequest
. The error message states:
I'm clearly trying to create a federated user signInType, so the error message text referring to a non-federated user signInType is confusing me.
What am I doing wrong?
At the moment, we cannot migrate Azure AD b2c federated user from one Identity Provider to another Identity Provider and add another Identity Provider or non-federated Identity(userName or emailAddress) for the Azure AD b2c federated user. If you try to do that, you will get the error as above.
Besides, please note that we can add one Identity Provider for Azure AD b2c local user.
这篇关于如何使用Microsoft Graph和SDK更新现有B2C用户的身份集合的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!