I have a web application that uses Azure AD B2C, with custom policies, for security. When I look at the user accounts in the Azure AD B2C portal, I can see an editable Employee Id field. This field would be very handy to store an internal company employee Id, but I would like to include this field as an output claim in the auth token.

I've read the various documentation about the user profile attributes that are available through the portal, etc (https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-profile-attributes), but EmployeeId is not listed there.

Based on the documentation, I'm assuming EmployeeId is not available to custom policies, but I thought I would ask the question, anyway, to see if anyone has worked out a way to include the property as an output claim in the JWT auth token?

Dazfl

  • You can try modifying the AAD read technical profile to include employeeId, though I'm not sure if the API endpoint they use outputs it. The other option, which will almost certainly work, would be to add a REST technical profile that uses an Azure Function/any other API that then queries for the employeeId through Graph API. – juunas Oct 27 '22 at 09:09
  • I think you need to try extension attributes; user profile attributes are available to built-in flows, but when using custom policies, extension attributes can be an option. Please have a look at the link, https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-flow-custom-attributes?pivots=b2c-custom-policy – Alex Oct 28 '22 at 22:19

2 Answers

Yes, you can surely include the ‘employeeId’ attribute claim in the Azure AD B2C custom policy, as below, so that it is included as an output claim in the authentication token. For that purpose, you will have to define the employee Id as a claim with the proper ‘DisplayName, DataType, UserHelpText, UserInputType’, for which you will have to modify ‘TrustFrameworkExtensions.xml’ as below:

[Image: VS Code B2C policy]

Then, add the claim to the user interface in the local account signup technical profile as below, since you want the ‘employeeId’ attribute to be included as a field in the output claims under ‘LocalAccountSignupwithLogonEmail’:

[Image: Azure AD B2C claim transformation]

Once done, use ‘PersistedClaims’ to write data to the user profile and ‘OutputClaims’ to read data from the user profile within the respective Active Directory technical profiles as above. Then, include the claim in the token in the ‘SignuporSignin.xml’ file; that output claim will be added to the token after a successful user journey. Finally, modify the technical profile element within the relying party section to add ‘employeeId’ as an output claim as below:

[Image: B2C policy output claims]

Once the above things are done, you can upload the custom policy and test it through your web app for the ‘employeeID’ attribute.

For more information regarding this, kindly refer to the below links:

https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-user-input?pivots=b2c-custom-policy

Custom policies Azure AD B2C issue with read the value Employee ID of user of Azure AD

Kartik Bhiwapurkar
  • Thanks for your response @Kartik. I'm not sure this is going to work for me. The Employee ID is being set by an Admin in the Azure AD B2C portal. I want to extract that value when the user signs in and include it as a claim in the auth token. – Dazfl Oct 28 '22 at 02:15

To solve this, I ended up adding a REST API call, in the custom policy, that extracted EmployeeId via Graph API. Great suggestion by @juunas.

This works well, although it would be good if EmployeeId could be exposed as a claim without the REST call as I feel this adds a point of failure to the whole Sign Up/Sign In flow.

But it works.

Dazfl
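The server side of the REST call described in the answer above, as an added example (this is not code from the post, from Dazfl, or from Microsoft). It assumes an Azure Function-style HTTP handler behind the RestfulProvider technical profile: B2C POSTs the profile's input claims as one JSON object, expects a 200 response whose JSON keys match the profile's OutputClaims, and renders a 409 response of the documented shape {version, status, userMessage} as a user-facing error. The Graph lookup (GET /users/{objectId}?$select=employeeId) is injected as a callable so the claim-shaping logic runs offline; the objectId value and the Graph response below are constructed sample data.

```python
"""Claims provider for Azure AD B2C: returns a user's employeeId from Microsoft Graph.

Added example, not the original poster's code. fetch_graph_user(url) stands in for the
authenticated Graph GET a real Azure Function would make (e.g. MSAL client credentials
with the User.Read.All application permission, then requests.get with the bearer token).
"""
import json
import re
from typing import Callable, Dict, Tuple

GRAPH_BASE = "https://graph.microsoft.com/v1.0"
# B2C's objectId is a GUID; refusing anything else keeps the value safe to splice into a URL.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Constructed sample of what Graph returns for GET /users/{id}?$select=employeeId.
SAMPLE_GRAPH_USER = {
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(employeeId)/$entity",
    "employeeId": "E-0042",
}


def graph_user_url(object_id: str) -> str:
    """Request exactly one attribute of exactly one user, never a broader query."""
    if not GUID_RE.match(object_id):
        raise ValueError("objectId is not a GUID")
    return f"{GRAPH_BASE}/users/{object_id}?$select=employeeId"


def b2c_error(user_message: str) -> Tuple[int, Dict]:
    """Error contract B2C shows to the user: HTTP 409 plus version/status/userMessage."""
    return 409, {"version": "1.0.0", "status": 409, "userMessage": user_message}


def handle_b2c_request(body: bytes, fetch_graph_user: Callable[[str], Dict]) -> Tuple[int, Dict]:
    """Handle one claims-exchange call from the policy; returns (http_status, json_body)."""
    try:
        claims = json.loads(body)
    except ValueError:
        return b2c_error("Malformed claims request.")
    object_id = claims.get("objectId") if isinstance(claims, dict) else None
    if not isinstance(object_id, str) or not GUID_RE.match(object_id):
        return b2c_error("Missing or invalid objectId claim.")
    try:
        user = fetch_graph_user(graph_user_url(object_id))
    except Exception:
        # Graph unavailable: fail closed with a fixed message rather than leaking exception text.
        return b2c_error("Employee lookup is temporarily unavailable. Please try again.")
    employee_id = user.get("employeeId")
    if not isinstance(employee_id, str) or not employee_id:
        # Admin has not set the attribute: omit the key so the output claim stays empty
        # and the sign-in journey still completes.
        return 200, {}
    # Key name must match the OutputClaim ClaimTypeReferenceId in the technical profile.
    return 200, {"employeeId": employee_id}


def demo() -> Tuple[int, Dict]:
    """Happy path on the constructed sample: the policy receives employeeId = E-0042."""
    body = json.dumps({"objectId": "11111111-2222-3333-4444-555555555555"}).encode()
    return handle_b2c_request(body, lambda url: SAMPLE_GRAPH_USER)


if __name__ == "__main__":
    print(demo())
```

On the policy side, the RestfulProvider technical profile that calls this handler sends `objectId` as an InputClaim with `SendClaimsIn` set to `Body` and declares `employeeId` as an OutputClaim, so the JSON key returned must be exactly `employeeId`. Because the endpoint hands out a directory attribute for any objectId it is asked about, set the profile's `AuthenticationType` to one of the supported options (Basic, ClientCertificate, Bearer or ApiKeyHeader) and keep the secret in a policy key; an unauthenticated endpoint would be an attribute lookup oracle for anyone who can reach it. Returning 200 with no key when the attribute is unset, and 409 only when Graph itself fails, limits the extra point of failure the answer mentions to genuine outages.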