
Azure AD B2C Graph API following login?

We are using Azure AD B2C on a customer facing website. Users can complete a sign-up policy to register an account, and this is working successfully, with the isNew claim coming back when the user first completes the policy.

We want to add the user to a specific group on first login, based on some business logic. As I envision it, we will just add a handler for the SecurityTokenValidated notification, look at the isNew claim, and then update the new user as needed.

This appears to require use of the Graph API, but I'm unclear on how to finish setting up the AD B2C tenant and configure the Graph API to work server side in this case. How should I approach this case where the site needs to interact with the Graph API while the user is logged in?

Thanks for any pointers/examples.

How should I approach this case where the site needs to interact with the Graph API while the user is logged in?

As far as I know, the Azure AD B2C tenant only supports the client credential flow to acquire the token for the Azure AD Graph.

At present, the OAuth 2.0 authorization code flow for Azure AD B2C only supports acquiring the token for your app's own backend web API (refer here).

So in your scenario, you are not able to get the access token when the web app starts up. You can get the app-only token when you need it. And as Shawn Tabrizi mentioned, if you are using the Active Directory Authentication Library, it will manage the lifetime of the token using the token cache by default.

For more detail about the client credential flow, you can refer to this document; though it works for the Microsoft Graph, it is easy to change the resource to Azure AD Graph.
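The approach from the answer above, as an added example that is not part of the original answer: on first sign-in the server gets an app-only Azure AD Graph token with the client credential flow through ADAL and adds the new user to a group. The class name, tenant, client ID, secret and group ID are hypothetical placeholders, the `isNew` claim name is taken from the question, and the app registration is assumed to have been granted directory write permission in the B2C tenant.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL

public static class NewUserGroupAssigner // hypothetical helper, not from the original page
{
    // Placeholders (assumptions): load real values from protected configuration, never from source.
    const string Tenant = "yourtenant.onmicrosoft.com";
    const string ClientId = "<application-id>";
    const string ClientSecret = "<application-secret>";
    const string GroupObjectId = "<group-object-id>";
    const string GraphResource = "https://graph.windows.net";
    const string OidClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";

    static readonly HttpClient Http = new HttpClient();
    static readonly AuthenticationContext AuthContext =
        new AuthenticationContext("https://login.microsoftonline.com/" + Tenant);

    // Wire up as: SecurityTokenValidated = n =>
    //     NewUserGroupAssigner.AddToGroupIfNewAsync(n.AuthenticationTicket.Identity)
    public static async Task AddToGroupIfNewAsync(ClaimsIdentity identity)
    {
        // Only act on the first sign-in after the sign-up policy completes.
        Claim isNew = identity.FindFirst("isNew");
        if (isNew == null || !bool.TryParse(isNew.Value, out bool flag) || !flag) return;

        // Parse the object ID as a GUID so only a well-formed ID reaches the URL and JSON body.
        Claim oid = identity.FindFirst(OidClaim) ?? identity.FindFirst("oid");
        if (oid == null || !Guid.TryParse(oid.Value, out Guid userId))
            throw new InvalidOperationException("Validated token has no usable object ID claim.");

        // App-only token via client credentials; ADAL's token cache reuses it until it expires.
        AuthenticationResult token = await AuthContext.AcquireTokenAsync(
            GraphResource, new ClientCredential(ClientId, ClientSecret));

        // Azure AD Graph: add a member by POSTing a link to the user's directory object.
        string url = $"{GraphResource}/{Tenant}/groups/{GroupObjectId}/$links/members?api-version=1.6";
        string body = "{\"url\":\"" + $"{GraphResource}/{Tenant}/directoryObjects/{userId}" + "\"}";
        var request = new HttpRequestMessage(HttpMethod.Post, url)
            { Content = new StringContent(body, Encoding.UTF8, "application/json") };
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.AccessToken);
        using (HttpResponseMessage response = await Http.SendAsync(request))
            response.EnsureSuccessStatusCode(); // the Graph returns 204 No Content on success
    }
}
```

The app-only token carries the application's directory permissions rather than the user's, so it stays on the server and is never returned to the browser.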
