Reputation: 541
I am using Azure B2C custom policy to authenticate the user using Azure AD with OpenId Connect. For this, I have followed the steps mentioned in Set up sign-in with an Azure AD account by using custom policies - Azure AD B2C. All the information provided in the document seems to work fine.
Apart from the information provided in the jwt token, I also need the userPrincipalName ([email protected]). I need to have UPN because not all the users have the email in the tenant. So when I added userPrincipalName in the output claim, I get below output in the token.
"upn": "[email protected]"
I want to know if it is possible to fetch the value of userPrincipalName as [email protected] and not as described above.
If feasible, how to achieve this?
Upvotes: 1
Views: 1279
Reputation: 11325
No, because the user in the directory has the UPN that you have found, in format [email protected].
This is because you cannot verify someone else's domain name to be able to populate the UPN with a domain name that is not mytenant.onmicrosoft.com.
Either store the email or pass through the email from the IdP. If the IdP gives an option to not pass through the email, eg Facebook consent process, you can force collect/verify the email at sign up.
https://github.com/azure-ad-b2c/samples/tree/master/policies/social-idp-force-email
From Azure AD, all users will come back with a unique_name claim, which is the UPN in their Azure AD. You could also rely on this. If you rely on the email claim from AAD, it will only be present if the user has an Exchange Online inbox.
Usually the UPN and Email are the same in an Azure AD. So in the AAD technical profile, you could add this output claim to capture the AAD UPN:
<OutputClaim ClaimTypeReferenceId="aadUPN" PartnerClaimType="unique_name"/>
Then in the relying party section, add this output claim:
<OutputClaim ClaimTypeReferenceId="aadUPN" PartnerClaimType="UPNfromAAD"/>
Upvotes: 0
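To show where the two OutputClaim lines from the answer sit in a full custom policy, here is an added example (not from the question, the answer or the linked Microsoft sample) of the three places that must agree: the claim definition in the ClaimsSchema, the Azure AD OpenId Connect technical profile, and the relying party's output claims. The technical profile Id, the tenant name contoso.onmicrosoft.com, the app id and the key container name are placeholders.

```xml
<!-- 1. TrustFrameworkExtensions.xml: define the claim that will carry the AAD UPN. -->
<BuildingBlocks>
  <ClaimsSchema>
    <ClaimType Id="aadUPN">
      <DisplayName>User principal name from Azure AD</DisplayName>
      <DataType>string</DataType>
    </ClaimType>
  </ClaimsSchema>
</BuildingBlocks>

<!-- 2. The Azure AD claims provider: map the token's unique_name onto aadUPN.
     unique_name (and upn) are v1.0 token claims; a v2.0 endpoint issues
     preferred_username instead, so the METADATA URL and PartnerClaimType
     must match. The key for the user stays issuerUserId/oid, not the UPN,
     because a UPN can be renamed by the tenant admin. -->
<ClaimsProvider>
  <Domain>contoso.com</Domain>
  <DisplayName>Contoso Azure AD</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="AADContoso-OpenIdConnect">
      <DisplayName>Contoso Azure AD</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <Metadata>
        <Item Key="METADATA">https://login.microsoftonline.com/contoso.onmicrosoft.com/.well-known/openid-configuration</Item>
        <Item Key="client_id">00000000-0000-0000-0000-000000000000</Item>
        <Item Key="response_types">code</Item>
        <Item Key="scope">openid profile</Item>
        <Item Key="response_mode">form_post</Item>
        <Item Key="HttpBinding">POST</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_ContosoAppSecret" />
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid" />
        <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid" />
        <OutputClaim ClaimTypeReferenceId="aadUPN" PartnerClaimType="unique_name" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
      </OutputClaims>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<!-- 3. SignUpOrSignIn.xml: emit it to the application under the name UPNfromAAD. -->
<RelyingParty>
  <TechnicalProfile Id="PolicyProfile">
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
      <OutputClaim ClaimTypeReferenceId="aadUPN" PartnerClaimType="UPNfromAAD" />
    </OutputClaims>
  </TechnicalProfile>
</RelyingParty>
```

The resulting B2C token then carries the user's real Azure AD UPN as UPNfromAAD, while the B2C directory's own upn attribute keeps its mytenant.onmicrosoft.com form.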