以编程方式创建Azure AD B2C(预览)用户

时间:2016-05-18 15:18:17

标签: azure-ad-graph-api azure-ad-b2c

我最近尝试以编程方式在Azure AD B2C(预览)实例中创建用户。阻止我的部分只是试图检索一个令牌。到目前为止,我已经尝试过:

var clientId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx";
var clientSecret = @"xxxxxxxxxxxxxxxx";
var tenant = "xxxxxxxxxxxx.onmicrosoft.com";

var authContext = new AuthenticationContext("https://login.microsoftonline.com/" + tenant);

var credential = new ClientCredential(clientId, clientSecret);

var result = await authContext.AcquireTokenAsync("https://graph.windows.net", credential);

当执行到达最后一行尝试获取令牌时,我得到:

  

Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException:AADSTS70001:此API版本不支持应用程序“xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx”。

我可以从这个错误中推断出什么?是否意味着已暂时删除Azure AD B2C的图形访问权限?或者我需要启用某些功能吗?或者我是否有一个端点URL错误?

1 个答案:

答案 0 :(得分:2)

要连接到Graph API,您需要设置单独的clientId和secret。按照此B2C教程创建服务主体并附加3 Graph API权限:

https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-devquickstarts-graph-dotnet/

请务必使用ADAL v2(或刚刚发布的ADAL v3),而不是ADAL v4,这只是B2C的实验。

将来,MSAL图书馆将把所有这些结合在一起。

以下脚本允许您在1 powershell脚本中创建它:

$msolcred = Get-Credential
Connect-MsolService -credential $msolcred

$bytes = New-Object Byte[] 32
$rand = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rand.GetBytes($bytes)
$rand.Dispose()
$newClientSecret = [System.Convert]::ToBase64String($bytes)

$principal = New-MsolServicePrincipal -DisplayName "Dummy" -Type password -Value $newClientSecret

Add-MsolRoleMember -RoleObjectId 88d8e3e3-8f55-4a1e-953a-9b9898b8876b -RoleMemberObjectId $principal.ObjectId -RoleMemberType servicePrincipal
Add-MsolRoleMember -RoleObjectId 9360feb5-f418-4baa-8175-e2a00bac4301 -RoleMemberObjectId $principal.ObjectId -RoleMemberType servicePrincipal
Add-MsolRoleMember -RoleObjectId fe930be7-5e62-47db-91af-98c3a49a38b1 -RoleMemberObjectId $principal.ObjectId -RoleMemberType servicePrincipal

Write-Host "clientsecret = $newClientSecret"
Write-Host "clientId     =  $(($principal).AppPrincipalId)"
Write-Host "tenant       = $((Get-MsolDomain).Name)"