Azure AD B2C Group Membership Custom policy

Question

Our current b2c custom policy extension property (where we store permissions) is limited to 255 characters. Therefore, we hit the limit of permissions and we need to expose AAD group memberships through Azure B2C Custom policy. How do we define the custom claim to expose group memberships of the current user in a token?

Answer 1

Either use this sample, which will present the groups in a better format in the token, but requires an API you have to host.

Or call the MS Graph directly from the Custom Policy as follows:

1. Get a token from AAD with user.read scope:
   https://learn.microsoft.com/en-us/azure/active-directory-b2c/secure-rest-api#using-oauth2-bearer

<TechnicalProfile Id="SecureREST-AccessToken">
  <DisplayName></DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ServiceUrl">https://login.microsoftonline.com/your-tenant-name.onmicrosoft.com/oauth2/v2.0/token</Item>
    <Item Key="AuthenticationType">Basic</Item>
     <Item Key="SendClaimsIn">Form</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_SecureRESTClientId" />
    <Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_SecureRESTClientSecret" />
  </CryptographicKeys>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="client_credentials" />
    <InputClaim ClaimTypeReferenceId="scope" DefaultValue="user.read" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="bearerToken" PartnerClaimType="access_token" />
  </OutputClaims>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>

2. Then make a call to MS Graph:

https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-rest-api-claims-exchange

https://learn.microsoft.com/en-us/azure/active-directory-b2c/restful-technical-profile#metadata

        <TechnicalProfile Id="REST-GetGroupsFromMSGraph">
          <DisplayName>revoke my refresh token</DisplayName>
          <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
          <Metadata>
            <Item Key="ServiceUrl">"https://graph.microsoft.com/beta/users/{objectId}/memberOf?$select=id"</Item>
            <Item Key="AuthenticationType">Bearer</Item>
            <Item Key="UseClaimAsBearerToken">bearerToken</Item>
            <Item Key="SendClaimsIn">Url</Item>
          </Metadata>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="bearerToken"/>
          </InputClaims>
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="groupsPayload" PartnerClaimType="value" />
          </OutputClaims>
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
        </TechnicalProfile>

The claim groupsPayload will contain the value:

[
    {
       "@odata.type": "#microsoft.graph.group",
       "id": "34af9ff3-ebfc-4bfb-9417-a86f5f499845"
    },
    {
      "@odata.type": "#microsoft.graph.group",
      "id": "7485108c-7715-49af-a296-ee1f7295958d"
    }
]

And the token will have the claim, including the escape characters, as follows:

"groupsPayload": [ "{ \"@odata.type\": \"#microsoft.graph.group\"", " \"id\": \"e06f5fd8-aee1-4e14-a692-dcde772c1465\" }" ],