Unable to retrieve roles/groups from Azure B2C

Question

I'm using MSAL to perform authentication against Azure B2C. When a login is performed, I get a set of tokens. If I use:

authority: https://<<mytenent>>.b2clogin.com/<<mytenent>>.onmicrosoft.com/<<mypolicy>>

I get a id token and refresh token. But if I use

authority: https://login.microsoftonline.com/<<mytenent>>.onmicrosoft.com (deprecated)

I also get an access token.

What I want is to use B2C, my own sign-in policy and get an access token. And I need that access token to contain the list of roles and groups that the user belongs to.

But when I perform a login using b2c, I can only request scopes openid, offline_access and profile.

How do I get a list of roles and groups for a user in an access token using MSAL and B2C?

Answer 1

Note that: Group claims can be returned in standard Azure AD tenants by setting the Token Configuration blade of the registered application; however, since token issuance in Azure AD B2C is handled through IEF, this is not possible. Instead, the group claims must be added as output claims to the user flow or custom policy. Refer this MSQnA by Sandeep G-MSFT

Add custom attributes in Azure AD B2C tenant:

Application claims:

To get access token in Azure AD B2C, you must pass scope as the API:

https://b2caadtenant.b2clogin.com/b2caadtenant.onmicrosoft.com/B2C_1_testpolicy/oauth2/v2.0/token

client_id:ClientID
scope:https://b2caadtenant.onmicrosoft.com/xxxx/access_as_userall
grant_type:authorization_code
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret

In the token, claims will be displayed:

I agree with @rbrayb you can call Microsoft Graph API to get the Group claims by referring to this GitHub Blog by damienbod

namespace AzureB2CUI
{
    public class GraphApiClaimsTransformation : IClaimsTransformation
    {
        private GraphApiClientService _graphApiClientService;
 
        public GraphApiClaimsTransformation(GraphApiClientService graphApiClientService)
        {
 
            _graphApiClientService = graphApiClientService;
        }
 
        public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
        {
            ClaimsIdentity claimsIdentity = new ClaimsIdentity();
            var groupClaimType = "group";
            if (!principal.HasClaim(claim => claim.Type == groupClaimType))
            {
                var nameidentifierClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier";
                var nameidentifier = principal.Claims.FirstOrDefault(t => t.Type == nameidentifierClaimType);
 
                var groupIds = await _graphApiClientService.GetGraphApiUserMemberGroups(nameidentifier.Value);
 
                foreach (var groupId in groupIds.ToList())
                {
                    claimsIdentity.AddClaim(new Claim(groupClaimType, groupId));
                }
            }
 
            principal.AddIdentity(claimsIdentity);
            return principal;
        }

To get groups user is member of:

https://graph.microsoft.com/v1.0/users/UserID/memberOf/microsoft.graph.group

Reference:

Azure AD B2C - assigning group-based roles and creating custom roles