如何使用 Microsoft Graph 和 SDK 更新现有 B2C 用户的身份集合 [英] How to update identities collection for existing B2C User using Microsoft Graph and SDK
问题描述
I am trying to update the identities collection for an existing User in an Azure AD B2C tenant. Specifically, I am attempting to add another federated identity entry for the user.
According to the Microsoft Graph documentation this should be possible provided that I:
- Assign
User.ManageIdentities.Allpermission to the client I am using to make the graph call - Send the entire existing identities collection, with the new identity entry appended (this also ensures that the existing identity with signInType
userPrincipalNameis also sent in the request)
I have registered an application in the B2C tenant and assigned it specific permissions to access Microsoft Graph. I am using Client Credentials flow to obtain an access token with the appropriate permissions in the roles claim. I can successfully obtain an access token, and have confirmed the presence of the required permissions by examining the issued JWT.
I am also using the Microsoft.Graph SDK to make calls to the graph v1.0 endpoints from C# code. I have an existing user that I am trying to update, with a well-known userId (objectId). Using the access token and GraphServiceClient I can successfully retrieve the user. For example, the following code works fine
var user = await client.Users[userId].Request()
.Select(o => new { o.Id, o.DisplayName, o.Identities })
.GetAsync();
After retrieving the user, I then attempt to add another entry to the identities property for the user and issue an update graph call for the user. Note that the SDK requires update calls to only use objects created locally i.e. you can't send an existing object that was previously fetched via the SDK.
My complete update code is as follows
async Task TryUpdateUser(GraphServiceClient client, string userId)
{
var user = await client.Users[userId].Request()
.Select(o => new { o.Id, o.DisplayName, o.Identities })
.GetAsync();
// Need to re-create the existing identities since Graph client rejects existing items in requests
var identities = user.Identities.Select(o => new ObjectIdentity
{
SignInType = o.SignInType,
Issuer = o.Issuer,
IssuerAssignedId = o.IssuerAssignedId
}).ToList();
identities.Add(new ObjectIdentity
{
SignInType = "federated",
Issuer = "TestIssuer",
IssuerAssignedId = "testingId"
});
var updatedUser = new User
{
Identities = identities
};
await client.Users[userId].Request().UpdateAsync(updatedUser);
}
However, when UpdateAsync is called an exception is thrown with response type BadRequest. The error message states:
Message: Adding a non-federated user signInType is not permitted if the user only has social/federated identities or no identities set. Please recreate the user with a non-federated identity along with existing identities if any.
I'm clearly trying to create a federated user signInType, so the error message text referring to a non-federated user signInType is confusing me.
What am I doing wrong?
At the moment, we cannot migrate Azure AD b2c federated user from one Identity Provider to another Identity Provider and add another Identity Provider or non-federated Identity(userName or emailAddress) for the Azure AD b2c federated user. If you try to do that, you will get the error as above.
Besides, please note that we can add one Identity Provider for Azure AD b2c local user.
这篇关于如何使用 Microsoft Graph 和 SDK 更新现有 B2C 用户的身份集合的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
