
I am using Azure AD B2C and custom policies to manage users and provide the sign-in experience. I noticed that there is an inbuilt (not a custom extension) attribute named companyName which I am updating with the user's company information. I am able to update this field's value via the Graph API and retrieve it respectively. Once this value is updated I am trying to include it in the claims and send it to the client application; however I am running into an issue. I have made sure to include a claim in the TrustFrameworkBase policy like below

<ClaimType Id="companyName">
  <DisplayName>companyName</DisplayName>
  <DataType>string</DataType>
</ClaimType>

Also I have updated the AAD-UserReadUsingObjectId technical profile, which is responsible for making a Graph call (after successful authentication) and getting all user attributes. Here is the definition of the AAD-UserReadUsingObjectId technical profile

<TechnicalProfile Id="AAD-UserReadUsingObjectId">
          <Metadata>
            <Item Key="Operation">Read</Item>
            <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
          </Metadata>
          <IncludeInSso>false</IncludeInSso>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
          </InputClaims>
          <OutputClaims>
            <!-- Optional claims -->
            <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" />
            <OutputClaim ClaimTypeReferenceId="displayName" />
            <OutputClaim ClaimTypeReferenceId="mobile" />
            <OutputClaim ClaimTypeReferenceId="country" />
            <OutputClaim ClaimTypeReferenceId="postalCode" />
            <OutputClaim ClaimTypeReferenceId="state" />
            <OutputClaim ClaimTypeReferenceId="company" />
            <OutputClaim ClaimTypeReferenceId="companyName" />
            <OutputClaim ClaimTypeReferenceId="surname" />
            <OutputClaim ClaimTypeReferenceId="givenName" />
            <OutputClaim ClaimTypeReferenceId="email" />
            <OutputClaim ClaimTypeReferenceId="objectId" />
            <!--Adding custom attribute start-->
            <OutputClaim ClaimTypeReferenceId="otherMails" />
            <OutputClaim ClaimTypeReferenceId="extension_UserGuid" />
            <OutputClaim ClaimTypeReferenceId="extension_StatusFlag" />
            <OutputClaim ClaimTypeReferenceId="extension_EZUserName" />
            <OutputClaim ClaimTypeReferenceId="CurrentTime" />
            <!--Adding custom attribute end-->
          </OutputClaims>
          <OutputClaimsTransformations>
            <OutputClaimsTransformation ReferenceId="GetSystemDateTime" />
          </OutputClaimsTransformations>
          <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>

and finally I have included this companyName claim in the user journey output claims.

Even after doing all this I noticed that the companyName claim is not inside the token returned by Azure AD B2C. To troubleshoot further I enabled Application Insights for my policies and I observed a weird behavior.

When Azure AD B2C makes a Graph call while executing the AAD-UserReadUsingObjectId technical profile it forms a query something like https://graph.windows.net/f17d6207-7c3a-4d29-b802-ad5429b2a8d8/users/77669822-8034-4666-9800-8b614c0ccbfc?api-version=1.6-integrationOnly and the output of this Graph API call does not include the companyName attribute at all; however when I make a Graph API call with a similar query using my application id and secret I do see companyName in the response. The only difference between the query Azure AD B2C makes and the one I am making is the last part of the API URL: Azure AD B2C has -integrationOnly at the end, whereas I don't. I am not sure why the Graph API response is different when Azure AD B2C makes the call vs when I make it.

I can solve this issue by simply adding a new custom extension field and using that instead of companyName, but my point is why I should create a custom attribute when one is provided out of the box, and more importantly it will require me to fix about 1 million existing users. Has anyone come across this type of issue? Any help would be great!

Thanks in Advance!

1 Answer


CompanyName is an O365 built-in attribute. B2C uses the integration-only API version in the backend for its own calls, as you've seen. The only solution is to use the extension attribute. A script to PATCH the users can fix 1 million users in around 12 hrs. When using custom policy, stick to your own custom attributes; there is no real advantage in trying to use default attribute names, and sometimes you find disadvantages. Custom policy only needs you to declare the attribute name as extension_ and it works just like any built-in attribute.

Jas Suri - MSFT
Thanks Jas. I have already stepped forward with using built-in attributes, so at this point changing them is not an option; however going forward for new fields I can do that. My main question is why the integration-only API call would give only a subset of attributes. It looks like the integration-only API has a bug which needs to be addressed by MS, else possibly it may skip custom attributes. As I said in my question this can be easily done with a custom attribute, but my point is how we can trust the integration-only API if it is not returning all the fields. I will reach out to MS seeking clarification. – Rupesh Kumar prasad Dec 05 '19 at 17:50
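The answer's suggested fix is a bulk PATCH that copies each user's built-in companyName into a B2C extension attribute so the custom policy can read it. The script below is an added example written for this thread, not code from the question, the answer, or Microsoft. It assumes Microsoft Graph v1.0 JSON batching (POST to /$batch, at most 20 requests per call) rather than the legacy graph.windows.net endpoint the question shows, and it assumes the B2C naming rule that a custom attribute is stored on the user as extension_<b2c-extensions-app id without dashes>_<Name>; the application id, user records and the fake sender used in the demo are constructed placeholders.

```python
"""Copy the built-in companyName into a B2C extension attribute via Graph $batch.

Added example for this thread; assumes Microsoft Graph v1.0 and the
b2c-extensions-app id is a placeholder you replace with your tenant's value.
"""
import json
import urllib.request
from typing import Callable, Dict, Iterable, Iterator, List, Tuple

BATCH_LIMIT = 20  # Microsoft Graph $batch accepts at most 20 requests per call
GRAPH_BATCH_URL = "https://graph.microsoft.com/v1.0/$batch"
# Placeholder: the application (client) id of the b2c-extensions-app in your tenant.
PLACEHOLDER_APP_ID = "00000000-0000-0000-0000-000000000000"


def extension_attribute_name(app_id: str, name: str) -> str:
    """B2C persists a custom attribute as extension_<appId without dashes>_<Name>."""
    return f"extension_{app_id.replace('-', '')}_{name}"


def build_patch_requests(users: Iterable[Dict], app_id: str, name: str) -> List[Dict]:
    """One PATCH per user that has a companyName; users without one are skipped,
    so re-running the migration never writes empty values into the extension."""
    attr = extension_attribute_name(app_id, name)
    requests: List[Dict] = []
    for user in users:
        value = user.get("companyName")
        if not value:
            continue
        requests.append({
            "id": str(len(requests) + 1),
            "method": "PATCH",
            "url": f"/users/{user['id']}",
            "headers": {"Content-Type": "application/json"},
            "body": {attr: value},
        })
    return requests


def chunk_batches(requests: List[Dict]) -> Iterator[Dict]:
    """Split into $batch bodies of at most BATCH_LIMIT requests; request ids
    must be unique within a batch, so they are renumbered per batch."""
    for start in range(0, len(requests), BATCH_LIMIT):
        chunk = requests[start:start + BATCH_LIMIT]
        yield {"requests": [dict(r, id=str(n + 1)) for n, r in enumerate(chunk)]}


def migrate(users: Iterable[Dict], app_id: str, name: str,
            send: Callable[[Dict], List[Dict]]) -> Tuple[int, List[Dict]]:
    """Run every batch through `send` and tally per-request results.
    `send` takes one batch body and returns Graph's per-request responses
    (each with an 'id' and a 'status'); non-2xx responses are collected so
    they can be retried instead of silently dropped."""
    ok, failed = 0, []
    for batch in chunk_batches(build_patch_requests(users, app_id, name)):
        for resp in send(batch):
            if 200 <= resp["status"] < 300:
                ok += 1
            else:
                failed.append(resp)
    return ok, failed


def graph_sender(access_token: str) -> Callable[[Dict], List[Dict]]:
    """Real sender: POSTs a batch body to Graph with a bearer token (needs the
    User.ReadWrite.All application permission) and returns its 'responses' list."""
    def send(batch: Dict) -> List[Dict]:
        req = urllib.request.Request(
            GRAPH_BATCH_URL,
            data=json.dumps(batch).encode(),
            headers={"Authorization": f"Bearer {access_token}",
                     "Content-Type": "application/json"},
            method="POST",
        )
        with urllib.request.urlopen(req) as r:
            return json.load(r)["responses"]
    return send


if __name__ == "__main__":
    # Constructed sample directory export and an offline fake sender for the demo.
    sample_users = [
        {"id": "11111111-aaaa-4bbb-8ccc-000000000001", "companyName": "Contoso"},
        {"id": "11111111-aaaa-4bbb-8ccc-000000000002"},  # no companyName: skipped
        {"id": "11111111-aaaa-4bbb-8ccc-000000000003", "companyName": "Fabrikam"},
    ]

    def fake_send(batch: Dict) -> List[Dict]:
        return [{"id": r["id"], "status": 204} for r in batch["requests"]]

    done, errors = migrate(sample_users, PLACEHOLDER_APP_ID, "CompanyName", fake_send)
    print(f"patched={done} failed={len(errors)}")
```

To run it against a tenant, feed `migrate` the user list paged from `/users?$select=id,companyName` and pass `graph_sender(token)` as the sender; the returned failure list is what you retry, since a throttled (429) or transient batch entry must not be mistaken for a migrated user. The extension attribute name the script writes is exactly the one the custom policy reads once you declare a ClaimType for `extension_CompanyName` and add it as an OutputClaim of AAD-UserReadUsingObjectId.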