
We're having a problem with AAD-UserWriteUsingAlternativeSecurityId because AlternativeSecurityId exists, but it is derived from a ClaimsTransformation that receives two InputClaims:

  1. issuerUserId
  2. issuer

The issue stays the same: issuerUserId changes, yet the error message remains. I checked in the Graph Users endpoint whether the new issuerUserId really exists, but the output was:

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#users",
    "value": []
}

The message displayed when AAD-UserWriteUsingAlternativeSecurityId fails is:

"Message": "The technical Profile with id \"AAD-UserWriteUsingAlternativeSecurityId\" in Policy id \"B2C_1A_signup_signin_ahold_adfs of Tenant id \"arqlogindev.onmicrosoft.com\" requires that an error be raised if a claims principal record already exists for storing claims. A claims principal of type \"User\" with identifier claim type id \"alternativeSecurityId\" does already exist.",

One question, to understand the entire scenario: how does the ClaimsTransformation method "CreateAlternativeSecurityId" work internally to generate a unique key for writing the user? Is it possible to query by alternativeSecurityId in the Microsoft Graph Users endpoint (or is it just the identities object, without the key/hash generated by the claims transformation)?

Reni Dantas

1 Answer


AltSecId lives in the Identities array returned by dumping the user via the MS Graph API beta/users/{objectId} endpoint.

It is just the combination of the issuerUserId and issuer claims derived from the identity provider used in your B2C custom flow or user flow.

IssuerAssignedId is the objectId or id from the token that the federated IdP returns to B2C, and issuer is some value like facebook.com, which is decided by you.

The issue is you are writing a combination that already exists.

Jas Suri - MSFT
  • The combination does not exist (there was a print above with an empty value object), but I have another question: does the issuerAssignedId recognize the domain (for example, antonio@company.com) in the concatenation, or does it just split and concatenate antonio with the issuer domain, like antonio@facebook.com instead of antonio@company.com@facebook.com? – Reni Dantas Mar 27 '22 at 07:03
  • Issuer is defined as an OutputClaim with a DefaultValue in the technical profile for the federated identity provider. – Jas Suri - MSFT Mar 28 '22 at 08:04
  • Jas, the question was about the issuerAssignedId.. – Reni Dantas Mar 28 '22 at 14:41
  • issuerAssignedId is the unique id from the social IdP. You can see this in the output claims mapping too. It's never anything to do with email or domain name (by default). – Jas Suri - MSFT Mar 28 '22 at 23:20
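An added, offline example (my own code, not from the thread, from Microsoft, or from the B2C policy discussed): it builds the Graph `$filter` that looks a user up by the (issuer, issuerAssignedId) pair the answer describes, and runs the same "already exists" check over a constructed sample Graph response, so you can see ahead of the B2C write who already owns the pair. The object ids, the issuer name `contoso-adfs` and the tenant name in the sample are invented placeholders; the filter shape `identities/any(c:c/issuer eq ... and c/issuerAssignedId eq ...)` is the documented Graph pattern for this lookup.

```python
# Added example (not from the original thread or Microsoft): reproduce the
# "already exists" check on the (issuer, issuerAssignedId) pair and build the
# Graph lookup for it. Everything runs offline; SAMPLE_RESPONSE is a
# constructed Graph payload with invented ids and an invented issuer name.
import urllib.parse

GRAPH_USERS = "https://graph.microsoft.com/beta/users"  # beta, as in the question


def identity_entry(issuer: str, issuer_assigned_id: str) -> dict:
    """The `identities` element a federated B2C account carries in Graph.
    signInType 'federated' marks accounts that sign in through an external IdP.
    issuerUserId in the policy maps to issuerAssignedId here."""
    return {"signInType": "federated",
            "issuer": issuer,
            "issuerAssignedId": issuer_assigned_id}


def odata_quote(value: str) -> str:
    """OData string literal: single-quoted, embedded quotes doubled.
    Quoting matters because issuerAssignedId comes straight from the IdP's token."""
    return "'" + value.replace("'", "''") + "'"


def identities_filter(issuer: str, issuer_assigned_id: str) -> str:
    """$filter matching a user that holds exactly this identity pair.
    Both fields are given because the pair, not either half, is the key."""
    return ("identities/any(c:c/issuer eq {} and c/issuerAssignedId eq {})"
            .format(odata_quote(issuer), odata_quote(issuer_assigned_id)))


def lookup_url(issuer: str, issuer_assigned_id: str, base: str = GRAPH_USERS) -> str:
    """Full GET URL to run before the B2C write to see who owns the pair."""
    query = urllib.parse.urlencode(
        {"$filter": identities_filter(issuer, issuer_assigned_id),
         "$select": "id,identities"},
        safe="/", quote_via=urllib.parse.quote)
    return f"{base}?{query}"


def find_conflict(graph_response: dict, issuer: str, issuer_assigned_id: str):
    """Return the id of the user already holding (issuer, issuerAssignedId),
    or None. issuerAssignedId is compared verbatim: no splitting at '@' and no
    concatenation with the issuer, so 'antonio@company.com' under issuer
    'contoso-adfs' is one pair and 'antonio' under the same issuer is another."""
    for user in graph_response.get("value", []):
        for ident in user.get("identities", []):
            if (ident.get("signInType") == "federated"
                    and ident.get("issuer") == issuer
                    and ident.get("issuerAssignedId") == issuer_assigned_id):
                return user["id"]
    return None


# Constructed sample of what GET beta/users?$select=id,identities could return
# for a tenant with one local account and one ADFS-federated account.
SAMPLE_RESPONSE = {
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#users(id,identities)",
    "value": [
        {"id": "11111111-1111-1111-1111-111111111111",
         "identities": [
             {"signInType": "emailAddress", "issuer": "example.onmicrosoft.com",
              "issuerAssignedId": "local.user@example.com"}]},
        {"id": "22222222-2222-2222-2222-222222222222",
         "identities": [
             {"signInType": "userPrincipalName", "issuer": "example.onmicrosoft.com",
              "issuerAssignedId": "cpim_2222@example.onmicrosoft.com"},
             identity_entry("contoso-adfs", "antonio@company.com")]},
    ],
}

if __name__ == "__main__":
    print(lookup_url("contoso-adfs", "antonio@company.com"))
    # The pair B2C is about to write collides with user 2222...:
    print(find_conflict(SAMPLE_RESPONSE, "contoso-adfs", "antonio@company.com"))
    # A different issuerUserId under the same issuer is free:
    print(find_conflict(SAMPLE_RESPONSE, "contoso-adfs", "antonio2@company.com"))
```

The practical point for the thread: the empty `value` array in the question came from a query that did not filter on both halves of the pair, so it does not prove the pair is free. Run the URL `lookup_url` produces (with the issuer value your federated technical profile emits and the exact issuerUserId from the token) and the response will name the user B2C is colliding with, or come back empty if the pair really is unused.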