
If I add Azure AD as an IDP to B2C using a built-in sign-up policy and sign up with an existing Azure AD user (i.e. federation), the "placeholder" on B2C has a source of "Federated Azure Active Directory". The signed-up user has a UPN.

I can't seem to sign in to B2C using a custom sign-in policy with that user name?

It says "Account does not exist. Please sign-up". I assume you can't mix and match built-in and custom?

I have to sign up and sign in using custom policies to get the sign-in to work.

In this case, the source of the "placeholder" is "Other".

The problem is that this signed-up user does not have a UPN.

Is there a way to get a UPN?

Or is this by design?

rbrayb
  • Thanks @rbryab and please follow the document and let us know if you need more information - https://stackoverflow.com/questions/51752979/azure-b2c-ad-is-the-email-address-mandatory-for-local-accounts-identity-provide – Jit_MSFT Mar 22 '21 at 12:13
  • Thanks, @Jit_MSFT. But that article refers to having to provide an email address when you use username. My question is around why federation is different between built-in and custom policies. In particular, custom policies do not provide a UPN on signup and I need it. I cannot ask the user to enter a UPN when they sign-up! – rbrayb Mar 22 '21 at 19:26

1 Answer

The reason is that the Issuer used in the user flow is different from the one used in the custom policy.

If you return the user via MS Graph (beta version), compare the Identities array of a user signed up via custom policy versus user flow (for AAD). The issuer will be different (login.microsoftonline.com vs sts.windows.net). The combination of Issuer and AAD objectId is used to create and locate the user. Due to the mismatch, a user signed up via AAD federation with a user flow can't sign in via a custom policy; the account won't be found.

By analysing the Identities object on the users, you can take the value of the Issuer property on the account created with the user flow, and insert it into your AAD Custom Policy Technical Profile for the claim called "IdentityProvider".

Change this

<OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />

To

<OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="ISSUER FROM USER FLOW USER" />

https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant?pivots=b2c-custom-policy#configure-azure-ad-as-an-identity-provider-1

Jas Suri - MSFT
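As an added example, not part of the answer above or of any Microsoft code: a small Python model of the (issuer, issuerAssignedId) lookup the answer describes, run over constructed MS Graph user records. The tenant and objectId GUIDs are placeholders, and the two issuer URL formats are assumptions based on the AAD v1 (sts.windows.net) and v2 (login.microsoftonline.com) token endpoints.

```python
from __future__ import annotations

# Added example, not from the original post. Models how B2C locates a federated
# account by the (issuer, issuerAssignedId) pair stored in the MS Graph
# `identities` array, so the user-flow vs custom-policy issuer mismatch is visible.
TENANT_ID = "00000000-0000-0000-0000-000000000001"      # placeholder tenant GUID
AAD_OBJECT_ID = "11111111-2222-3333-4444-555555555555"  # placeholder AAD user objectId

# Issuer strings as they appear in the `identities` array (assumed formats).
USER_FLOW_ISSUER = f"https://sts.windows.net/{TENANT_ID}/"
CUSTOM_POLICY_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"

# Constructed copy of what a user-flow sign-up stores in the B2C directory.
USER_FLOW_USER = {
    "displayName": "Alice (signed up via user flow)",
    "identities": [
        {"signInType": "federated", "issuer": USER_FLOW_ISSUER,
         "issuerAssignedId": AAD_OBJECT_ID},
    ],
}


def federated_identity(user: dict) -> dict | None:
    """Return the federated entry from a Graph user's identities array, if any."""
    for identity in user.get("identities", []):
        if identity.get("signInType") == "federated":
            return identity
    return None


def find_user(users: list[dict], issuer: str, issuer_assigned_id: str) -> dict | None:
    """Mimic B2C's lookup: both issuer and issuerAssignedId must match exactly."""
    for user in users:
        fed = federated_identity(user)
        if fed and fed["issuer"] == issuer and fed["issuerAssignedId"] == issuer_assigned_id:
            return user
    return None  # B2C surfaces this as "Account does not exist. Please sign-up"


def output_claim_for(user: dict) -> str:
    """Build the OutputClaim line from the answer, pinning DefaultValue to the
    issuer stored on the user-flow account so the custom policy matches it."""
    fed = federated_identity(user)
    if fed is None:
        raise ValueError("user has no federated identity")
    return (f'<OutputClaim ClaimTypeReferenceId="identityProvider" '
            f'DefaultValue="{fed["issuer"]}" />')


if __name__ == "__main__":
    directory = [USER_FLOW_USER]
    print("custom policy lookup:", find_user(directory, CUSTOM_POLICY_ISSUER, AAD_OBJECT_ID))
    print("user flow lookup:", find_user(directory, USER_FLOW_ISSUER, AAD_OBJECT_ID)["displayName"])
    print(output_claim_for(USER_FLOW_USER))
```

The first lookup returns None even though the objectId matches, which is exactly the "account won't be found" failure the answer explains; the last line is the DefaultValue to paste into the Technical Profile.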