HSD’s Dynamics 365 Practice Lead – Thanura Wijisiri has outlined the process he uses to update a user’s identity record using graph API. Microsoft Graph is RESTful web API that enables you to access Microsoft Cloud service resources. It allows access to Azure AD and Azure AD B2C services as well.
To update user’s account details in an Azure AD B2C instance from LogicApps, you will need an application registration with appropriate privileges.
To set this up:
1. Navigate to the Azure AD B2C instance and click Azure AD B2C under Azure services
2. Once the Azure AD B2C service is open, click on Application Registration
3. Within app registration window, click new registration
4. Give an appropriate name for the app registration, select supported account types to be “Accounts in any organizational directory or any identity provider. For authenticating users with Azure AD B2C.” and click Register.
5. Once the application registration is done, we need to secure it by adding a client secret or a certificate
a. To add a client secret or certificate navigate to “Certificates and Secrets” under the app registration navigation bar.
b. For this example a client secret is added. Copy this secret to be used in the LogicApp.
6. The next step is to assign privileges for the Graph API actions.
a. To add new permissions navigate to “API Permissions” under the app registration navigation bar and click Add Permission
b. Since we are about to update the user we would need application level access defined as per “Update User” command defined by Microsoft.
i. Permission type: Application
ii. Permissions: User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All
7. Once the permissions are added, grant admin consent to the permissions added
8. Once this is setup, copy the application registration details to be used in LogicApps
9. Now it is time to setup the Azure LogicApp
a. You have the option to setup the Azure LogicApp trigger on an event or as a http request or a webhook. However it is important to secure the call if doing so using Azure API Management or a Shared Access Signature (SAS).
b. Within your Azure LogicApp, click + to add a new action and select a http action to call Graph API
c. Setup the http action method as “PATCH”. This as per the graph API “Update User” command defined by Microsoft.
d. Setup the URI and header parameters as per the definition of the request.
i. URI = https://graph.microsoft.com/v1.0/users/< userobjectID of the user to update>
1. Authorization: <client secret from application registration>
2. Content-Type: application/json
e. Setup body of the request to update the attributes of the user record as per the definition.
i. Follow this link for user properties definition
ii. Follow this link for user identity definition
1. In the below example we are changing the email property of the user
2. Please note that if user identity “issuerAssignedId” is changed it will change the username of the user. The user will have to use the updated value for signing in.
3. It is very important to have email verification process to ensure the username or email address is not updated to a value that the user can verify.
iii. The following example displays how to change login email address (user identity) as well as primary and alternate email addresses.
f. Next step is to setup the authentication method for the http request
i. Click add new parameter in the HTTP action and select “Authentication”
ii. Select Authentication Type as “Active Directory OAuth”
iii. Tenant ID, Client ID and Credentials to be used from the app registration
iv. Audience to be “https://graph.microsoft.com”
Now you are all done and the LogicApp can be tested. You can perform the same updates programmatically as well. For more information around the management of user accounts using Microsoft Graph API, please visit the official documentation here.
To see how HSD’s technology teams can assist you with your system solution, please visit https://www.hsd.com.au/technology/ for more information..