Configuring Azure AD B2C user authentication via Graph API

When Microsoft Azure Active Directory B2C (Azure AD B2C) is configured as the primary OAuth2 authentication provider, Collibra Data Quality & Observability relies on roles passed in the OAuth2 token from Azure AD B2C to grant user permissions. Microsoft Azure AD B2C does not offer a built-in UI for assigning arbitrary roles to users in custom attributes. Instead, you can use the Microsoft Graph API to populate these attributes.

This topic describes how to populate user roles in Azure AD B2C via Microsoft Graph API. It also provides additional details on role mapping within the Collibra DQ application. This topic assumes you have configured Azure AD B2C for user authentication and your users can successfully authenticate via Azure AD B2C (even if they currently receive a "No Access" message within the Collibra DQ application).

Populating user roles in Azure AD B2C via Microsoft Graph API

The following procedures are performed in the Azure AD B2C portal. You will create an application in Azure AD B2C specifically for interacting with the Microsoft Graph API, and then use it to update user-specific custom attributes (for example, extension_dqroles) that will contain the necessary role information. You must have an active Azure subscription with permissions to register applications and grant API permissions in your Azure AD B2C tenant. For general information on Graph API operations, refer to the Microsoft documentation, Managing Azure AD B2C with Microsoft Graph.

Note In this topic, you will manually set up a few users with roles to learn how the Collibra DQ application reads roles from a B2C Oauth2 token. In most enterprise environments, the property you create will need to be updated by some automated flow, script, or custom policy.

Create an API connector application for Graph API access

This application registration in Azure AD B2C will be used solely for authenticating to the Microsoft Graph API to manage user data.

  1. Navigate to Azure AD B2C in your Azure portal.
  2. Under Manage, click App registrations.
  3. Click New registration.
  4. Provide a meaningful name for your application (for example, "GraphAPI-Access").
  5. Under Supported account types, select Accounts in any organizational directory (Any Azure AD directory - Multitenant). This allows it to access Graph API.
  6. Click Register.
  7. Make note of the Application (client) ID. You will need it later.
  8. Select API permissions in the left-hand navigation.
  9. Click Add a permission.
  10. Select Microsoft Graph.
  11. Select Application permissions.
  12. Grant the following permissions:

    13. User.ReadWrite.All

  13. Click Add permissions.
  14. Click Grant admin consent for {your-tenant-name} and confirm the prompt. This step grants the necessary permissions for the application to act on behalf of the tenant.

Create a client secret for Graph API access

The client secret is a confidential key used by the GraphAPI application to authenticate with Azure AD B2C.

  1. In the GraphAPI-Access application's overview page, go to Certificates & secrets in the left-hand navigation.
  2. Click New client secret.
  3. Provide a description (for example, "GraphAPI App Secret") and set an expiration (for example, 24 months).
  4. Click Add.
  5. The client secret value displays. Copy this value immediately and store it securely. You will need it to obtain an access token for GraphAPI calls. This value will not be visible again once you leave this page.

    6. Azure AD B2C portal with client secret displayed

The client secret value is displayed only once. Copy this value immediately and store it securely.

Obtain an access token for Graph API

You will use both the Application (client) ID and the client secret value of the GraphAPI-Access application to obtain an OAuth2 access token. This example uses Postman as the API client.

  1. Open Postman.
  2. Create a new POST request.
  3. Set the URL to:

    4. <https://login.microsoftonline.com/{your-azure-b2c-tenant-name}.onmicrosoft.com/oauth2/v2.0/token>

  4. In the request Body, select x-www-form-urlencoded and add the following key-value pairs:
    • client_id: {The application (client) ID of your GraphAPI-Access application}
    • client_secret: {The client secret value that you copied for your GraphAPI-Access application}
    • grant_type: client_credentials
    • scope: <https://graph.microsoft.com/.default>
  5. Send the request.
  6. The response will include an access_token (a long string). Copy this token. It is valid for a limited time (for example, 1 hour).

Update user custom attribute via Graph API

Next, use the obtained access token to update the custom attribute (for example, extension_dqroles) for a specific user in Azure AD B2C. This attribute will contain the comma-separated roles for that user.

  1. Identify the user's Object ID. You need the unique id of the user you wish to update. Use one of the following methods:

    • In the Azure portal, go to Azure AD B2C > Users
    • Use a GET request via Graph API:

      • GET <https://graph.microsoft.com/v1.0/users?$filter=userPrincipalName> eq '[email protected]'

  2. Create a new PATCH request in Postman.

  3. Set the URL to:

    4. <https://graph.microsoft.com/v1.0/users/{id-of-user-to-update}>

  4. In the request Headers, add:

    • Authorization: Bearer {access_token from prior step}
    • Content-Type: application/json

  5. In the request Body, select raw and JSON and enter the following JSON:

    6. Copy 
    {
       "extension_{the id of your b2c-extensions-app}_{custom-role-attribute-name}": "{role1},{role2}"
    }
    • {the id of your b2c-extensions-app}: This is the Application (client) ID of a special app that Azure AD B2C automatically creates for extensions. It's usually named something like b2c-extensions-app (it's typically the one with the description, "Do not modify used by AAD B2C for storing user data."). You can find its ID in App registrations in your Azure AD B2C tenant.
    • {custom-role-attribute-name}: The raw name of your custom attribute without extension_ (for example, dqroles).
    • "{role1},{role2}": The comma-separated list of roles you want to assign to this user (for example, dq-admin,dq-user). These role names should match the Provider Role (Source) values you configured in the Collibra DQ application's role mapping.
  6. In the Authorization tab, choose Bearer Token and paste in the access_token (a long string) that you obtained above.
  7. Send the request. A successful response will typically have the status code 204 No Content.

(Optional) Verify user custom attribute via Graph API

To confirm the roles have been updated, you can retrieve the user's details via Graph API.

  1. Create a new GET request in Postman.
  2. Set the URL to:

    3. <https://graph.microsoft.com/beta/users/{id-of-user-to-update}>

  3. In the request Headers, add:

    4. Authorization: Bearer {access_token from prior step}

  4. Send the request. The response JSON will include all user attributes, including your extension_{custom-role-attribute-name} with the assigned roles.

Test login with populated roles

After populating a user's custom role attribute via Graph API, perform a final login to confirm role access in Collibra DQ.

  1. Log out of Collibra DQ.

  2. Open the Collibra DQ login page, and click the Azure B2C login button.

  3. Sign in with the Azure AD B2C user account for which you just populated the custom role attribute.

  4. Upon successful login, the user should have the correct roles and access permissions based on the roles you assigned and mapped. You can verify the assigned roles in the user's profile within the Collibra DQ application.