This post is about how to add role claims to an Azure B2C user flow access token without writing a custom policy. Azure B2C comes with a standard set of built-in attributes such as City, Display Name and Street Address. Once configured, these attributes can be returned to the calling application in the access token after the user has authenticated. Unfortunately, B2C has no built-in attribute for roles or role-based security. Roles can be added as claims using custom policies, but the approach below achieves the same result with a custom attribute on a standard user flow.

Add a custom attribute

First create a custom attribute and add it to the application claims in your log in user flow. Follow the tutorial linked below to add the custom attribute as an application claim in a log in user flow. However, this attribute should not be editable by the user during their log in journey, so there is one modification to the "Use a custom attribute in your user flow" section of the linked page: skip step three, which adds the custom attribute as a User attribute. Adding it as a User attribute exposes the attribute to the user during their log in/sign up journey. By adding the new custom attribute only as an Application claim, the attribute is returned solely via the access token after the user has authenticated.

https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-flow-custom-attributes?pivots=b2c-user-flow

Use a custom attribute in your user flow

  1. In your Azure AD B2C tenant, select User flows.
  2. Select your policy (for example, “B2C_1_SignupSignin”) to open it.
  3. Select User attributes and then select the custom attribute (for example, “ShoeSize”). Select Save.
  4. Select Application claims and then select the custom attribute.
  5. Select Save.

(Screenshot: Add Roles custom attribute to application claims in B2C)

View the newly added extension via the Graph API

View the newly added custom extension using the Microsoft Graph API. Follow the "authenticate with MS Graph API" tutorial for information on how to obtain an access token for the Graph API. Once you have an access token with the appropriate permissions, send a GET request to https://graph.microsoft.com/v1.0/identity/userFlowAttributes to view the user flow attributes associated with your app. Each extension follows the extension_{appId}_extensionName naming pattern.

Set new role claim for a user

Update a user record with the new extension value. Send a PATCH request to the https://graph.microsoft.com/v1.0/users/{{user id}} endpoint with the value for the new Roles extension and the Bearer token created above. The user id property is also referred to as the ObjectId of the user. Set the request body to the extension's property name in the format “extension_{{B2C Extension App Id}}_{{Name of the extension}}”. Here I'm adding a user to the role of “Admin”.

View new role claim in access token

Run the log in user flow by logging in as the user whose Roles extension you updated. You should now see the newly created role claim as “extension_Roles” with the value “Admin”. Keep in mind that custom attribute extensions do not appear as Application claims for users who have never had a value applied to their account. Running the user flow with a user who has no extension_Roles value returns an access token that does not contain the “extension_Roles” claim at all, so any authorization check must treat a missing claim as "no role" rather than assuming a default.
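Helpers for the Graph calls and the token check described above, as an added Python example that is not from the original post; the extensions app id, user object id, bearer token and the sample userFlowAttributes response are placeholders I constructed, and the PATCH request is built but not sent.

```python
import json
import urllib.request
from typing import Optional

GRAPH = "https://graph.microsoft.com/v1.0"
# Placeholder (not a real id); use your tenant's b2c-extensions-app client id.
B2C_EXTENSIONS_APP_ID = "00000000-0000-0000-0000-000000000000"

def extension_claim_name(extensions_app_id: str, attribute_name: str) -> str:
    """Graph names a custom attribute extension_{appId}_{name}, where appId is
    the b2c-extensions-app client id with its hyphens removed."""
    return f"extension_{extensions_app_id.replace('-', '')}_{attribute_name}"

def find_attribute(user_flow_attributes: dict, attribute_id: str) -> Optional[dict]:
    """Locate one entry in a GET /identity/userFlowAttributes response body."""
    for attr in user_flow_attributes.get("value", []):
        if attr.get("id") == attribute_id:
            return attr
    return None

def build_set_role_request(user_object_id: str, attribute_id: str, role: str,
                           bearer_token: str) -> urllib.request.Request:
    """PATCH /users/{objectId} with a body that sets only the extension value.
    The request is built, not sent, so this runs offline."""
    body = json.dumps({attribute_id: role}).encode()
    return urllib.request.Request(
        f"{GRAPH}/users/{user_object_id}", data=body, method="PATCH",
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"})

def has_role(token_claims: dict, role: str, claim: str = "extension_Roles") -> bool:
    """In the access token the claim is just extension_{name} (no app id).
    A user never assigned a value gets no claim at all, so absence must mean
    'no role' rather than fall through to some default."""
    return token_claims.get(claim) == role

# Constructed sample of the userFlowAttributes response, not captured from a tenant.
SAMPLE_USER_FLOW_ATTRIBUTES = {"value": [
    {"id": "city", "displayName": "City", "dataType": "string",
     "userFlowAttributeType": "builtIn"},
    {"id": extension_claim_name(B2C_EXTENSIONS_APP_ID, "Roles"), "displayName": "Roles",
     "dataType": "string", "userFlowAttributeType": "custom"},
]}
```

To actually apply the value, pass the returned Request to urllib.request.urlopen with a valid Graph token; decoded token claims from your app's authentication library can be handed straight to has_role.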