
Note that this ties in with a previous question, but I've gained a bit of a better understanding of Azure Active Directory (AAD) with custom policies.

Is it possible to query AAD by using a custom claim? For example, I want to use a claim called organizationName (extension_organizationName) to check whether it's already defined. If it was already defined, then I don't want to create the account.

Here's the claim provider that I wrote up to determine this:

    <ClaimsProvider>
      <DisplayName>Azure Active Directory</DisplayName>
      <TechnicalProfiles>
        <!-- Attempts to read an account by the custom extension_organizationName attribute,
             without raising an error if no matching account is found -->
        <TechnicalProfile Id="AAD-UserReadOrganization-NoError">
          <Metadata>
            <Item Key="Operation">Read</Item>
            <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">false</Item>
          </Metadata>
          <InputClaims>
            <!-- Key claim used for the lookup -->
            <InputClaim ClaimTypeReferenceId="extension_organizationName" Required="true" />
          </InputClaims>
          <OutputClaims>
            <!-- Required claims -->
            <OutputClaim ClaimTypeReferenceId="tempOrganization" />
          </OutputClaims>
          <IncludeTechnicalProfile ReferenceId="AAD-Common" />
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>

However, I got the same validation error that I've hit previously, but for a different reason:

Unable to validate the information provided.

If I can't query for an organization, then how else can I check if a custom claim value already exists inside AAD?

Joseph Woolf

2 Answers


You cannot query Azure AD using random claims. You can query using only unique claims. From https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-technical-profile#inputclaims

To read, update, or delete an existing user account, the input claim is a key that uniquely identifies the account in Azure AD directory. For example, objectId, userPrincipalName, signInNames.emailAddress, signInNames.userName, or alternativeSecurityId.

If your scenario requires the organization name to be unique, you can consider suffixing it to the user principal name. A better explanation of the scenario might help in answering.

Abhishek Agrawal
  • The organization name is only unique for the admin who creates an organizational account. Users who are invited by admin automatically share the same organization name – Joseph Woolf Feb 24 '21 at 22:36
  • You can keep this list of already created organizations in your database as well, instead of AzureAd. Then using RestAPI you can block or allow a registration. It will be faster. – Abhishek Agrawal Feb 24 '21 at 23:40
  • True. I'll go with that solution. Thanks – Joseph Woolf Feb 24 '21 at 23:41

As Abhishek stated, you cannot query AAD B2C using your custom extension_organizationName claim. An alternative solution would be to check whether the organization claim is already present in AAD by calling a custom REST API, which queries AAD via the Graph API (similar to the way it is described in this blogpost).

Barbara
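Putting the two answers together, here is an added example (not code from the question or from either answer) of the back end such a REST API technical profile would call: it receives the claim B2C posts, asks Microsoft Graph whether any user already carries that organization name, and answers in the shape B2C expects (HTTP 200 with output claims to continue, HTTP 409 with a userMessage to stop sign-up). Everything not on the page is an assumption of the example: the JSON field is named organizationName (mapped with PartnerClaimType), the extensions-app client ID is a placeholder, and the live Graph call is replaced by a constructed user list so the code runs offline.

```python
"""Added example, not code from the question or either answer: a minimal
back end for an Azure AD B2C REST API (RestfulProvider) technical profile
that refuses sign-up when an organization name is already taken.

Assumptions not stated on the page: B2C posts its input claims as a JSON
object whose field is "organizationName" (mapped with PartnerClaimType);
uniqueness is checked with a Microsoft Graph $filter on the B2C extension
attribute extension_<extensions-app-id-without-dashes>_organizationName;
the extensions-app client ID below is a constructed placeholder.
"""
import json
import urllib.request
from typing import Callable, Dict, List, Tuple
from urllib.parse import quote

# Client ID of the tenant's b2c-extensions-app (constructed placeholder).
B2C_EXTENSIONS_APP_ID = "11111111-2222-3333-4444-555555555555"
GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"
CLAIM = "organizationName"


def extension_attribute(name: str, app_id: str = B2C_EXTENSIONS_APP_ID) -> str:
    """B2C stores custom attribute <name> as extension_<appId without dashes>_<name>."""
    return f"extension_{app_id.replace('-', '')}_{name}"


def graph_filter(org_name: str) -> str:
    """OData filter matching users that already carry this organization name.

    The value comes from an untrusted sign-up form, so it is emitted as an
    OData string literal with embedded single quotes doubled instead of being
    pasted in raw; otherwise a name like  x' or id ne '  rewrites the filter.
    """
    literal = org_name.replace("'", "''")
    return f"{extension_attribute(CLAIM)} eq '{literal}'"


def graph_filter_url(org_name: str) -> str:
    """Full Graph URL; $select/$top keep the response to the one field needed."""
    return f"{GRAPH_USERS}?$filter={quote(graph_filter(org_name), safe='')}&$select=id&$top=1"


def org_exists_in_graph(org_name: str, access_token: str) -> bool:
    """Live check: one GET with an app-only token (needs User.Read.All). Not run offline."""
    req = urllib.request.Request(
        graph_filter_url(org_name), headers={"Authorization": f"Bearer {access_token}"}
    )
    with urllib.request.urlopen(req) as resp:
        return bool(json.load(resp).get("value"))


# Constructed stand-in for the directory so the example runs offline.
CONSTRUCTED_USERS: List[Dict[str, str]] = [
    {"id": "user-1", extension_attribute(CLAIM): "Contoso"},
    {"id": "user-2", extension_attribute(CLAIM): "Fabrikam"},
]


def org_exists_in_list(org_name: str, users: List[Dict[str, str]] = CONSTRUCTED_USERS) -> bool:
    """Offline stand-in for org_exists_in_graph; compares case-insensitively so
    that 'contoso' cannot be registered beside 'Contoso'."""
    attr = extension_attribute(CLAIM)
    return any(u.get(attr, "").casefold() == org_name.casefold() for u in users)


def b2c_error(status: int, message: str) -> Dict[str, object]:
    """Body shape B2C expects from a REST technical profile on failure; with
    HTTP 409 the userMessage is shown to the user and the journey stops."""
    return {"version": "1.0.0", "status": status, "userMessage": message}


def handle_b2c_request(body: bytes, org_exists: Callable[[str], bool]) -> Tuple[int, Dict[str, object]]:
    """Validation technical profile handler: returns (HTTP status, JSON body).
    200 hands the normalised claim back to the policy; anything else blocks sign-up."""
    try:
        claims = json.loads(body)
        org_name = claims[CLAIM]
    except (ValueError, KeyError, TypeError):
        return 400, b2c_error(400, "Request must be a JSON object with an organizationName claim.")
    if not isinstance(org_name, str) or not org_name.strip():
        return 409, b2c_error(409, "Organization name is required.")
    org_name = org_name.strip()
    if org_exists(org_name):
        return 409, b2c_error(409, f"An organization named '{org_name}' already exists.")
    return 200, {CLAIM: org_name}


if __name__ == "__main__":
    for raw in (b'{"organizationName": "contoso"}', b'{"organizationName": "Initech"}'):
        print(raw.decode(), "->", handle_b2c_request(raw, org_exists_in_list))
```

On the policy side this endpoint would sit behind a technical profile using the RestfulProvider handler and be referenced as a ValidationTechnicalProfile on the sign-up step, so the 409 stops the journey before the AAD-UserWrite profile ever runs. Two caveats worth keeping in mind: the check is a read followed by a separate write, so two concurrent sign-ups for the same name can both pass (the same race exists with the database approach suggested in the comments), and the organization name is user input, which is why the filter literal is escaped rather than concatenated.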