I'm building an on-boarding webapp to provision users for my LOB app. Most of my customers are "business customers", meaning they will ordinarily be directed to the v1 common endpoint by a custom policy, allowing them to auth against their own AAD tenant. The challenge is new users need follow-on provisioning in the LOB app as well (create db user, assign some permissions, etc).
What I'd like to do as part of on-boarding is call graphAPI to create what will become the federated user account in b2c, then with the new user objectId that comes back handle follow-on setup specific to my LOB app. Ideally when the user arrives for the first time, they would be redirected to auth against their own AAD, then map to the pre-created user in b2c, and finally land in the LOB app with an objectId that is already provisioned and ready.
Is this a supported scenario with some creative use of custom policies and graphAPI?
Thanks Mark
You have the following options for this:
1. Create a local account user with the external email address
Using Azure AD Graph API, you can create a local account user, with the signInNames property of the user object being set to the email address of the external user:
Note: I recommend the accountEnabled property of the user object is set to true so that the end user can't log in with the local account password.
Using a custom policy, you can then add a new logic to find the local account user using the external email address and add the external user identity to this local account user, such as:
2. Create an external account user with the external user identity
Using Azure AD Graph API, you can create an external account user, with the userIdentities property of the user object being set to the object identifier of the external user:
where issuerUserId must be set to the base64 encoding for the object identifier of the external user.
Note: In the Azure AD OpenID Connect technical profile, you might have to change the claim mapping for the socialIdpUserId claim from the sub claim to the oid claim, so that it matches the userIdentities.issuerUserId property of the user object: