Manage custom polices in Azure AD B2C using Graph API
[!NOTE] This feature is now in public preview
This is a sample command line tool that demonstrates managing custom trust framework policies (custom policy for short) and Policy keys in an Azure AD B2C tenant. Custom policy allows you to customize every aspect of the authentication flow. Azure AD B2C uses Policy keys to manage your secrets.
This sample demonstrates the following:
- Create a custom policy
- Read details of a custom policy
- Update a custom policy
- Delete a custom policy
- List all custom policies
This sample requires the following:
NOTE: This API only accepts user tokens, and not application tokens. See more information below about Delegated Permissions.
Create global administrator
- An global administrator account is required to run admin-level operations and to consent to application permissions. (for example: firstname.lastname@example.org)
Register the delegated permissions application
- Sign in to the Application Registration Portal using your Microsoft account.
- Select Add an app, and enter a friendly name for the application (such as Console App for Microsoft Graph (Delegated perms)). Click Create.
- On the application registration page, select Add Platform. Select the Native App tile and save your change. The delegated permissions operations in this sample use permissions that are specified in the AuthenticationHelper.cs file. This is why you don't need to assign any permissions to the app on this page.
- Open the solution and then the Constants.cs file in Visual Studio.
- Make the Application Id value for this app the value of the ClientIdForUserAuthn string.
- Update Tenant with the name of your tenant. (for example: myb2ctenantname.onmicrosoft.com)
Build and run the sample
- Open the sample solution in Visual Studio.
- Replace the tenant name and application id in Constants.cs by following Register the delegated permissions application
- Build the sample.
- Using cmd or PowerShell, navigate to
/bin/Debug. Run the executable B2CPolicyClient.exe.
- Sign in as a global administrator. (for example: email@example.com)
- The output will show the results of calling the Graph API for trustFrameworkPolices.
Questions and comments
Questions about this sample should be posted to Stack Overflow. Make sure that your questions or comments are tagged with [azure-ad-b2c].
If you'd like to contribute to this sample, see CONTRIBUTING.MD.
The sample uses the Microsoft Authentication Library (MSAL) for authentication. The sample demonstrates both delegated admin permissions. (app only permissions are not supported yet)
Delegated permissions are used by apps that have a signed-in user present (in this case tenant administrator). For these apps either the user or an administrator consents to the permissions that the app requests and the app is delegated permission to act as the signed-in user when making calls to Microsoft Graph. Some delegated permissions can be consented to by non-administrative users, but some higher-privileged permissions require administrator consent.
See Delegated permissions, Application permissions, and effective permissions for more information about these permission types.