使用此处记录的扩展API:

https://msdn.microsoft.com/en-us/library/azure/ad/graph/howto/azure-ad-graph-api-directory-schema-extensions

与B2C Graph Client示例结合使用:

https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet

我使用此API通过AD Graph API为目录架构扩展创建了一个自定义属性:

POST 
https://graph.windows.net/contoso.onmicrosoft.com/applications/<applicationObjectId>/extensionProperties?api-version=1.6
{
    name: "OrgRoleId",
    dataType: "String",
    targetObjects: [
        "User"
    ]
}

(注意我将API版本更改为1.6) .

API创建的自定义属性使用B2CGraphClient示例显示,并且具有与通过Azure门户为B2C注册的数据相同的数据 .

但是,这些API创建的自定义属性不会出现在租户的Azure门户“用户属性”刀片中,而通过Azure门户为B2C租户创建的自定义属性也会出现 .

请注意,我可以成功地为用户读取和写入这些扩展值(通过Graph API) . 我只是不能将它们置于声明中,因为它们不是Azure门户中的用户属性“刀片”和策略声明刀片,因此它们不会作为声明添加到令牌中 .

我错过了什么/做错了什么?

输出 B2C.exe Get-extension-attribute <b2c-extensions-app objectId> . 出现 *_Test1 (已创建门户网站),而 *_UserRoleId 未显示(已创建API):

{
  "odata.metadata": "https://graph.windows.net/<tenant_id>/$metadata#directoryObjects/Microsoft.DirectoryServices.ExtensionProperty",
  "value": [
    {
      "odata.type": "Microsoft.DirectoryServices.ExtensionProperty",
      "objectType": "ExtensionProperty",
      "objectId": "f58bc813-632c-486b-bff1-61695eeab691",
      "deletionTimestamp": null,
      "appDisplayName": "",
      "name": "extension_<object_id>_Test1",
      "dataType": "String",
      "isSyncedFromOnPremises": false,
      "targetObjects": [
        "User"
      ]
    },
    {
      "odata.type": "Microsoft.DirectoryServices.ExtensionProperty",
      "objectType": "ExtensionProperty",
      "objectId": "5e69b2d9-1ab0-463f-a231-5c188e92b4a1",
      "deletionTimestamp": null,
      "appDisplayName": "",
      "name": "extension_<object_id>_UserRoleId",
      "dataType": "String",
      "isSyncedFromOnPremises": false,
      "targetObjects": [
        "User"
      ]
    }
    ...
azure azure-active-directory azure-ad-b2c azure-ad-graph-api