Understanding the B2C Directory

Michael Collins
Neudesic Innovation
7 min read · Jan 14, 2022


In my last post, I promised that we were going to jump into building our first custom policy in this post. However, as the author of this series, I reserve the right to pivot when I feel like it is necessary to understand the next step, and in this case it’s kind of necessary. Before we start writing our first custom policy, I think that it is important to understand the data that is stored for users in the Azure Active Directory B2C directory. Instead of using a user database, B2C uses a directory and the user is an entity that exists in the directory. You can kind of think of a directory as a hierarchical data structure or graph. Users exist in a subgraph of the directory graph and are represented by individual nodes that model users. We are going to stop and look at what data is available out of the box for users.

This is the third post in a series documenting how to use Azure Active Directory B2C to implement a custom identity management solution for a Software-as-a-Service application. If you are new to this series, I recommend reviewing the previous posts in the series:

  1. Building Application Identity Solutions using Azure AD B2C
  2. Configure Azure AD B2C for Customization

User Data Attributes

Knowing what information is stored in the directory about users is important when building our custom policies. We need to understand what information we need to collect from new users, and what information we can read out of the directory for users who have logged in. If we are going to add profile editing capabilities later on, it is important that we know what information we can collect and store for the user. And if we want to provide more details to the client application in the JSON Web Token, we need to know what we have.

For each directory attribute below, I indicate how the attribute can be used in a custom policy. We haven’t gotten to that point yet, but basically an attribute can be used as an input claim to a custom policy, it can be persisted to the directory, or it can be read from the directory and used in a custom policy. I tried to indicate the possible allowed values, but we’ll cover that more in a later post as we dive into custom policies.

The standard directory attributes for users are:

  • accountEnabled (boolean): true if the account is enabled, or false if the account is disabled. accountEnabled can be persisted to or read from the directory.
  • ageGroup (string): The user’s age group. ageGroup can be persisted to or read from the directory. Possible values are: null, Undefined, Minor, Adult, NotAdult.
  • alternativeSecurityId (string): The user identity from an external identity provider (social media). alternativeSecurityId can be used as an input claim, or persisted to or read from the directory.
  • alternativeSecurityIds (alternativeSecurityId collection): A collection of user identities from external identity providers. alternativeSecurityIds can be persisted to or read from the directory.
  • city (string): The city in which the user is located. city can be a maximum of 128 characters. city can be persisted to or read from the directory.
  • consentProvidedForMinor (string): Whether the consent has been provided for a minor. consentProvidedForMinor can be persisted to or read from the directory. Possible values are: null, granted, denied, notRequired.
  • country (string): The country/region in which the user is located. The maximum length of country is 128 characters. country can be persisted to or read from the directory.
  • createdDateTime (DateTime): The date the user object was created. createdDateTime can be persisted to or read from the directory.
  • creationType (string): If the user is a local user and uses password authentication, the value is LocalAccount or nameCoexistence. creationType can be persisted to or read from the directory.
  • dateOfBirth (Date): The user’s date of birth. dateOfBirth can be persisted to or read from the directory.
  • department (string): The name of the department that the user works for. The maximum length of department is 64 characters. department can be persisted to or read from the directory.
  • displayName (string): The display name for the user. The maximum length of displayName is 256 characters.
  • facsimileTelephoneNumber (string): The telephone number of the user’s business fax machine. facsimileTelephoneNumber can be persisted to or read from the directory.
  • givenName (string): The given or first name of the user. The maximum length of givenName is 64 characters. givenName can be persisted to or read from the directory.
  • jobTitle (string): The user’s job title. The maximum length of jobTitle is 128 characters. jobTitle can be persisted to or read from the directory.
  • legalAgeGroupClassification (string): Calculated based on ageGroup and consentProvidedForMinor. legalAgeGroupClassification can be persisted to or read from the directory. Possible values are null, minorWithOutParentalConsent, minorWithParentalConsent, minorNoParentalConsentRequired, notAdult, adult.
  • legalCountry (string): The country or region for legal purposes. legalCountry can be persisted to or read from the directory.
  • mail (string): The user’s email address. mail can be persisted to or read from the directory.
  • mailNickName (string): The mail alias for the user. mailNickName can be a maximum of 64 characters. mailNickName can be persisted to or read from the directory.
  • mobile (string): The primary mobile telephone number for the user. mobile can be a maximum of 64 characters. mobile can be persisted to or read from the directory.
  • objectId (string): The globally unique identifier that is the unique identifier for the user. objectId can be used as an input claim, or persisted to or read from the directory.
  • otherMails (string collection): A list of other email addresses for the user. otherMails can be persisted to or read from the directory.
  • password (string): The password used to create the local account. password can be persisted to the directory.
  • passwordPolicies (string): The policy of the password. passwordPolicies is a string consisting of different policy names separated by a comma. passwordPolicies can be persisted to or read from the directory. Possible values are DisablePasswordExpiration, DisableStrongPassword.
  • physicalDeliveryOfficeName (string): The office location in the user’s place of business. physicalDeliveryOfficeName can be a maximum of 128 characters.
  • postalCode (string): The postal code for the user’s postal address. The postal code is specific to the user’s country or region. The maximum length of postalCode is 40 characters. postalCode can be persisted to or read from the directory.
  • preferredLanguage (string): The user’s preferred language, based on RFC 4646. For example, US English would be en-US. preferredLanguage can be persisted to or read from the directory.
  • refreshTokensValidFromDate (DateTime): Any refresh tokens issued before this time will be considered invalid. refreshTokensValidFromDate can be read from the directory.
  • signInNames (string): The unique sign-in name of the local user. signInNames can be used as an input claim.
  • signInNames.userName (string): The unique username of the user in the directory. This attribute differs from signInNames because it allows access to multiple usernames for logging in. signInNames.userName can be used as an input claim, or can be persisted to or read from the directory.
  • signInNames.phoneNumber (string): The unique phone number for the user in the directory. signInNames.phoneNumber allows the user to be able to log in using a phone number instead of a username. signInNames.phoneNumber can be used as an input claim, or can be persisted to or read from the directory.
  • signInNames.emailAddress (string): The unique email address of the user in the directory. signInNames.emailAddress can be used to allow the user to log in using their email address instead of a username. signInNames.emailAddress can be used as an input claim, or persisted to or read from the directory.
  • state (string): The state or province in the user’s address. state can be a maximum of 128 characters. state can be persisted to or read from the directory.
  • streetAddress (string): The street address of the user’s home or place of business. The maximum length of streetAddress is 1024 characters.
  • strongAuthenticationAlternativePhoneNumber (string): The secondary telephone number of the user, used for multi-factor authentication. strongAuthenticationAlternativePhoneNumber can be persisted to or read from the directory.
  • strongAuthenticationEmailAddress (string): The email address for the user to be used for a password reset flow. strongAuthenticationEmailAddress can be persisted to or read from the directory.
  • strongAuthenticationPhoneNumber (string): The primary telephone number for the user to use for multi-factor authentication. strongAuthenticationPhoneNumber can be persisted to or read from the directory.
  • surname (string): The user’s surname, family name, or last name. The maximum length of surname is 64 characters. surname can be persisted to or read from the directory.
  • telephoneNumber (string): The primary telephone number for the user. telephoneNumber can be persisted to or read from the directory.
  • userPrincipalName (string): The user principal name or UPN of the user. The UPN is an Internet-style login name of the user based on RFC 822. This property must be set when the user’s account is created. userPrincipalName can be used as an input claim, or persisted to or read from the directory.
  • usageLocation (string): A two-letter country/region code. usageLocation is required for users that will be assigned licenses, due to a legal requirement to check for availability of services in countries/regions. usageLocation can be persisted to or read from the directory.
  • userType (string): Must be Member. userType can be persisted to or read from the directory.

Creating Extension Attributes

You are not limited to just the built-in attributes for your Azure Active Directory B2C tenant. You can extend the set of attributes to store custom data. Azure Active Directory B2C allows you to store up to 100 extension attributes on any user account.
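The attribute list above doubles as a contract for any code that writes to the directory: every string has a maximum length, several attributes only accept a fixed set of values, refreshTokensValidFromDate can only be read, and a user can carry at most 100 extension attributes. The following is an added example, not code from this post or from Azure AD B2C itself, that validates a write payload against those constraints before it reaches the directory, rejecting unknown attribute names by default and limiting a self-service profile edit to a narrow allowlist. The length limits and allowed values are the ones listed above; the extension-attribute naming convention (extension_<application id without hyphens>_<Name>), the alphanumeric rule for <Name>, the simplified RFC 4646 shape check, the PROFILE_EDIT_ALLOWLIST and the sample payloads are assumptions constructed for this example.

```python
"""Validate an Azure AD B2C user-attribute payload before persisting it.

Added example for this post. Length limits and allowed values come from the
attribute list in the post; the extension-attribute naming convention and the
profile-edit allowlist are assumptions made for this example.
"""
import re
from typing import Any, Iterable

# Maximum lengths stated in the attribute list.
MAX_LENGTHS = {
    "city": 128, "country": 128, "department": 64, "displayName": 256,
    "givenName": 64, "jobTitle": 128, "mailNickName": 64, "mobile": 64,
    "physicalDeliveryOfficeName": 128, "postalCode": 40, "state": 128,
    "streetAddress": 1024, "surname": 64,
}
# Enumerated attributes and their allowed values (None stands for null).
ALLOWED_VALUES = {
    "ageGroup": {None, "Undefined", "Minor", "Adult", "NotAdult"},
    "consentProvidedForMinor": {None, "granted", "denied", "notRequired"},
    "creationType": {"LocalAccount", "nameCoexistence"},
    "legalAgeGroupClassification": {None, "minorWithOutParentalConsent",
                                    "minorWithParentalConsent",
                                    "minorNoParentalConsentRequired",
                                    "notAdult", "adult"},
    "userType": {"Member"},
}
PASSWORD_POLICY_NAMES = {"DisablePasswordExpiration", "DisableStrongPassword"}
# Remaining attributes the list marks as persistable, without a length or value rule.
OTHER_WRITABLE = {
    "accountEnabled", "alternativeSecurityId", "alternativeSecurityIds",
    "createdDateTime", "dateOfBirth", "facsimileTelephoneNumber", "legalCountry",
    "mail", "objectId", "otherMails", "password", "passwordPolicies",
    "preferredLanguage", "signInNames.userName", "signInNames.phoneNumber",
    "signInNames.emailAddress", "strongAuthenticationAlternativePhoneNumber",
    "strongAuthenticationEmailAddress", "strongAuthenticationPhoneNumber",
    "telephoneNumber", "usageLocation", "userPrincipalName",
}
WRITABLE_BUILTINS = set(MAX_LENGTHS) | set(ALLOWED_VALUES) | OTHER_WRITABLE
READ_ONLY = {"refreshTokensValidFromDate"}  # list says: read only
# Assumption: a self-service profile edit may touch only these attributes;
# identity, credential, sign-in-name and MFA attributes stay off the list.
PROFILE_EDIT_ALLOWLIST = {
    "displayName", "givenName", "surname", "city", "state", "country",
    "postalCode", "streetAddress", "jobTitle", "department", "preferredLanguage",
    "usageLocation", "ageGroup", "dateOfBirth", "telephoneNumber", "mobile",
}
LANGUAGE_TAG = re.compile(r"^[A-Za-z]{2,3}(-[A-Za-z0-9]{2,8})*$")  # simplified RFC 4646
COUNTRY_CODE = re.compile(r"^[A-Z]{2}$")
MAX_EXTENSION_ATTRIBUTES = 100  # per-user limit stated in the post
EXTENSION_NAME = re.compile(r"^extension_[0-9a-f]{32}_[A-Za-z0-9]+$")


def extension_attribute_name(app_id: str, name: str) -> str:
    """Directory name of an extension attribute (assumed convention):
    extension_<b2c-extensions-app application id without hyphens>_<Name>."""
    if not re.fullmatch(r"[A-Za-z0-9]+", name):
        raise ValueError(f"extension attribute name {name!r} must be alphanumeric")
    compact = app_id.replace("-", "").lower()
    if not re.fullmatch(r"[0-9a-f]{32}", compact):
        raise ValueError("app_id must be a GUID")
    return f"extension_{compact}_{name}"


def validate_attributes(payload: dict[str, Any],
                        writable: Iterable[str] = WRITABLE_BUILTINS) -> list[str]:
    """Return the problems found in payload; an empty list means it may be persisted."""
    writable = set(writable)
    errors: list[str] = []
    extension_count = 0
    for name, value in payload.items():
        if EXTENSION_NAME.match(name):
            extension_count += 1
            continue
        if name in READ_ONLY:
            errors.append(f"{name}: read-only attribute cannot be written")
            continue
        if name not in writable:  # deny by default
            errors.append(f"{name}: attribute not permitted in this operation")
            continue
        if name in MAX_LENGTHS:
            if not isinstance(value, str):
                errors.append(f"{name}: expected a string")
            elif len(value) > MAX_LENGTHS[name]:
                errors.append(f"{name}: exceeds {MAX_LENGTHS[name]} characters")
        elif name in ALLOWED_VALUES:
            if not (value is None or isinstance(value, str)) or value not in ALLOWED_VALUES[name]:
                errors.append(f"{name}: {value!r} is not an allowed value")
        elif name == "passwordPolicies":  # comma-separated policy names
            names = [p.strip() for p in str(value).split(",") if p.strip()]
            unknown = [p for p in names if p not in PASSWORD_POLICY_NAMES]
            if unknown:
                errors.append(f"{name}: unknown policy names {unknown}")
        elif name == "preferredLanguage":
            if not isinstance(value, str) or not LANGUAGE_TAG.match(value):
                errors.append(f"{name}: not an RFC 4646 language tag")
        elif name == "usageLocation":
            if not isinstance(value, str) or not COUNTRY_CODE.match(value):
                errors.append(f"{name}: expected a two-letter country/region code")
        elif name == "accountEnabled" and not isinstance(value, bool):
            errors.append(f"{name}: expected a boolean")
    if extension_count > MAX_EXTENSION_ATTRIBUTES:
        errors.append(f"{extension_count} extension attributes exceed the limit of {MAX_EXTENSION_ATTRIBUTES}")
    return errors


# Constructed sample payloads for the demonstration.
GOOD_EDIT = {"displayName": "Ada Lovelace", "givenName": "Ada", "surname": "Lovelace",
             "city": "London", "preferredLanguage": "en-GB", "usageLocation": "GB",
             "ageGroup": "Adult"}
BAD_EDIT = {"displayName": "x" * 300, "ageGroup": "Teenager",
            "refreshTokensValidFromDate": "2022-01-01T00:00:00Z", "password": "hunter2",
            "passwordPolicies": "DisableStrongPassword, NoExpiry",
            "preferredLanguage": "english", "usageLocation": "usa"}

if __name__ == "__main__":
    for label, payload in (("good", GOOD_EDIT), ("bad", BAD_EDIT)):
        print(label, "->", validate_attributes(payload, PROFILE_EDIT_ALLOWLIST) or "ok")
```

Passing PROFILE_EDIT_ALLOWLIST as the writable set is what keeps a profile-edit endpoint from becoming a way to write password, userPrincipalName or the strongAuthentication* attributes; an administrative sync job can pass the wider WRITABLE_BUILTINS instead, and both still get the length, value and extension-count checks.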

What Did We Just Learn?

In this post, my goal was to briefly introduce you to the user profile in Azure Active Directory B2C’s directory and show you the type of information that can be stored in the directory. I also mentioned that we can extend the set of attributes by adding new extension attributes. I expect that you are still unsure how to use the attributes, and that’s fine. That was not the point of this post. But now that you know what kind of information is available, you have some idea of the shape of the user objects in the directory, and we can use these values as we build our custom policies.

The descriptions for the elements were borrowed or based on descriptions in the Azure Active Directory B2C Documentation.
