Get email (username) in Claims azure ad b2c signed In with AzureAd like a Social account

2
votes

I am using starter pack of custom polices with the SocialAndLocalAccounts package to sign in with an Azure Active Directory account.

I customized the flows with custom attributes and it works well for me. I need to receive the email used for the login (username = email).

In RelyingParty I have this OutputClaims

<OutputClaim ClaimTypeReferenceId = "signInName" />
<OutputClaim ClaimTypeReferenceId = "signInNames.emailAddress" PartnerClaimType = "email" />
<OutputClaim ClaimTypeReferenceId = "otherMails" />

When a user signs-in with a local b2c account, I get the email in "signInName" and "email" claims, but when a user signs-in with an AzureAd account , the claims are empty.

How can I get the email? How must I write the custom policies (TrustFrameworkBase and TFExtensions) ?

Can you help me ?

1
azure-ad-b2c

1 Answers

1
votes

When the Azure AD identity is signed-in with for the first time, you must map from the upn claim that is issued by Azure AD to the email claim that is used by Azure AD B2C, so that this email claim can be:

  1. Written as the otherMails property in the user object to the Azure AD B2C directory.
  2. Issued by Azure AD B2C in the ID token to the client application.

To map from the upn claim that is issued by Azure AD to the email claim that is used by Azure AD B2C, add a new <OutputClaim /> to the Azure AD authentication technical profile:

<ClaimsProvider>
  <Domain>commonaad</Domain>
  <DisplayName>Common AAD</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="Common-AAD">
      <DisplayName>Multi-Tenant AAD</DisplayName>
      <Protocol Name="OpenIdConnect" />
      ...
      <OutputClaims>
        ...
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="upn" />
      </OutputClaims>
      ...
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

The AAD-UserWriteUsingAlternativeSecurityId technical profile converts the email claim to the otherMails claim by invoking the CreateOtherMailsFromEmail claims transformation and then saves the otherMails claim to the user object.

To issue the email claim in the ID token to your client application, add a new <OutputClaim /> to the relying party technical profile:

<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    ...
    <OutputClaims>
      ...
      <OutputClaim ClaimTypeReferenceId="otherMails" PartnerClaimType="emails" />
    </OutputClaims>
    ...
  </TechnicalProfile>
</RelyingParty>