使用 Graph 在 Azure B2C 中预创建联合用户 [英] Pre-Create Federated Users in Azure B2C Using Graph

问题描述

是否可以通过 Graph API 在 Azure B2C 中预先创建联合用户?这是场景:

Is it possible to pre-create federated users in Azure B2C via the Graph API? Here's the scenario:

我已将 Azure AD 租户作为 IdP 添加到我的 B2C 租户.但是，我不希望联合用户能够注册.我希望他们只有在 B2C 目录中已经存在时才能登录.因此，如果不是，他们会收到一条错误消息.所以我想我可以使用 Graph 创建联合用户.以下是我尝试使用的请求正文，但出现以下错误，说明 UPN 必须使用组织中的域之一.是否可以通过 Graph 实现我希望实现的目标?如果不是通过 Graph API，我该如何完成?不需要在自定义策略中调用 REST API.

I have added to my B2C tenant an Azure AD tenant as an IdP. However, I do not want federated users to be able to signup. I want them to only be able to signin if they are already present in the B2C directory. So, if they are not, they get an error message. So I was thinking I could create the federated users using Graph instead. Below is the request body I attempted to use but I get the error that follows, which says the UPN has to be using one of the domains in the organization. Is it possible to accomplish what I a looking to achieve with Graph? If not by Graph API, how can I accomplish? REST API call in custom policy is not desired.

{
    "givenName": "John",
    "identities": [
        {
            "signInType": "federated",
            "issuer": "abc.com",
            "issuerAssignedId": "jdoe@abc.com"
        }
    ],
    "surName": "Doe",
    "mail": "jdoe@abc.com",
    "accountEnabled": true,
    "displayName": "John Doe",
    "mailNickname": "jdoe",
    "userPrincipalName": "jdoe@abc.com",
    "passwordPolicies": "DisablePasswordExpiration"
}

{

    "error": {
        "code": "Request_BadRequest",
        "message": "The domain portion of the userPrincipalName property is invalid. You must use one of the verified domain names in your organization.",
        "innerError": {
            "date": "2020-08-05T03:45:26",
            "request-id": "xxxxxxxx-xxx-xxxx-xxxx-xxxxxxxxxx"
        },
        "details": [
            {
                "target": "userPrincipalName",
                "code": "InvalidValue"
            }
        ]
    }
}
 

推荐答案

删除 "userPrincipalName": "jdoe@abc.com", 将解决此问题.

Remove "userPrincipalName": "jdoe@abc.com", will fix this issue.

Microsoft Graph 似乎不允许我们在为 Azure B2C 创建用户时设置 userPrincipalName.它将生成 userPrincipalName 作为 {object id}@abc.com.

Microsoft Graph seems not to allow us to set userPrincipalName when creating the user for Azure B2C. It will generate the userPrincipalName as {object id}@abc.com.

然后您可以更新 userPrincipalName.

PATCH https://graph.microsoft.com/v1.0/users/{object id}

{"userPrincipalName":"jdoe@abc.com"}

这篇关于使用 Graph 在 Azure B2C 中预创建联合用户的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！