Searching for user attributes using Azure AD B2C custom policies

This is a question that comes up a lot on Stack Overflow.

“Can I search for attribute x that’s in Azure B2C using custom policies”?

The answer is “No”. To do this, you have to use the Graph API.

The reason is that the user-read technical profiles you see in B2C, e.g.

“AAD-UserReadUsingEmailAddress”

all search on identities, as you can see from the input claim:

<InputClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" Required="true"/>

Identities in B2C look like this:

"identities": [
    {
        "signInType": "userName",
        "issuer": "contoso.onmicrosoft.com",
        "issuerAssignedId": "johnsmith"
    },
    {
        "signInType": "emailAddress",
        "issuer": "contoso.onmicrosoft.com",
        "issuerAssignedId": "jsmith@yahoo.com"
    },
    {
        "signInType": "federated",
        "issuer": "facebook.com",
        "issuerAssignedId": "5eecb0cd"
    }
]

So in this example, you could do a “UserReadUsingEmailAddress” or a “UserReadUsingUsername”.

Federated (social) accounts are slightly different. For those, you need to use “UserReadUsingAlternativeSecurityId”.

There is, however, nothing stopping you from inventing your own identities e.g. in this sample, you can see:

"identities": [
    {
        "signInType": "oidToLink",
        "issuer": "contoso.onmicrosoft.com",
        "issuerAssignedId": "90847c2a-e29d-4d2f-9f54-c5b4d3f26471"
    }
]

The sample is about linking a federated login to a pre-created local account. Here, “oidToLink” is a primary key that links the two together, so you can then use “AAD-FindB2CUserWithAADOid”.

A useful tip here (thanks to Jas): when you want to look up a user by any signInName present on the account, just use “signInNames” as the PartnerClaimType of the input claim to the AAD read technical profile.

So with this collection of signInNames on the account:

"identities": [
    {
        "signInType": "userName",
        "issuer": "fabrikam.onmicrosoft.com",
        "issuerAssignedId": "joeb"
    },
    {
        "signInType": "accountNumber",
        "issuer": "fabrikam.onmicrosoft.com",
        "issuerAssignedId": "11002299"
    }
]

And:

<InputClaim ClaimTypeReferenceId="someId" PartnerClaimType="signInNames" Required="true" />

will resolve either of these signInNames on the account.

e.g. this sample, which allows sign-in with either username or email, has “AAD-UserReadUsingIdentifier” with:

<InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames" Required="true" />
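As an added illustration (not code from the original post), here is a small Python model of how the lookups above treat the identities collection: a single-type read, the “signInNames” read, the alternativeSecurityId read for federated accounts, and the Microsoft Graph $filter you would use for the “use the Graph API” route. The tenant name, objectIds and directory contents are constructed for the example.

```python
from typing import Optional

TENANT = "contoso.onmicrosoft.com"  # assumed local issuer for this tenant

# Constructed sample directory, modelled on the post's identities collections.
USERS = [
    {"objectId": "user-1", "identities": [
        {"signInType": "userName", "issuer": TENANT, "issuerAssignedId": "johnsmith"},
        {"signInType": "emailAddress", "issuer": TENANT, "issuerAssignedId": "jsmith@yahoo.com"},
        {"signInType": "federated", "issuer": "facebook.com", "issuerAssignedId": "5eecb0cd"},
    ]},
    {"objectId": "user-2", "identities": [
        # Local username that happens to equal user-1's Facebook id.
        {"signInType": "userName", "issuer": TENANT, "issuerAssignedId": "5eecb0cd"},
        {"signInType": "accountNumber", "issuer": TENANT, "issuerAssignedId": "11002299"},
    ]},
]

def _find(predicate) -> Optional[str]:
    """Return the objectId of the first user with an identity matching predicate."""
    for user in USERS:
        if any(predicate(i) for i in user["identities"]):
            return user["objectId"]
    return None

def read_using(sign_in_type: str, value: str) -> Optional[str]:
    """AAD-UserReadUsingEmailAddress / UserReadUsingUsername: one local signInType only."""
    return _find(lambda i: i["signInType"] == sign_in_type and i["issuer"] == TENANT
                 and i["issuerAssignedId"] == value)

def read_using_sign_in_names(value: str) -> Optional[str]:
    """PartnerClaimType="signInNames": any local (non-federated) identity on the account."""
    return _find(lambda i: i["signInType"] != "federated" and i["issuer"] == TENANT
                 and i["issuerAssignedId"] == value)

def read_using_alternative_security_id(issuer: str, issuer_assigned_id: str) -> Optional[str]:
    """AAD-UserReadUsingAlternativeSecurityId: federated accounts match on issuer AND id,
    never on the id alone, so user-2's local "5eecb0cd" cannot be mistaken for user-1."""
    return _find(lambda i: i["signInType"] == "federated" and i["issuer"] == issuer
                 and i["issuerAssignedId"] == issuer_assigned_id)

def graph_identity_filter(issuer: str, issuer_assigned_id: str) -> str:
    """OData $filter for GET /users on Microsoft Graph (the route for anything else).
    Single quotes are doubled (the OData escape) so a caller-supplied id stays a literal."""
    esc = lambda s: s.replace("'", "''")
    return (f"identities/any(c:c/issuer eq '{esc(issuer)}' "
            f"and c/issuerAssignedId eq '{esc(issuer_assigned_id)}')")
```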

To get back to the original question: you could search by surname by creating a surname identity as well as keeping surname as an attribute, but that’s probably overkill.

All good!

Rory Braybrook