Reputation: 113
Looking up users in AAD B2C using extension attributes or unusual standard attributes
This is a follow-up to this question. I need to query Azure AD B2C to lookup a user using an employeeID which, for reasons related to what fields our account provisioning solution can deal with, is currently stored in the telephoneNumber field.
I have created an Azure Active Directory TechnicalProfile which specifies the telephone number as the InputClaim:
<TechnicalProfile Id="AAD-UserReadUsingEmployeeId">
<Metadata>
<Item Key="Operation">Read</Item>
<Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
<Item Key="UserMessageIfClaimsPrincipalDoesNotExist">An account could not be found for the provided ID.</Item>
</Metadata>
<IncludeInSso>false</IncludeInSso>
<InputClaims>
<InputClaim ClaimTypeReferenceId="telephoneNumber" PartnerClaimType="employeeId" Required="true" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="objectId" />
<OutputClaim ClaimTypeReferenceId="userPrincipalName" />
<OutputClaim ClaimTypeReferenceId="otherMails" />
<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" />
<OutputClaim ClaimTypeReferenceId="signInNames.phoneNumber" />
<OutputClaim ClaimTypeReferenceId="displayName" />
<OutputClaim ClaimTypeReferenceId="givenName" />
<OutputClaim ClaimTypeReferenceId="surname" />
<OutputClaim ClaimTypeReferenceId="telephoneNumber" />
</OutputClaims>
<IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>
However, when compiling this policy I get the error:
Input Claim 'telephoneNumber' is not supported in Azure Active Directory Provider technical profile 'AAD-UserReadUsingEmployeeId'
I understand from the documentation here that telephoneNumber can only be used as persistentClaim or OutputClaim... so I suppose I may be hitting that limitation. I thought I could wiggle out of this by querying Azure AD B2C using an extension attribute instead, but there I get confused:
- The answers to the question I linked to earlier state that you can't query Azure AD B2C through some random attribute, because the attribute needs to be unique
- The FIDO2 sample policy here does use an extension attribute to query Azure AD B2C and lookup a user, so it would appear to be possible in some conditions.
So, would I be correct in understanding that
- You can use any extension attribute to lookup a user in Azure AD B2C, and it's on you to ensure that the attribute values are unique
- You can't use most of the standard attributes (such as telephoneNumber) to look up users
Or is there something obvious I'm overlooking in the way I've configured the TechnicalProfile?
Upvotes: 1
Views: 535
Answers (1)
Reputation: 3485
These are correct:
- You can use any extension attribute to lookup a user in AAD B2C, and it's on you to ensure that the attribute values are unique
- You can't use most of the standard attributes (such as telephoneNumber) to look up users
Upvotes: 1
Related Questions
- Username Discovery in B2C
- Azure AD B2C - How to see user's extensions
- Azure B2C: Querying AAD using a custom claim?
- AAD B2C newUser Attribute
- Azure AD B2C get users with custom attributes
- Using custom attributes to store additional information about a user in Azure AD B2C
- How to read user by claim in AAD B2C custom policy?
- Look up user in AAD based on AADB2C attribute value
- Azure AD B2C built-in attributes using custom policies?
- Azure AD B2C Custom User Attributes