How to access Email of an User on B2C using Graph API

Question

I want to know the email address of a user to send an email. On my application, people can sign up with social accounts (google/facebook/Microsoft) or local accounts. When creating a local account we use the email.

I found this info about how email is stored. https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-policies

Email address storage: An email address can be required as part of a user flow. If the user authenticates with a social identity provider, the email address is stored in the otherMails property. If a local account is based on a user name, then the email address is stored in a strong authentication detail property. If a local account is based on an email address, then the email address is stored in the signInNames property. The email address isn't guaranteed to be verified in any of these cases. A tenant administrator can disable email verification in the basic policies for local accounts. Even if email address verification is enabled, addresses aren't verified if they come from a social identity provider and they haven't been changed. Only the otherMails and signInNames properties are exposed through the Active Directory Graph API. The email address in the strong authentication detail property is not available

Not sure why the field "Mail" on the user is not being used... but using GraphApi:

I make a GET: https://graph.microsoft.com/v1.0/Users?$select=displayName,mail,otherMails,signInNames

Some emails appear on "mail", others on the array of "otherMails", and "singInNames" can't be selected :( doesn't show any info, so are some users that I can't get the info about the email.

How can I solve this? Only using Azure AD Graph instead of Microsoft Graph API, since on that API signInNames are returned?

Isn't there any way of storing the emails always on the same property? Or at least one that I have access on Microsoft Graph API? Using Custom policies only with Claims transformation?

Answer 1

The Microsoft Graph is the successor of the old Windows Graph. The Microsoft Graph doesn't support the signInNames property for Users object anymore. One has to filter on identities instead. However identities isn't part of the default property set of the User object so one has to select it. Once that's done, one can filter on identities using an any clause.

Note that filtering on issuerAssignedId can only be done when both issuerAssignedId and issuer are used in the filter clause.

GET: https://graph.microsoft.com/v1.0/Users?$select=id,identities&filter=identities/any(c:c/issuerAssignedId eq '{email}' and c/issuer eq '{issuer}')

Answer 2

In the Microsoft Graph API you can use:

GET: https://graph.microsoft.com/v1.0/Users?$select=displayName,mail,identities,otherMails

You can find the email of a local account in the identities collection.

In the BETA version of the Graph API (graph.microsoft.com/beta) the identities and otherMails properties are also returned without a $select, in the v1.0 version only when specified in the $select.

Answer 3

I managed to get the email for a Azure B2C user through the following Microsoft Graph API call:

https://graph.microsoft.com/v1.0/users?$select=identities

Answer 4

You need to collect the email addresses from different places such as mail, otherMails and signInNames through AD Graph API. signInNames is NOT available in Microsoft Graph API.

Note that in the case where users sign in with username + email validation, there is no way to retrieve the email used.

Or you could add a custom attribute in custom policy, where you can require users to type in their email address. After that, you could use AD Graph to get the custom attribute (A sample here).