
I'm using custom policies and I saw that the field "emails" exists in built-in policies but doesn't exist in custom policies. There is a claim named otherMails instead.

  • I want to return an emails claim in my tokens with a list of user emails.
  • I want that claim on my signup/sign-in and password reset policies.

I'm using the custom policies in the starter pack, but I don't know which TechnicalProfiles I should change. I tried a few things but it doesn't work.

Thanks in advance!

spottedmahn
Germán Svriz

2 Answers


When writing a local account: You must create the "otherMails" claim from the "email" claim using the "CreateOtherMailsFromEmail" claims transformation and then persist the "otherMails" claim in the "AAD-UserWriteUsingLogonEmail" technical profile:

<TechnicalProfile Id="AAD-UserWriteUsingLogonEmail">
  ...
  <IncludeInSso>false</IncludeInSso>
  <InputClaimsTransformations>
    <InputClaimsTransformation ReferenceId="CreateOtherMailsFromEmail" />
  </InputClaimsTransformations>
  <InputClaims>
    ...
  </InputClaims>
  <PersistedClaims>
    ...
    <PersistedClaim ClaimTypeReferenceId="otherMails" />
  </PersistedClaims>
  <OutputClaims>
    ...
    <OutputClaim ClaimTypeReferenceId="otherMails" />
  </OutputClaims>
  ...
</TechnicalProfile>

You must then pass the "otherMails" claim out from the "LocalAccountSignUpWithLogonEmail" technical profile that is invoked to register a local account:

<TechnicalProfile Id="LocalAccountSignUpWithLogonEmail">
    ...
    <OutputClaims>
        ...
        <OutputClaim ClaimTypeReferenceId="otherMails" />
    </OutputClaims>
</TechnicalProfile>

When writing a social account: The "otherMails" claim is already created from the "email" claim and then persisted in the "AAD-UserWriteUsingAlternativeSecurityId" technical profile.

You must then pass the "otherMails" claim out from the "SelfAsserted-Social" technical profile that is invoked to register a social account:

<TechnicalProfile Id="SelfAsserted-Social">
    ...
    <OutputClaims>
        ...
        <OutputClaim ClaimTypeReferenceId="otherMails" />
    </OutputClaims>
</TechnicalProfile>

When reading a local or social account: The "otherMails" claim is already read in the "AAD-UserReadUsingObjectId", "AAD-UserReadUsingEmailAddress", and "AAD-UserReadUsingAlternativeSecurityId" technical profiles.

You must then pass the "otherMails" claim out from the "LocalAccountDiscoveryUsingEmailAddress" technical profile that is invoked to recover a local password:

<TechnicalProfile Id="LocalAccountDiscoveryUsingEmailAddress">
    ...
    <OutputClaims>
        ...
        <OutputClaim ClaimTypeReferenceId="otherMails" />
    </OutputClaims>
</TechnicalProfile>

To issue the "otherMails" claim as "emails" from the sign-up/sign-in and password reset policies: You must add the "otherMails" claim as <OutputClaim /> to the relying party policies:

<RelyingParty>
    ...
    <TechnicalProfile Id="PolicyProfile">
        <OutputClaims>
            ...
            <OutputClaim ClaimTypeReferenceId="otherMails" PartnerClaimType="emails" />
        </OutputClaims>
    </TechnicalProfile>
</RelyingParty>
Chris Padgett
  • Thanks for the details. I made every step. But now when I'm on the login form and click on the registration link at the bottom to create a new user I receive this message: 500 - Internal server error. There is a problem with the resource you are looking for, and it cannot be displayed. – Germán Svriz Nov 07 '17 at 14:48
  • Apologies, @GermánSvriz, you must add the "otherMails" claim as an `` to the "AAD-UserWriteUsingLogonEmail" technical profile (as well as adding it as a ``). I've updated the first part of the above answer with this. – Chris Padgett Nov 09 '17 at 10:50
  • Thanks! It's working! Where could I find documentation to learn how to modify these XML files? – Germán Svriz Nov 10 '17 at 14:29
  • Documentation can be found [here](https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/tree/master/Documentation). This was drafted for the custom policies preview. Some of it is out-of-date. – Chris Padgett Nov 20 '17 at 20:37
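Added here as a worked check, not code from either answer: a small Python lint that parses the policy XML and verifies that the "otherMails" claim is carried through every technical profile named in the answer above, and that the relying-party profile maps it to "emails". The 500 error in the comments came from one missing element, which is exactly the kind of gap this catches before upload. The two policy documents it parses are constructed for the example and deliberately omit the claim from "SelfAsserted-Social" so the checker has something to report. In a real tenant, feed it the base, extensions and relying-party files together: B2C merges same-Id technical profiles across those files, and the checker merges them the same way. The namespace URI is the one used by the starter-pack policies; everything else (profile Ids, element names) comes from the answer.

```python
"""Lint Azure AD B2C custom-policy XML for the otherMails -> emails wiring.

Added example, not code from the original answer.
"""
import xml.etree.ElementTree as ET

# Default namespace of the TrustFrameworkPolicy schema used by the starter pack.
NS = {"tf": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}

OUTPUT_OTHERMAILS = ("tf:OutputClaims/tf:OutputClaim", {"ClaimTypeReferenceId": "otherMails"})

# Technical profile Id -> (path relative to the profile, required attributes),
# one rule per element the answer says must be present.
REQUIREMENTS = {
    "AAD-UserWriteUsingLogonEmail": [
        ("tf:InputClaimsTransformations/tf:InputClaimsTransformation",
         {"ReferenceId": "CreateOtherMailsFromEmail"}),
        ("tf:PersistedClaims/tf:PersistedClaim", {"ClaimTypeReferenceId": "otherMails"}),
        OUTPUT_OTHERMAILS,
    ],
    "LocalAccountSignUpWithLogonEmail": [OUTPUT_OTHERMAILS],
    "SelfAsserted-Social": [OUTPUT_OTHERMAILS],
    "LocalAccountDiscoveryUsingEmailAddress": [OUTPUT_OTHERMAILS],
    # Relying-party profile: otherMails must be issued under the partner name "emails".
    "PolicyProfile": [("tf:OutputClaims/tf:OutputClaim",
                       {"ClaimTypeReferenceId": "otherMails", "PartnerClaimType": "emails"})],
}


def find_profiles(docs, profile_id):
    """Yield every <TechnicalProfile Id=...> with this Id across all parsed files.

    B2C merges same-Id profiles from base, extensions and relying-party files,
    so a rule is satisfied if any of the fragments carries the element.
    """
    tag = "{%s}TechnicalProfile" % NS["tf"]
    for root in docs:
        for tp in root.iter(tag):
            if tp.get("Id") == profile_id:
                yield tp


def has_element(profiles, rel_path, attrs):
    """True if any profile fragment has an element at rel_path with all the given attributes."""
    for tp in profiles:
        for el in tp.findall(rel_path, NS):
            if all(el.get(k) == v for k, v in attrs.items()):
                return True
    return False


def check_policy(xml_texts):
    """Return a list of problems; an empty list means the otherMails wiring is complete."""
    docs = [ET.fromstring(text) for text in xml_texts]
    problems = []
    for profile_id, rules in REQUIREMENTS.items():
        profiles = list(find_profiles(docs, profile_id))
        if not profiles:
            problems.append(f"{profile_id}: technical profile not found in the supplied files")
            continue
        for rel_path, attrs in rules:
            if not has_element(profiles, rel_path, attrs):
                tag = rel_path.rpartition(":")[2]
                want = " ".join(f'{k}="{v}"' for k, v in attrs.items())
                problems.append(f"{profile_id}: missing <{tag} {want} />")
    return problems


# Constructed sample files (not from a real tenant). SelfAsserted-Social deliberately
# lacks the otherMails output claim so the checker has something to report.
EXTENSIONS_XML = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <ClaimsProviders><ClaimsProvider><TechnicalProfiles>
    <TechnicalProfile Id="AAD-UserWriteUsingLogonEmail">
      <InputClaimsTransformations>
        <InputClaimsTransformation ReferenceId="CreateOtherMailsFromEmail" />
      </InputClaimsTransformations>
      <PersistedClaims><PersistedClaim ClaimTypeReferenceId="otherMails" /></PersistedClaims>
      <OutputClaims><OutputClaim ClaimTypeReferenceId="otherMails" /></OutputClaims>
    </TechnicalProfile>
    <TechnicalProfile Id="LocalAccountSignUpWithLogonEmail">
      <OutputClaims><OutputClaim ClaimTypeReferenceId="otherMails" /></OutputClaims>
    </TechnicalProfile>
    <TechnicalProfile Id="SelfAsserted-Social">
      <OutputClaims><OutputClaim ClaimTypeReferenceId="displayName" /></OutputClaims>
    </TechnicalProfile>
    <TechnicalProfile Id="LocalAccountDiscoveryUsingEmailAddress">
      <OutputClaims><OutputClaim ClaimTypeReferenceId="otherMails" /></OutputClaims>
    </TechnicalProfile>
  </TechnicalProfiles></ClaimsProvider></ClaimsProviders>
</TrustFrameworkPolicy>"""

RELYING_PARTY_XML = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <RelyingParty>
    <TechnicalProfile Id="PolicyProfile">
      <OutputClaims><OutputClaim ClaimTypeReferenceId="otherMails" PartnerClaimType="emails" /></OutputClaims>
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>"""

if __name__ == "__main__":
    for line in check_policy([EXTENSIONS_XML, RELYING_PARTY_XML]) or ["OK: otherMails is wired through"]:
        print(line)
```

Run it against your own TrustFrameworkBase.xml, TrustFrameworkExtensions.xml and SignUpOrSignin.xml (read the files and pass their contents as the list) after editing and before uploading; a profile reported as "not found" usually means the file that defines it was not included in the list.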

With Chris Padgett's answer, you can add other emails (alternate emails) into the claim.

If you just want to add the email claim from the sign-in name into the token, you can take the following steps:

  1. Open your SignUporSignIn.xml file

  2. Replace <OutputClaim ClaimTypeReferenceId="email" /> with <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email" />

  3. Save this SignUporSignIn.xml file and upload it to Azure AD B2C to overwrite the policy.

  4. Run the SignUporSignIn policy to test it. Here is my test result; you can see the email claim in the token: [screenshot of the decoded token not reproduced here]

Wayne Yang