azure-samples / active-directory-b2c-graph-trustframework-policy

This Windows console app demonstrates how to call trustFrameworkPolicy operations using the Microsoft Graph client library with delegated admin permissions. This sample uses the Microsoft Authentication Library (MSAL) for authentication on the Azure AD v2.0 endpoint.

License: MIT License

C# 92.79% PowerShell 7.21%

active-directory-b2c-graph-trustframework-policy's Introduction

Manage custom policies in Azure AD B2C using Graph API

Note: This feature is now in public preview.

This is a sample command line tool that demonstrates managing custom trust framework policies (custom policy for short) and Policy keys in an Azure AD B2C tenant. Custom policy allows you to customize every aspect of the authentication flow. Azure AD B2C uses Policy keys to manage your secrets.

Features

This sample demonstrates the following:

  • Create a custom policy
  • Read details of a custom policy
  • Update a custom policy
  • Delete a custom policy
  • List all custom policies

Getting Started

Prerequisites

This sample requires the following:

Quickstart

Create global administrator

  • A global administrator account is required to run admin-level operations and to consent to application permissions (for example: [email protected]).

Register the delegated permissions application

  1. Sign in to the Application Registration Portal using your Microsoft account.
  2. Select Add an app, and enter a friendly name for the application (such as Console App for Microsoft Graph (Delegated perms)). Click Create.
  3. On the application registration page, select Add Platform. Select the Native App tile and save your change. The delegated permissions operations in this sample use permissions that are specified in the AuthenticationHelper.cs file. This is why you don't need to assign any permissions to the app on this page.
  4. Open the solution and then the Constants.cs file in Visual Studio.
  5. Make the Application Id value for this app the value of the ClientIdForUserAuthn string.
  6. Update Tenant with the name of your tenant. (for example: myb2ctenantname.onmicrosoft.com)

Build and run the sample

  1. Open the sample solution in Visual Studio.
  2. Replace the tenant name and application id in Constants.cs by following the steps under Register the delegated permissions application.
  3. Build the sample.
  4. Using cmd or PowerShell, navigate to /bin/Debug. Run the executable B2CPolicyClient.exe.
  5. Sign in as a global administrator. (for example: [email protected])
  6. The output will show the results of calling the Graph API for trustFrameworkPolicies.
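The following is an added example, not code from the sample itself, showing the same delegated-permission pattern in a minimal form: MSAL acquires a token for the signed-in administrator, and the token is then used against the beta trustFramework policy endpoints (list, read, update and delete). It assumes a hypothetical tenant and application id (placeholders), the Policy.ReadWrite.TrustFramework delegated scope, and a policy id passed on the command line; write operations only run when an explicit flag is given.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

static class B2CPolicyDemo
{
    // Placeholders: replace with your own tenant and the Application Id from the app registration.
    const string Tenant = "YOUR_TENANT.onmicrosoft.com";
    const string ClientId = "YOUR_APPLICATION_ID";
    const string PoliciesUrl = "https://graph.microsoft.com/beta/trustFramework/policies";
    // Delegated permission for custom policies; a global administrator must consent to it.
    static readonly string[] Scopes = { "https://graph.microsoft.com/Policy.ReadWrite.TrustFramework" };

    // Usage: B2CPolicyDemo <policyId> [--reupload] [--delete]
    static async Task Main(string[] args)
    {
        string policyId = args.Length > 0 ? args[0] : "B2C_1A_TrustFrameworkBase";

        // Delegated flow: the token represents the signed-in administrator (no app-only auth).
        var app = PublicClientApplicationBuilder.Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, Tenant)
            .WithRedirectUri("http://localhost")
            .Build();
        AuthenticationResult auth = await app.AcquireTokenInteractive(Scopes).ExecuteAsync();

        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", auth.AccessToken);

        // List: GET on the collection returns the policy ids as JSON.
        Console.WriteLine(await http.GetStringAsync(PoliciesUrl));

        // Read: the XML body of one policy lives under /$value.
        string xml = await http.GetStringAsync($"{PoliciesUrl}/{policyId}/$value");
        Console.WriteLine(xml.Substring(0, Math.Min(200, xml.Length)));

        // Create/Update: PUT the XML to /$value with an application/xml body.
        if (Array.IndexOf(args, "--reupload") >= 0)
        {
            var put = new HttpRequestMessage(HttpMethod.Put, $"{PoliciesUrl}/{policyId}/$value")
                { Content = new StringContent(xml, Encoding.UTF8, "application/xml") };
            using var resp = await http.SendAsync(put);
            Console.WriteLine($"PUT -> {(int)resp.StatusCode}");
        }

        // Delete: DELETE targets the policy resource itself, not /$value (that path returns 404).
        if (Array.IndexOf(args, "--delete") >= 0)
        {
            using var resp = await http.DeleteAsync($"{PoliciesUrl}/{policyId}");
            Console.WriteLine($"DELETE -> {(int)resp.StatusCode}");
        }
    }
}
```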

Questions and comments

Questions about this sample should be posted to Stack Overflow. Make sure that your questions or comments are tagged with [azure-ad-b2c].

Contributing

If you'd like to contribute to this sample, see CONTRIBUTING.MD.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

Resources

The sample uses the Microsoft Authentication Library (MSAL) for authentication. The sample demonstrates delegated admin permissions only (app-only permissions are not supported yet).

Delegated permissions are used by apps that have a signed-in user present (in this case, the tenant administrator). For these apps, either the user or an administrator consents to the permissions that the app requests, and the app is delegated permission to act as the signed-in user when making calls to Microsoft Graph. Some delegated permissions can be consented to by non-administrative users, but some higher-privileged permissions require administrator consent.

See Delegated permissions, Application permissions, and effective permissions for more information about these permission types.

active-directory-b2c-graph-trustframework-policy's People

Contributors

agrabhi, dependabot[bot], microsoftopensource, msftgits, parakhj, rojasja, valnav, yoelhor


active-directory-b2c-graph-trustframework-policy's Issues

Grant type used by CI/CD example is not supported by Graph API

Please provide us with the following information:

This issue is for a: (mark with an x)

- [X] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

Attempt to set up CI/CD following instructions in CICDINSTRUCTIONS.md

Any log messages given by the failure

At ...\DeployToB2c.ps1:23 char:15
+ ...   $response=Invoke-RestMethod -Uri $graphuri -Method Put -Body $polic ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

Expected/desired behavior

Policy file posted without error

OS and Version?

Windows 10

Versions

Mention any other details that might be useful

Documentation states that the grant type used is not supported, see: https://docs.microsoft.com/en-us/graph/api/trustframework-put-trustframeworkpolicy?view=graph-rest-beta
I was able to update the policy by using Resource Owner Password Credentials flow (grant_type = password). This required creating a user in the directory with the appropriate admin role (B2C IEF Policy administrator).


Thanks! We'll be in touch soon.

Endpoints no longer exist or error

The endpoints no longer work as expected. They were working until end of last week (5th April 2019).

https://graph.microsoft.com/testcpimtf/trustFrameworkPolicies

{
  "error": {
    "code": "UnknownError",
    "message": "",
    "innerError": {
      "request-id": "66099be5-064a-49d1-8bb7-cb8df84e7230",
      "date": "2019-04-09T11:05:10"
    }
  }
}

Uploading a policy

https://graph.microsoft.com/testcpimtf/trustFrameworkPolicies/{id}/$value

{
  "error": {
    "code": "UnknownError",
    "message": "<Error><Message>No HTTP resource was found that matches the request URI 'https://cpim.windows.net/api/trustFrameworkPolicies('[REDACTED_ID]')/$value'.</Message><MessageDetail>No type was found that matches the controller named 'trustFrameworkPolicies('[REDACTED_ID]')'.</MessageDetail><StackTrace /></Error>",
    "innerError": {
      "request-id": "a8a6e45e-1c2b-439f-86d1-0546ab0aaf53",
      "date": "2019-04-09T11:13:32"
    }
  }
}

What have they changed to or have they been removed completely?

Fail to delete policy

Please provide us with the following information:

This issue is for a: (mark with an x)

- [x] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

B2CPolicyClient delete "policy name"

Any log messages given by the failure

DELETE https://graph.microsoft.com/beta/trustFramework/policies/B2C_1A_signup_signin2/$value

Error Calling the Graph API HTTP Status=NotFound
Transfer-Encoding: chunked
request-id: 9306b0b6-a9cb-4e46-9f07-e5a7fc5bfcb6
client-request-id: 9306b0b6-a9cb-4e46-9f07-e5a7fc5bfcb6
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"Japan East","Slice":"SliceC","Ring":"5","ScaleUnit":"002","RoleInstance":"AGSFE_IN_4","ADSiteName":"JPE"}}
Duration: 405.2022
Strict-Transport-Security: max-age=31536000
Cache-Control: private
Date: Mon, 15 Apr 2019 01:47:21 GMT

{
"error": {
"code": "UnknownError",
"message": "No HTTP resource was found that matches the request URI 'https://cpim.windows.net/graph/trustFramework/policies('B2C_1A_signup_signin2')/$value'.No action was found on the controller 'TrustFramework' that matches the request.",
"innerError": {
"request-id": "9306b0b6-a9cb-4e46-9f07-e5a7fc5bfcb6",
"date": "2019-04-15T01:47:22"
}
}
}

Expected/desired behavior

Successfully removed

OS and Version?

Windows 7, 8 or 10. Linux (which distribution). macOS (Yosemite? El Capitan? Sierra?)
Windows10

Versions

Mention any other details that might be useful

It was necessary for the deletion of custom policy to use "https://graph.microsoft.com/beta/trustFramework/policies/{0}".
It is not "https://graph.microsoft.com/beta/trustFramework/policies/{0}/$value".


Thanks! We'll be in touch soon.
