0
votes

I've followed the instructions here to set up the Azure AD multi-tenant custom policy in the Identity Experience Framework: https://docs.microsoft.com/en-gb/azure/active-directory-b2c/active-directory-b2c-setup-commonaad-custom?tabs=applications

However, I'm unable to get a claim back containing the email address (corresponding to the "user name" from the external active directory).

The main single-tenant active directory setup works fine, when I use this claim mapping (and the other "social" provider accounts work with PartnerClaimType="email"):

<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="upn" />

However, I've tried the following combinations for the multi-tenant, and I don't seem to be getting the data back from the provider:

<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="upn" />
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="mail" />

Please can someone let me know the correct claim mapping for this, to get the email output from the user flow?

1
I believe you are looking for unique_name, but you should do a token request to AAD using POSTman and see the token for yourself to map it properly. Jas Suri - MSFT
If my answer is helpful for you, you can accept it as an answer (click on the check mark beside the answer to toggle it from greyed out to filled in). This can be beneficial to other community members. Thank you. Allen Wu

1 Answer

3
votes

What you are looking for is "preferred_username".

Add <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="preferred_username" /> into TrustFrameworkExtensions.xml file to see if it works.
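Added example (not from the question, the answer or Microsoft's docs): a small Python helper for the "request a token and look at the claim names" step suggested in the comments. It decodes a token's payload without verifying it, purely to discover which of the claim names tried on the page the provider actually emits, and returns the one to use as PartnerClaimType. The sample token, its values and the helper names are constructed assumptions.

```python
import base64
import json

# Claim names tried on the page, in the order they are checked. The multi-tenant
# (v2 / "common") AAD endpoint usually carries the e-mail as preferred_username;
# single-tenant v1 tokens carry it as upn or unique_name.
CANDIDATE_CLAIMS = ("preferred_username", "upn", "unique_name", "email", "mail")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT WITHOUT verifying its signature.

    Only for inspecting which claim names an IdP emits while building the
    policy; never act on unverified claims in an authentication path.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def find_email_claim(token: str):
    """Pick the PartnerClaimType to map onto the B2C 'email' output claim.

    Returns (claim_name, value), or (None, None) when none of the candidates
    is present, i.e. the provider is not emitting an e-mail at all.
    """
    claims = decode_jwt_payload(token)
    for name in CANDIDATE_CLAIMS:
        if claims.get(name):
            return name, claims[name]
    return None, None


def _make_unsigned_token(claims: dict) -> str:
    """Build a constructed test token (alg=none, empty signature) for the demo."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample of what a multi-tenant (v2) AAD id_token typically contains.
SAMPLE_V2_TOKEN = _make_unsigned_token({
    "oid": "00000000-0000-0000-0000-000000000000",  # placeholder object id
    "tid": "00000000-0000-0000-0000-000000000000",  # placeholder tenant id
    "preferred_username": "alice@contoso.example",
    "name": "Alice Example",
})

if __name__ == "__main__":
    print(find_email_claim(SAMPLE_V2_TOKEN))  # ('preferred_username', 'alice@contoso.example')
```

Paste a real id_token from the Postman request in place of the constructed sample to see which name your tenant returns; note that preferred_username is mutable, so keep using oid/sub as the user's identity key and treat the mapped e-mail as display data.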