azure-ad-b2c - How to check if email and phone number match an existing user

Question

Before allowing the user to change their password, I'm trying to validate if their email and phone match an existing one in Azure B2C. If I remove the phone # and validate the email only it's all good, but if I try to validate the phone number with the email, I get the "specified credential could not be found" error.

I was wondering if someone could help me.

Here are my custom policies to verify it:

<TechnicalProfile Id="AAD-UserReadUsingEmailAddressAndPhoneNo">
          <Metadata>
            <Item Key="Operation">Read</Item>
            <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
          </Metadata>
          <IncludeInSso>false</IncludeInSso>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" Required="true" />
            <InputClaim ClaimTypeReferenceId="signInNames.phoneNumber" Required="true" />
          </InputClaims>
          <OutputClaims>
            <!-- Required claims -->
            <OutputClaim ClaimTypeReferenceId="objectId" />
            <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />
            <OutputClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" />
            <!-- Optional claims -->
            <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
            <OutputClaim ClaimTypeReferenceId="displayName" />
            <OutputClaim ClaimTypeReferenceId="accountEnabled" />
            <OutputClaim ClaimTypeReferenceId="otherMails" />
            <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" />
            <OutputClaim ClaimTypeReferenceId="signInNames.phoneNumber" />
          </OutputClaims>
          <OutputClaimsTransformations>
            <OutputClaimsTransformation ReferenceId="AssertAccountEnabledIsTrue" />
          </OutputClaimsTransformations>
          <IncludeTechnicalProfile ReferenceId="AAD-Common" />
        </TechnicalProfile>

<ClaimType Id="signInNames.phoneNumber">
        <DisplayName>+1XXX</DisplayName>
        <DataType>phoneNumber</DataType>
        <DefaultPartnerClaimTypes>
          <Protocol Name="OpenIdConnect" PartnerClaimType="phone_number" />
        </DefaultPartnerClaimTypes>
        <UserHelpText>Phone Number that can be used to contact you.</UserHelpText>
        <UserInputType>TextBox</UserInputType>
      </ClaimType>

<ClaimsProvider>
      <DisplayName>Local Account</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="LocalAccountDiscoveryUsingEmailAddress_Custom">
          <DisplayName>Reset password using email address</DisplayName>
          <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
          <Metadata>
            <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
          </Metadata>
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="email" Required="true" />
            <OutputClaim ClaimTypeReferenceId="signInNames.phoneNumber" Required="true" />
            <OutputClaim ClaimTypeReferenceId="objectId" />
            <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
            <OutputClaim ClaimTypeReferenceId="authenticationSource" />
            <OutputClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" />
          </OutputClaims>
          <ValidationTechnicalProfiles>
            <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingEmailAddressAndPhoneNo" />
          </ValidationTechnicalProfiles>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>

Answer 1

You might want to verify that the phone number is being stored as signInNames.phoneNumber, instead of one of the other phone number types (like strongAuthenticationPhoneNumber). I know it sounds obvious, but sometimes it happens.

It might also help to break the check up into multiple parts. First check the email address and get the users phone number using UserReadUsingEmailAddress (or some variation of it), then use a second VTP to assert that the phone number you pulled from the account and the phone number the user typed in match.