We created a new instance of Azure AD B2C (Entra).
I am able to include the azuread dependency and provide config for client-id, secret, and tenant-id.
When attempting to login, I do get a token returned. The second step looks like it is making a call to https://graph.microsoft.com/v1.0/users/<user-id>. In this case, the user-id is the email address the user provided at login, but I get a 404 returned.
Talking with Microsoft, they said I cannot use an email address as the identifier for this endpoint. I can only use a UPN or Object Id of the user. Both are cryptic hash values and would require that I store a mapping of either of those values to the email address, then possibly have a Groovy transformation to replace the user-id with the object id value.
Has this feature been tested, and is there a confirmed solution? I'm trying to figure out if there is a config issue on the CAS side, a setup issue on this new Azure AD B2C instance, or if the feature is not working yet in CAS.
Thanks.
-psv