Looking up users in AAD B2C using extension attributes or unusual standard attributes

This is a follow-up to this question. I need to query AAD B2C to look up a user using an employeeID which, for reasons related to what fields our account provisioning solution can deal with, is currently stored in the telephoneNumber field.

I have created an Azure Active Directory TechnicalProfile which specifies the telephone number as the InputClaim:

<TechnicalProfile Id="AAD-UserReadUsingEmployeeId">
  <Metadata>
    <Item Key="Operation">Read</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
    <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">An account could not be found for the provided ID.</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="telephoneNumber" PartnerClaimType="employeeId" Required="true" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
    <OutputClaim ClaimTypeReferenceId="otherMails" />
    <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" />
    <OutputClaim ClaimTypeReferenceId="signInNames.phoneNumber" />
    <OutputClaim ClaimTypeReferenceId="displayName" />
    <OutputClaim ClaimTypeReferenceId="givenName" />
    <OutputClaim ClaimTypeReferenceId="surname" />
    <OutputClaim ClaimTypeReferenceId="telephoneNumber" />
  </OutputClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>

However, when compiling this policy I get the error:

"Input Claim 'telephoneNumber' is not supported in Azure Active Directory Provider technical profile 'AAD-UserReadUsingEmployeeId'"

I understand from the documentation here that telephoneNumber can only be used as persistentClaim or OutputClaim... so I suppose I may be hitting that limitation. I thought I could wiggle out of this by querying AAD B2C using an extension attribute instead, but there I get confused:

  • The answers to the question I linked to earlier state that you can't query AAD B2C through some random attribute, because the attribute needs to be unique
  • The FIDO2 sample policy here does use an extension attribute to query AAD B2C and look up a user, so it would appear to be possible in some conditions.

So, would I be correct in understanding that

  • You can use any extension attribute to look up a user in AAD B2C, and it's on you to ensure that the attribute values are unique
  • You can't use most of the standard attributes (such as telephoneNumber) to look up users

Or is there something obvious I'm overlooking in the way I've configured the TechnicalProfile?

Thanks!

Solution 1:

These are correct:

  • You can use any extension attribute to look up a user in AAD B2C, and it's on you to ensure that the attribute values are unique
  • You can't use most of the standard attributes (such as telephoneNumber) to look up users
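What the answer describes, written out as an added custom-policy fragment (this is not code from the question, the answer, or the FIDO2 sample): the lookup key becomes an extension attribute instead of telephoneNumber. The claim name extension_employeeId, the profile name AAD-UserReadUsingEmployeeId and the two zeroed application ids are assumptions; the ids must be replaced with the object id and application id of the tenant's b2c-extensions-app, and the AAD-Common metadata shown is merged into the base policy's existing AAD-Common profile.

```xml
<!-- Added example, not part of the original question or answer.
     extension_employeeId and the GUIDs below are assumptions/placeholders. -->
<TrustFrameworkPolicy>
  <BuildingBlocks>
    <ClaimsSchema>
      <!-- Extension attributes are referenced in the policy with the extension_ prefix -->
      <ClaimType Id="extension_employeeId">
        <DisplayName>Employee ID</DisplayName>
        <DataType>string</DataType>
        <UserHelpText>Employee identifier used to locate the account.</UserHelpText>
      </ClaimType>
    </ClaimsSchema>
  </BuildingBlocks>

  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>Azure Active Directory</DisplayName>
      <TechnicalProfiles>
        <!-- AAD-Common needs the b2c-extensions-app ids so the directory can
             resolve extension_* attributes; placeholders, merge into the
             base policy's AAD-Common rather than replacing it -->
        <TechnicalProfile Id="AAD-Common">
          <Metadata>
            <Item Key="ApplicationObjectId">00000000-0000-0000-0000-000000000000</Item>
            <Item Key="ClientId">00000000-0000-0000-0000-000000000000</Item>
          </Metadata>
        </TechnicalProfile>

        <!-- Read profile keyed on the extension attribute instead of telephoneNumber -->
        <TechnicalProfile Id="AAD-UserReadUsingEmployeeId">
          <Metadata>
            <Item Key="Operation">Read</Item>
            <!-- Fail the journey instead of continuing with an empty principal -->
            <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
            <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">An account could not be found for the provided ID.</Item>
          </Metadata>
          <IncludeInSso>false</IncludeInSso>
          <InputClaims>
            <!-- The directory is searched for a user whose extension attribute
                 equals this claim value; no PartnerClaimType mapping is needed -->
            <InputClaim ClaimTypeReferenceId="extension_employeeId" Required="true" />
          </InputClaims>
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="objectId" />
            <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
            <OutputClaim ClaimTypeReferenceId="displayName" />
            <OutputClaim ClaimTypeReferenceId="extension_employeeId" />
          </OutputClaims>
          <IncludeTechnicalProfile ReferenceId="AAD-Common" />
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
</TrustFrameworkPolicy>
```

The directory does not enforce uniqueness on extension attribute values, which is why the answer puts that burden on you: if provisioning ever writes the same employee id to two accounts, the read returns one of them and the journey proceeds against an account the caller did not identify. The check belongs in the provisioning pipeline (reject or alert on a duplicate before it is written), and RaiseErrorIfClaimsPrincipalDoesNotExist set to true keeps a miss from silently continuing the journey with no objectId.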

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution 1: AlfredoRevilla-MSFT