
I'm creating a custom policy in Azure AD B2C to let invited users sign in via another Azure AD (or even ADFS). The problem I have is that a new user gets created when they sign in (rather than the invited user). I have been trying to find the existing user in my AAD using alternativeSecurityId or objectId, and neither of these matches. So I think I need to find the existing user by email, not by any IDs. This too is not working, because I can see my invited user's email is sitting in the otherMails and mail properties (via the Graph API), and apparently I cannot query B2C via these fields.

<TechnicalProfile Id="AAD-ReadUserByEmail">
  <Metadata>
    <Item Key="Operation">Read</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">false</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="emailFromSocialAccount" PartnerClaimType="mail" Required="true" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="displayName" />
    <OutputClaim ClaimTypeReferenceId="givenName" />
    <OutputClaim ClaimTypeReferenceId="surname" />
    <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
  </OutputClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>

Only <InputClaim ClaimTypeReferenceId="emailFromSocialAccount" PartnerClaimType="signInNames.emailAddress" Required="true" /> passes validation, but this field does not contain any data.

How do I find the invited user?

Narayana
  • How are you inviting the user? Can you share a Graph API dump of this "invited user"? – Jas Suri - MSFT Aug 28 '20 at 01:00
  • Do you mean the guest user in the Azure AD B2C -> User in the portal, and you cannot sign in with them? – unknown Aug 31 '20 at 02:21
  • Yes, the invite user flow (or via the Graph API). It seems the objectId I get there cannot be recreated when the user signs in, and a new, different objectId is created. – Narayana Sep 03 '20 at 07:17
  • A guest user cannot be authenticated by a sign-in policy because policies are scoped to users that are created as local and social account users. The invite process creates Azure AD guest accounts, not B2C accounts. The guest user can be signed in using the social identity provider, and the email address is stored in the `otherMails` property. Only the `otherMails` and `signInNames` properties are exposed through the Microsoft Graph API. – Raghavendra beldona Sep 26 '20 at 17:17
  • Is it possible to query otherMails or signInNames property? @Raghavendra-MSFTIdentity – Narayana Sep 28 '20 at 05:27
  • The `signInNames` property is not available in the Graph API. You can get the email of the Azure AD B2C user from the identities collection using the query `https://graph.microsoft.com/beta/users/userid?select=identities` – Raghavendra beldona Sep 28 '20 at 10:09

0 Answers
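The lookup the last comment points at, done from outside the policy: since the AAD technical profile can only read by `signInNames.emailAddress`, the practical way to find an existing account by e-mail is a Microsoft Graph `$filter` on the `identities` collection (for B2C local accounts) and, for invited guests, on `otherMails`. The following is an added Python example, not code from the question, the commenters, or Microsoft. It assumes a tenant issuer name `contoso.onmicrosoft.com`, constructed sample users, and a hypothetical `fetch_json` callable so the module runs offline; the `otherMails/any(...)` filter is a Graph feature the comments do not mention, so verify it against your own tenant.

```python
"""Find an Azure AD B2C user by e-mail through Microsoft Graph (added example)."""
import json
import re
import urllib.parse
import urllib.request
from typing import Callable, Optional

GRAPH = "https://graph.microsoft.com/v1.0"
SELECT = "id,displayName,userType,identities,otherMails"


def odata_quote(value: str) -> str:
    """Quote a string literal for an OData $filter (a single quote is doubled)."""
    return "'" + value.replace("'", "''") + "'"


def identities_filter(email: str, issuer: str) -> str:
    """Filter for a B2C local account whose sign-in name is `email`.
    B2C stores it in `identities` as signInType=emailAddress, issuer=<tenant>."""
    return "identities/any(c:c/issuerAssignedId eq %s and c/issuer eq %s)" % (
        odata_quote(email), odata_quote(issuer))


def other_mails_filter(email: str) -> str:
    """Filter for an invited (guest) user whose e-mail sits in otherMails (assumption)."""
    return "otherMails/any(x:x eq %s)" % odata_quote(email)


def user_query_url(filter_expr: str) -> str:
    """Build the Graph URL; urlencode escapes the spaces and quotes in the filter."""
    return "%s/users?%s" % (GRAPH, urllib.parse.urlencode(
        {"$filter": filter_expr, "$select": SELECT}))


def graph_fetch_json(url: str, access_token: str) -> dict:
    """Real transport: GET with a bearer token. Not used by the offline demo below."""
    req = urllib.request.Request(url, headers={
        "Authorization": "Bearer " + access_token, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def find_user_by_email(email: str, issuer: str,
                       fetch_json: Callable[[str], dict]) -> Optional[dict]:
    """Return the single matching user, or None.
    Local accounts (identities) are tried first, then guests (otherMails).
    More than one hit raises instead of silently picking one, because the
    caller is about to link a sign-in to that account."""
    for filt in (identities_filter(email, issuer), other_mails_filter(email)):
        hits = fetch_json(user_query_url(filt)).get("value", [])
        if len(hits) > 1:
            raise ValueError("%r matches %d users; refusing to guess" % (email, len(hits)))
        if hits:
            return hits[0]
    return None


# Constructed sample directory: one B2C local account and one invited guest.
SAMPLE_USERS = [
    {"id": "11111111-aaaa-4bbb-8ccc-000000000001", "displayName": "Local Alice",
     "userType": "Member", "otherMails": [],
     "identities": [{"signInType": "emailAddress", "issuer": "contoso.onmicrosoft.com",
                     "issuerAssignedId": "alice@example.com"}]},
    {"id": "11111111-aaaa-4bbb-8ccc-000000000002", "displayName": "Invited Bob",
     "userType": "Guest", "otherMails": ["bob@partner.example"],
     "identities": [{"signInType": "userPrincipalName", "issuer": "contoso.onmicrosoft.com",
                     "issuerAssignedId": "bob_partner.example#EXT#@contoso.onmicrosoft.com"}]},
]


def sample_fetch_json(url: str) -> dict:
    """Offline stand-in for Graph: evaluates the two filter shapes above against
    SAMPLE_USERS, matching only the e-mail literal (constructed, not Graph itself)."""
    filt = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["$filter"][0]
    email = re.search(r"eq '((?:[^']|'')*)'", filt).group(1).replace("''", "'")
    if filt.startswith("identities/"):
        hits = [u for u in SAMPLE_USERS
                if any(i["issuerAssignedId"] == email for i in u["identities"])]
    else:
        hits = [u for u in SAMPLE_USERS if email in u["otherMails"]]
    return {"value": hits}


if __name__ == "__main__":
    for addr in ("alice@example.com", "bob@partner.example", "nobody@example.com"):
        user = find_user_by_email(addr, "contoso.onmicrosoft.com", sample_fetch_json)
        print(addr, "->", user["id"] if user else "not found")
```

Swap `sample_fetch_json` for `lambda u: graph_fetch_json(u, token)` with an app token holding `User.Read.All` to run it against a tenant. Whatever the lookup returns, only link an incoming federated sign-in to that account when the external identity provider asserts a verified e-mail address; an unverified address from an external IdP matched by e-mail alone lets one party claim another's invited account.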