
Azure AD B2C Custom Policy is failing validation and there is no reference to what is causing the validation error.

I already had custom policies defined for my application to start with and everything works fine prior to my adding a simple companyName string to the signup process. I followed the steps detailed in this guide to add a field to collect at signup. I ran into issues uploading the signup_signin custom policy after successfully uploading the TrustFrameworkBase policy. It was telling me that

Validation failed: 1 validation error(s) found in policy "B2C_1A_SIGNUP_SIGNIN" of tenant "xxxxx".Output Claim 'companyName' is not supported in Azure Active Directory Provider technical profile 'AAD-UserReadUsingObjectId' of policy 'B2C_1A_signup_signin'. If it is a claim with default value, add AlwaysUseDefaultValue="true" to the output claim mapping.

So I did as suggested and added the AlwaysUseDefaultValue="true" and DefaultValue="" attributes to the OutputClaim in the 'AAD-UserReadUsingObjectId' technical profile. This allowed me to upload the policy file successfully.

However, when I test the signup_signin policy, I get a message stating

Unable to validate the information provided.

I have Application Insights setup for this tenant as well and see the equally vague error message

Error returned was 400/Request_BadRequest: One or more property values specified are invalid.

I added the claim type to the claims schema in FrameworkBase:

<ClaimType Id="companyName">
  <DisplayName>Company</DisplayName>
  <DataType>string</DataType>
  <UserHelpText>Your company</UserHelpText>
  <UserInputType>TextBox</UserInputType>
</ClaimType>

I added the PersistedClaim to TechnicalProfile 'AAD-UserWriteUsingLogonEmail': <PersistedClaim ClaimTypeReferenceId="companyName" />

I added the OutputClaim to TechnicalProfiles 'AAD-UserReadUsingEmailAddress': <OutputClaim ClaimTypeReferenceId="companyName" /> and 'AAD-UserReadUsingObjectId': <OutputClaim ClaimTypeReferenceId="companyName" AlwaysUseDefaultValue="true" DefaultValue="" />

I added the OutputClaim to signup_signin.xml as well: <OutputClaim ClaimTypeReferenceId="companyName" />

I expect the user to be signed up successfully, but I get the validation error above instead.

basquiatraphaeu

1 Answer

That example uses "city".

"Your Azure AD B2C directory comes with a built-in set of attributes. Examples are Given Name, Surname, City, Postal Code, and userPrincipalName."

So "city" is in the schema.

I assume from the error that "companyName" isn't.

To add that, you use a custom attribute.

So it would be "extension_companyName".

rbrayb
    So is the "extension_" prefix required for attributes that don't exist in the schema? – David Millican Jul 25 '19 at 12:47
  • 1
    Looks like you solved it but the answer is "Yes". Note the name is "expanded" if you access via the Graph API - https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet#use-custom-attributes – rbrayb Jul 25 '19 at 18:38
  • In case you have already added the custom attribute to the schema and the error persists, make sure the data types declared in the policy match the one on the portal, i.e. Graph API. – basquiatraphaeu Feb 03 '22 at 15:03
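Putting the answer and the comments together, this is how the claim would be declared and wired through the same technical profiles the question lists, using the extension_ prefix. It is an added example, not the asker's policy or the answerer's code; the AAD-Common metadata items and the LocalAccountSignUpWithLogonEmail profile are assumptions taken from the standard B2C starter pack, and the GUIDs are placeholders to be replaced with the tenant's own values.

```xml
<!-- TrustFrameworkBase / Extensions: declare the custom attribute with the extension_ prefix.
     DataType must match the type the attribute was created with in the portal / Graph API
     (see the last comment above). -->
<ClaimType Id="extension_companyName">
  <DisplayName>Company</DisplayName>
  <DataType>string</DataType>
  <UserHelpText>Your company</UserHelpText>
  <UserInputType>TextBox</UserInputType>
</ClaimType>

<!-- Assumption (starter pack): extension attributes live on the b2c-extensions-app, so
     AAD-Common needs that app's IDs. Placeholder GUIDs below. -->
<TechnicalProfile Id="AAD-Common">
  <Metadata>
    <Item Key="ApplicationObjectId">00000000-0000-0000-0000-000000000000</Item>
    <Item Key="ClientId">00000000-0000-0000-0000-000000000000</Item>
  </Metadata>
</TechnicalProfile>

<!-- Assumption: the self-asserted sign-up profile collects the value from the user -->
<TechnicalProfile Id="LocalAccountSignUpWithLogonEmail">
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="extension_companyName" />
  </OutputClaims>
</TechnicalProfile>

<!-- Persist it when the account is created -->
<TechnicalProfile Id="AAD-UserWriteUsingLogonEmail">
  <PersistedClaims>
    <PersistedClaim ClaimTypeReferenceId="extension_companyName" />
  </PersistedClaims>
</TechnicalProfile>

<!-- Read it back; no AlwaysUseDefaultValue workaround once the directory has the attribute -->
<TechnicalProfile Id="AAD-UserReadUsingEmailAddress">
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="extension_companyName" />
  </OutputClaims>
</TechnicalProfile>
<TechnicalProfile Id="AAD-UserReadUsingObjectId">
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="extension_companyName" />
  </OutputClaims>
</TechnicalProfile>

<!-- Relying party (signup_signin.xml): PartnerClaimType sets the name the application sees -->
<OutputClaim ClaimTypeReferenceId="extension_companyName" PartnerClaimType="companyName" />
```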