Reputation: 13
In my custom policy I am attempting to retrieve a user from the directory using the strongAuthenticationEmailAddress property as described in the following sample (line 135 in TrustFrameworkExtensions.xml), however this does not appear to be working as expected.
<TechnicalProfile Id="AAD-UserReadUsingExternalIdpEmailAddress">
  <Metadata>
    <Item Key="Operation">Read</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">false</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="strongAuthenticationEmailAddress" Required="true" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="tempObjectId" PartnerClaimType="objectId" />
  </OutputClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>
After examining the traces in App Insights I found the following error.
"Exception": { "Kind": "Handled", "HResult": "80131500", "Message": "An error occurred while retrieving User using identifier claim type "strongAuthenticationEmailAddress" in tenant "XXX". Error returned was 400/Request_UnsupportedQuery: Property 'strongAuthenticationEmailAddress' does not exist as a declared property or extension property."
Am I missing something that needs to be done before this will work?
Upvotes: 0
Views: 265
Reputation: 11335
You can only read a user by objectId, signInNames or alternativeSecurityId. This is an interface to the Microsoft Graph API, and this is limited by what it supports to retrieve an account by a unique identifier. StrongAuthEmail is not a unique identifier.
Upvotes: 1