Reni Dantas

Reputation: 127

User already exists with AlternativeSecurityId with another issuerUserId/issuerAssignedId

We're having a problem with AAD-UserWriteUsingAlternativeSecurityId because AlternativeSecurityId exists, but it derives from ClaimTransformations, which has received two InputClaims:

  1. issuerUserId
  2. issuer

The issue remains the same, but issuerUserId changes and the error message still remains. I verified in the Graph Users endpoint whether the new issuerUserId really exists, but the output was:

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#users",
    "value": []
}

The message displayed when AAD-UserWriteUsingAlternativeSecurityId fails is:

"Message": "The technical Profile with id \"AAD-UserWriteUsingAlternativeSecurityId\" in Policy id \"B2C_1A_signup_signin_ahold_adfs of Tenant id \"arqlogindev.onmicrosoft.com\" requires that an error be raised if a claims principal record already exists for storing claims. A claims principal of type \"User\" with identifier claim type id \"alternativeSecurityId\" does already exist.",

One question to understand the entire scenario: how does the ClaimTransformation method "CreateAlternativeSecurityId" work internally to generate a unique key to write the user? Is it possible to query by alternativeSecurityId in the Microsoft Graph Users endpoint (or is it just the identities object, without the key/hash generated by the claim transformations)?

Upvotes: 1

Views: 3233

Answers (1)

Jas Suri - MSFT

Reputation: 11335

AltSecId lives in the Identities array returned by dumping the user via the MS Graph API beta/users/objectId endpoint.

It is just the combination of the issuerUserId and issuer claims derived from the identity provider used in your B2C custom flow or user flow.

IssuerAssignedId is the objectId or id from the token that the federated IdP returns to B2C, and issuer is some value like facebook.com that is decided by you.

The issue is you are writing a combination that already exists.

Upvotes: 1
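To make the answer concrete, here is an added example (not code from the question, the answer, or Microsoft) that builds the documented Graph `identities/any(...)` filter for a given issuer + issuerAssignedId pair and applies the same check locally to a dumped user list, so you can see which existing user would trigger the "already exists" error before the policy writes. The user ids, issuer names and issuerAssignedId values in the sample are constructed; the filter syntax is Graph's own.

```python
import json
from urllib.parse import quote

# Constructed sample of the shape GET /beta/users?$select=id,identities returns.
# Every id, issuer and issuerAssignedId below is made up for this example.
SAMPLE_USERS = json.loads("""
{"value": [
  {"id": "00000000-0000-0000-0000-000000000001",
   "identities": [
     {"signInType": "federated", "issuer": "adfs.example.test", "issuerAssignedId": "emp-1001"},
     {"signInType": "userPrincipalName", "issuer": "example.onmicrosoft.com",
      "issuerAssignedId": "cpim_x@example.onmicrosoft.com"}]},
  {"id": "00000000-0000-0000-0000-000000000002",
   "identities": [
     {"signInType": "federated", "issuer": "facebook.com", "issuerAssignedId": "emp-1001"}]}
]}
""")


def _odata_quote(value: str) -> str:
    # An OData string literal escapes a single quote by doubling it.
    return value.replace("'", "''")


def identity_filter(issuer: str, issuer_assigned_id: str) -> str:
    """Graph $filter matching users whose identities array holds this issuer +
    issuerAssignedId pair, i.e. the pair CreateAlternativeSecurityId combines."""
    return (f"identities/any(c:c/issuer eq '{_odata_quote(issuer)}' "
            f"and c/issuerAssignedId eq '{_odata_quote(issuer_assigned_id)}')")


def users_url(issuer: str, issuer_assigned_id: str) -> str:
    """Full beta/users request URL with the filter percent-encoded for the query string."""
    return ("https://graph.microsoft.com/beta/users?$select=id,identities&$filter="
            + quote(identity_filter(issuer, issuer_assigned_id), safe=""))


def find_existing(users: dict, issuer: str, issuer_assigned_id: str) -> list:
    """Same check run locally over a dumped user list: returns ids of users that already
    carry the federated pair (these make AAD-UserWriteUsingAlternativeSecurityId raise).
    Note that issuer is part of the key: a matching issuerAssignedId under another
    issuer is a different AltSecId and does not collide."""
    hits = []
    for user in users.get("value", []):
        for ident in user.get("identities", []):
            if (ident.get("signInType") == "federated"
                    and ident.get("issuer") == issuer
                    and ident.get("issuerAssignedId") == issuer_assigned_id):
                hits.append(user["id"])
                break
    return hits


if __name__ == "__main__":
    print(users_url("adfs.example.test", "emp-1001"))
    print(find_existing(SAMPLE_USERS, "adfs.example.test", "emp-1001"))
```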
