Joseph Woolf

Reputation: 550

Azure B2C: Querying AAD using a custom claim?

Note that this ties in with a previous question, but I've gained a bit of a better understanding of Azure Active Directory (AAD) with custom policies.

Is it possible to query AAD by using a custom claim? For example, I want to use a claim called organizationName (extension_organizationName) to check whether it's already defined. If it was already defined, then I don't want to create the account.

Here's the claim provider that I wrote up to determine this:

    <ClaimsProvider>
      <DisplayName>Azure Active Directory</DisplayName>
      <TechnicalProfiles>
        <!-- This technical profile tries to read an existing account by the custom
             extension_organizationName claim, without raising an error if none exists -->
        <TechnicalProfile Id="AAD-UserReadOrganization-NoError">
          <Metadata>
            <Item Key="Operation">Read</Item>
            <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">false</Item>
          </Metadata>
          <InputClaims>
            <!-- Lookup key: the custom extension attribute, not a built-in identifier -->
            <InputClaim ClaimTypeReferenceId="extension_organizationName" Required="true" />
          </InputClaims>
          <OutputClaims>
            <!-- Required claims -->
            <OutputClaim ClaimTypeReferenceId="tempOrganization" />
          </OutputClaims>
          <IncludeTechnicalProfile ReferenceId="AAD-Common" />
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>

However, I got the same validation error that I've hit previously, but for a different reason:

Unable to validate the information provided.

If I can't query for an organization, then how else can I check if a custom claim value already exists inside AAD?

Upvotes: 0

Views: 472

Answers (2)

Barbara

Reputation: 381

As Abhishek stated, you cannot query AAD B2C using your custom extension_organizationName claim. An alternative solution would be to check if the organization claim is already present in the AAD by calling a custom REST API, which queries the AAD via the Graph API (similar to the way it is described in this blog post).

Upvotes: 1
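Here is a minimal back end for the REST API approach this answer describes, added as an example (it is not code from the original post, from the linked blog post, or from Microsoft). B2C cannot look a user up by a custom extension claim, so the sign-up step calls this API as a validation technical profile (an `InputClaim` sending `extension_organizationName` with `PartnerClaimType="organizationName"`); the API asks Microsoft Graph whether any user already carries the submitted organization name in the extension attribute and, if so, answers with the `409` JSON body that B2C renders as a validation error and that stops the account from being created. The `b2c-extensions-app` client id, the sample directory and the in-process Graph stub are all assumptions so the code runs offline.

```python
"""Added example: validation REST API for a B2C sign-up journey that rejects
an organization name already stored in a custom extension attribute.
Not code from the original post or from Azure; the app id and directory
contents below are constructed."""
import re
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed (hypothetical) client id of the tenant's b2c-extensions-app.
EXTENSIONS_APP_ID = "12345678-90ab-cdef-1234-567890abcdef"
GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"
ATTRIBUTE_NAME = "organizationName"  # the B2C claim extension_organizationName


def extension_attribute(app_id: str = EXTENSIONS_APP_ID, name: str = ATTRIBUTE_NAME) -> str:
    """Graph exposes B2C custom attributes as extension_<appId without dashes>_<name>."""
    return f"extension_{app_id.replace('-', '')}_{name}"


def odata_literal(value: str) -> str:
    """Quote a string for an OData $filter. The value comes straight from the
    sign-up form, so a single quote is doubled; otherwise an input such as
    x' or id ne '  would rewrite the filter and match every user."""
    return "'" + value.replace("'", "''") + "'"


def graph_query(org_name: str) -> str:
    """Build the Graph GET that finds users already using org_name."""
    attr = extension_attribute()
    params = {"$select": f"id,{attr}", "$filter": f"{attr} eq {odata_literal(org_name)}"}
    return f"{GRAPH_USERS}?{urlencode(params)}"


def check_organization(body: Dict, fetch: Callable[[str], Dict]) -> Tuple[int, Dict]:
    """Handle the validation call from B2C. `body` is the JSON B2C posts
    (the claim arrives under its PartnerClaimType name); `fetch` performs an
    authenticated GET against Graph and returns the decoded JSON response."""
    org_name = (body.get(ATTRIBUTE_NAME) or "").strip()
    if not org_name:
        return 400, {"version": "1.0.0", "status": 400,
                     "userMessage": "Organization name is required."}
    if fetch(graph_query(org_name)).get("value"):
        # B2C shows userMessage on the sign-up page and does not create the account.
        return 409, {"version": "1.0.0", "status": 409,
                     "userMessage": f"The organization '{org_name}' is already registered."}
    # 200 lets the journey continue; keys in the body can be mapped to OutputClaims.
    return 200, {ATTRIBUTE_NAME: org_name}


def make_graph_stub(directory: List[Dict]) -> Callable[[str], Dict]:
    """Constructed stand-in for Graph so the example runs offline. It evaluates
    only the '<attr> eq <literal>' filter that graph_query emits, unescaping
    doubled quotes the way the OData parser would, and compares exactly."""
    literal = re.compile(r"^(\S+) eq '((?:[^']|'')*)'$")

    def fetch(url: str) -> Dict:
        query = parse_qs(urlsplit(url).query)
        match = literal.match(query["$filter"][0])
        if not match:
            raise ValueError("unsupported filter: " + query["$filter"][0])
        attr, value = match.group(1), match.group(2).replace("''", "'")
        return {"value": [u for u in directory if u.get(attr) == value]}

    return fetch


# Constructed sample directory: two existing users with the extension attribute set.
SAMPLE_DIRECTORY = [
    {"id": "u1", extension_attribute(): "Contoso"},
    {"id": "u2", extension_attribute(): "O'Reilly Media"},
]

if __name__ == "__main__":
    graph = make_graph_stub(SAMPLE_DIRECTORY)
    for candidate in ["Contoso", "Fabrikam", "O'Reilly Media", "x' or id ne '"]:
        print(candidate, "->", check_organization({ATTRIBUTE_NAME: candidate}, graph))
```

In production `fetch` would be a client-credentials call to Graph with `User.Read.All`, and the RESTful technical profile in the policy should set `AuthenticationType` to `Basic` or `ClientCertificate` rather than `None`: this endpoint is reachable from the internet and reveals which organization names exist, so B2C must be the only caller.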

Abhishek Agrawal

Reputation: 2287

You cannot query Azure AD using random claims. You can query using only unique claims. From https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-technical-profile#inputclaims

To read, update, or delete an existing user account, the input claim is a key that uniquely identifies the account in Azure AD directory. For example, objectId, userPrincipalName, signInNames.emailAddress, signInNames.userName, or alternativeSecurityId.

If your scenario is to have organization name as unique, you can consider suffixing it in user principal name. A better explanation of scenario might help in answer.

Upvotes: 1
