
Azure AD B2C via Logic App and Microsoft Graph

In a previous post, I explained how you can access Azure Active Directory from a logic app using the Azure Active Directory connector or Microsoft Graph. To access Azure Active Directory B2C, you can’t use the Azure Active Directory connector. You will have to turn to Microsoft Graph, an alternative that was also explained in the previous post. First, you will have to add an app registration to Azure AD B2C. This is a manual action that has the same effect as adding a managed identity for Azure AD. You can then access Microsoft Graph in logic apps via the HTTP action.

First you will have to log in. To this end you will have to POST a message with content-type application/x-www-form-urlencoded (not the familiar application/json). Note that you pass the form values in the format name=value&name2=value2. Don’t enclose the name or the value in single or double quotes, and don’t pass a regular JSON message. In this case we use an app and its related service principal. That’s why you use a client_id and a client secret and not a username/password.

The login action returns an access token that expires in one hour. In subsequent B2C calls, you will have to pass that access token via the Authorization header. In the call below we add a new user to B2C. For reference: Microsoft.com. Alternative site: Microsoft.com.

"Add User to AzureAD B2C": {
  "inputs": {
    "body": "@triggerBody()",
    "headers": {
      "Authorization": "@{concat('Bearer ', body('Azure_B2C_LogIn')?['access_token'])}",
      "Content-Type": "application/json"
    },
    "method": "POST",
    "retryPolicy": {
      "type": "none"
    },
    "uri": "https://graph.windows.net/[b2ctenant].onmicrosoft.com/users?api-version=1.6"
  },
  "runAfter": {
    "Azure_B2C_LogIn": [
      "Succeeded"
    ]
  },
  "type": "Http"
}

Pass the user via the trigger body, for example:

{
  "accountEnabled": true,
  "signInNames": [
    {
      "type": "emailAddress",
      "value": "paul.baars@citob2ctest.onmicrosoft.com"
    }
  ],
  "creationType": "LocalAccount",
  "displayName": "Paul Baars",
  "mailNickname": "Paul",
  "passwordProfile": {
    "forceChangePasswordNextLogin": true,
    "password": "password123456!"
  }
}

Or, for a guest account:

{
  "accountEnabled": true,
  "signInNames": [
    {
      "type": "emailAddress",
      "value": "paul.baars@motion10.com"
    }
  ],
  "creationType": "LocalAccount",
  "displayName": "Paul Baars",
  "mailNickname": "PaulBaars",
  "passwordProfile": {
    "forceChangePasswordNextLogin": true,
    "password": "password123456!"
  }
}

First note that we use graph.windows.net instead of graph.microsoft.com. We have to use graph.windows.net if we want to be able to add guest accounts. Also note that we use forceChangePasswordNextLogin instead of forceChangePasswordNextSignIn. Strangely enough, we can still use login.microsoftonline.com to log in to Azure AD B2C.

As you can see from the above code snippet, we can use Azure AD B2C accounts (like paul.baars@citob2ctest.onmicrosoft.com) or so-called guest accounts (like paul.baars@motion10.com). This is possible because we specify creationType='LocalAccount', a so-called consumer account. We don’t explicitly specify a user principal name; the e-mail address must be specified under signInNames.
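The two HTTP calls described above, as an added example in Python rather than code from the original post: the login POST with a form-encoded body (no quotes, no JSON) and the user-create POST with the Bearer header and a JSON body for a LocalAccount. The token endpoint URL, the grant_type and resource parameters, and the environment-variable names are assumptions based on the Azure AD v1 OAuth2 endpoint; the post itself only shows the content type and the client_id/client_secret fields. The request builders are pure functions so they can be checked without a network; only post() actually sends anything.

```python
"""Client-credentials login against Azure AD B2C and a user-create call to
Azure AD Graph (graph.windows.net), mirroring the two Logic App HTTP actions."""
import json
import os
import urllib.parse
import urllib.request

# Assumed endpoint shapes (Azure AD v1 OAuth2 token endpoint / Azure AD Graph);
# the post only shows the content type and the client_id/client_secret fields.
LOGIN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"
GRAPH_USERS_URL = "https://graph.windows.net/{tenant}/users?api-version=1.6"
GRAPH_RESOURCE = "https://graph.windows.net/"


def build_login_request(tenant, client_id, client_secret):
    """Return (url, headers, body) for the token POST.

    The body is application/x-www-form-urlencoded, i.e. name=value&name2=value2
    with no quotes. urlencode also percent-escapes characters such as '&' or
    '/' that client secrets often contain, which a hand-built string would miss.
    """
    form = {
        "grant_type": "client_credentials",   # assumed v1 parameter names
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": GRAPH_RESOURCE,
    }
    body = urllib.parse.urlencode(form).encode("ascii")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return LOGIN_URL.format(tenant=tenant), headers, body


def build_local_account(email, display_name, mail_nickname, password):
    """Body for a B2C local (consumer) account: the e-mail goes under signInNames,
    no userPrincipalName is set, and accountEnabled is a JSON boolean. Works for
    both tenant addresses and guest addresses, as the post's two payloads show."""
    return {
        "accountEnabled": True,
        "signInNames": [{"type": "emailAddress", "value": email}],
        "creationType": "LocalAccount",
        "displayName": display_name,
        "mailNickname": mail_nickname,
        "passwordProfile": {
            # Azure AD Graph spelling, not forceChangePasswordNextSignIn
            "forceChangePasswordNextLogin": True,
            "password": password,
        },
    }


def build_create_user_request(tenant, access_token, user):
    """Return (url, headers, body) for the user-create POST: JSON body, and the
    token from the login response in the Authorization header as 'Bearer <token>'."""
    headers = {
        "Authorization": "Bearer " + access_token,
        "Content-Type": "application/json",
    }
    body = json.dumps(user).encode("utf-8")
    return GRAPH_USERS_URL.format(tenant=tenant), headers, body


def post(url, headers, body):
    """Send one POST and return the parsed JSON response (network required)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Secrets come from the environment (assumed variable names), never from
    # the workflow definition itself.
    tenant = os.environ["B2C_TENANT"]  # e.g. yourtenant.onmicrosoft.com
    token = post(*build_login_request(tenant, os.environ["B2C_CLIENT_ID"],
                                      os.environ["B2C_CLIENT_SECRET"]))
    user = build_local_account("jane.doe@example.com", "Jane Doe", "Jane",
                               os.environ["B2C_INITIAL_PASSWORD"])
    created = post(*build_create_user_request(tenant, token["access_token"], user))
    print(created.get("objectId"))
```

The login body is built with urlencode rather than string concatenation: a secret containing `&` or `=` would otherwise be split into extra form fields and the login would fail in a way that is hard to diagnose from the Logic App run history.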

Also note that Azure AD B2C is billed per login action. The first 55000 calls are free. You can limit the number of calls by storing the login response, including the access token, in table storage. Before the next login, check the expiry date of the access token; if it is still valid, you can perform your B2C calls directly without logging in first. The expiry date is a so-called Epoch timestamp, that is, the number of seconds since 1970-01-01T00:00:00Z (UTC). To get the Epoch timestamp of the current date and time, use the following formula: @{div(sub(ticks(utcNow()), 621355968000000000), 10000000)}. For more information, see this blog post.
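The caching idea above, as an added example (not code from the original post): the same ticks-to-Epoch arithmetic as the Logic App expression, an expiry check with a safety margin, and a small in-memory cache standing in for the table-storage row. The name of the expiry field, expires_on, is an assumption based on the Azure AD v1 token response; the post only refers to it as the expiry date. The sample login response in the demo is constructed.

```python
"""Reusing a still-valid B2C access token instead of paying for a new login on
every workflow run."""
import time

TICKS_AT_EPOCH = 621355968000000000  # .NET ticks (100 ns units) at 1970-01-01T00:00:00Z
TICKS_PER_SECOND = 10_000_000


def ticks_to_epoch(ticks):
    """Same arithmetic as the Logic App expression
    div(sub(ticks(utcNow()), 621355968000000000), 10000000)."""
    return (ticks - TICKS_AT_EPOCH) // TICKS_PER_SECOND


def token_is_valid(cached, now_epoch, skew_seconds=300):
    """True when the cached login response still has at least skew_seconds left.

    A margin is kept so a token that is valid when the check runs does not
    expire halfway through the B2C calls that follow. expires_on is assumed to
    be the Epoch-seconds string from the v1 token response; anything missing or
    malformed counts as expired, which costs one extra login, never a failed call.
    """
    if not cached or "access_token" not in cached:
        return False
    try:
        expires_on = int(cached["expires_on"])
    except (KeyError, TypeError, ValueError):
        return False
    return now_epoch + skew_seconds < expires_on


class TokenCache:
    """In-memory stand-in for the table-storage row the post describes."""

    def __init__(self, login):
        self._login = login   # callable that performs the real POST and returns the JSON dict
        self._cached = None   # last login response, or None
        self.logins = 0       # number of billed login calls actually made

    def get_token(self, now_epoch=None):
        """Return a usable access token, logging in only when the cached one is stale."""
        if now_epoch is None:
            now_epoch = int(time.time())
        if not token_is_valid(self._cached, now_epoch):
            self._cached = self._login()
            self.logins += 1
        return self._cached["access_token"]


if __name__ == "__main__":
    # Constructed sample response; a real one comes from the login HTTP action.
    now = int(time.time())
    fake_response = {"token_type": "Bearer", "expires_in": "3599",
                     "expires_on": str(now + 3600), "access_token": "sample-token"}
    cache = TokenCache(lambda: fake_response)
    for _ in range(5):
        cache.get_token()
    print("tokens requested: 5, logins performed:", cache.logins)   # 1
```

Storing the whole login response rather than only the token keeps the expiry next to the value it describes, so the check before each run needs no second lookup.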

A last note: when accessing Azure AD B2C from logic apps, you can’t use managed identities. Managed identities can only be used with Azure Active Directory, because in that case the logic app is in the same tenant as Azure Active Directory. When using Azure AD B2C, you still add an app registration