Manage custom polices in Azure AD B2C using Graph API
This is a sample command line tool that demonstrates managing custom trust framework policies (custom policy for short) in an Azure AD B2C tenant. Custom policy allows you to customize every aspect of the authentication flow.
This sample demonstrates the following:
- Create a custom policy
- Read details of a custom policy
- Update a custom policy
- Delete a custom policy
- List all custom policies
This sample requires the following:
- Request access to the private preview. This API is in private preview and must be enabled for your test tenant. Please contact AADB2CPreview@microsoft.com with the name of your test tenant and 'custom policy APIs' in the title of your email. This feature is not yet ready for production tenants.
- Visual Studio
- Azure AD B2C tenant
NOTE: This API only accepts user tokens, and not application tokens. See more information below about Delegated Permissions.
Create global administrator
- An global administrator account is required to run admin-level operations and to consent to application permissions. (for example: email@example.com)
Register the delegated permissions application
- Sign in to the Application Registration Portal using your Microsoft account.
- Select Add an app, and enter a friendly name for the application (such as Console App for Microsoft Graph (Delegated perms)). Click Create.
- On the application registration page, select Add Platform. Select the Native App tile and save your change. The delegated permissions operations in this sample use permissions that are specified in the AuthenticationHelper.cs file. This is why you don't need to assign any permissions to the app on this page.
- Open the solution and then the Constants.cs file in Visual Studio.
- Make the Application Id value for this app the value of the ClientIdForUserAuthn string.
- Update Tenant with the name of your tenant. (for example: myb2ctenantname.onmicrosoft.com)
Build and run the sample
- Open the sample solution in Visual Studio.
- Replace the tenant name and application id in Constants.cs by following Register the delegated permissions application
- Build the sample.
- Using cmd or PowerShell, navigate to
/bin/Debug. Run the executable B2CPolicyClient.exe.
- Sign in as a global administrator. (for example: firstname.lastname@example.org)
- The output will show the results of calling the Graph API for trustFrameworkPolices.
[!NOTE] If you see
Unauthorized. Access to this Api requires feature: EnableIEFPoliciesGraphApisthen your tenant has not been enabled for this private preview. Please see Prerequisites.
Questions and comments
Questions about this sample should be posted to Stack Overflow. Make sure that your questions or comments are tagged with [azure-ad-b2c].
If you'd like to contribute to this sample, see CONTRIBUTING.MD.
The sample uses the Microsoft Authentication Library (MSAL) for authentication. The sample demonstrates both delegated admin permissions. (app only permissions are not supported yet)
Delegated permissions are used by apps that have a signed-in user present (in this case tenant administrator). For these apps either the user or an administrator consents to the permissions that the app requests and the app is delegated permission to act as the signed-in user when making calls to Microsoft Graph. Some delegated permissions can be consented to by non-administrative users, but some higher-privileged permissions require administrator consent.
See Delegated permissions, Application permissions, and effective permissions for more information about these permission types.