Default user flow is picking up Pre-Created B2C users but Custom Policy is not

Question

Default user flow is picking up Pre-Created B2C users but Custom Policy is not

Hamza Khalid 20

I have a B2C tenant, where I have both, custom Policies and Default User-flows. I have both, local and federated user login setup for both of them.
Now I pre-create the federated users into the B2C, via MS GraphAPI, I give a payload which looks like this

{ 
    "accountEnabled": true,
    "displayName": "{{name}}",
    "givenName": "{{givenName}}",
    "surname": "{{surname}}",
    "mail": "{{email}}",
    "mailNickname": "{{mailNickname}}",
    "userPrincipalName": "{{uuid}}@{{tenantEmail}}",
    "identities": [
      {
        "signInType": "federated",
        "issuer": "{{issuer}}",
        "issuerAssignedId": "{{issuerAssignedId}}"
      }
    ]
}

The default user-flows easily pick this user up when run it. It authenticates them just fine and returns me the claims which include details of that user which I had created in B2C

But for some reason, my Custom Policy doesn't automatically pick the user up when i'm trying to authenticate it. Instead, it gives me this error:

AADB2C99002: This user does not exist and profile 'AAD-UserReadUsingAlternativeSecurityId-NoError' requires the user to have already been created. Correlation ID: ae62678a-3459-47d1-ae3d-ef65cbd7e18e Timestamp: 2025-02-13 14:21:04Z

Note that I've set:

<Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>

I have verified that the issuer and issuerAssignedId are being passed correctly. Are custom policies supposed to pick such pre-created B2C users up automatically? Or does it need to have the alternative security id? Because my customer policy finds the user in this manner:

        <!-- For social IDP authentication, attempt to find the user account in the directory. -->
        <OrchestrationStep Order="6" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>authenticationSource</Value>
              <Value>localAccountAuthentication</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" />
          </ClaimsExchanges>
        </OrchestrationStep>

Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator

2025-02-14T21:50:18.5+00:00

Hi @Hamza Khalid
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Hamza Khalid 20 Reputation points

2025-02-17T12:16:25.61+00:00

Hey @Akhilesh Vallamkonda , thanks for the response. Sorry for the delayed reply because of some internal testing and day off.
Just so we're clear on the problem statement here: Currently I am making B2C users using GraphAPI, in which signInType is federated. Those accounts then, I expect, must be used for the users to sign in using default user-flows and custom policies.

What happening is, say I make a user with certain credentials in B2C using GraphAPI, Default User flows return me the exact user with those credentials stored in B2C

Whereas, Custom Policy (only when <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">false</Item>), returns me a kind of a "shadow response" or token, of a user, and it doesn't even make that user in the B2C directory. It does not pick up the federated user that I make in B2C. I believe its picking up the credentials from the Identity Provider instead, whereas I want the credentials I stored in my B2C, since users will be updated there, and I'd want the user info present in the B2C directory

Does using A B2C IEF Custom Policy which links a Federated login against a pre-created Local Account solve this issue exactly?
Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator

2025-02-17T20:48:17.6233333+00:00

Hi @Hamza Khalid
The document A B2C IEF Custom Policy which links a Federated login against a pre-created Local Account is a samples repository shows how to link a local account with a federated account. This is useful when a user has both a local account and a federated account and wants to link them together. which might suites in your scenario.

Akhilesh Vallamkonda 15,320 Microsoft External Staff Moderator

Hi @Hamza Khalid
Can you please try below

<!-- For social IDP authentication, attempt to find the user account in the directory. -->
<OrchestrationStep Order="6" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimEquals" ExecuteActionsIf="true">
<Value>authenticationSource</Value>
<Value>localAccountAuthentication</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="AAD-UserReadUsingObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
</ClaimsExchanges>

AAD-UserReadUsingObjectId - Read a user profile of a local or social account.

Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator

2025-02-19T22:34:32.1866667+00:00

Hi @Hamza Khalid
Following up to see if the answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator

2025-02-20T21:54:31.0133333+00:00

Hi @Hamza Khalid
Following up to see if the answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Hamza Khalid 20

@Akhilesh Vallamkonda

thanks for your reply and sorry for the delay in the response. I have tried this but it gives me this error:

AADB2C99002: This user does not exist and profile 'AAD-UserReadUsingObjectId' requires the user to have already been created. Correlation ID: 54e588fb-488e-48c3-b1c8-8e1c4b850db5 Timestamp: 2025-03-17 07:08:27Z

Here's the rest of my orchestration steps for reference:

<!-- Show self-asserted page only if the directory does not have the user account already (i.e. we do not have an objectId). 
          This can only happen when authentication happened using a social IDP. If local account was created or authentication done
          using ESTS in step 2, then an user account must exist in the directory by this time. -->
        <OrchestrationStep Order="7" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>objectId</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- This step reads any user attributes that we may not have received when authenticating using ESTS so they can be sent 
          in the token. -->
        <OrchestrationStep Order="8" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>authenticationSource</Value>
              <Value>socialIdpAuthentication</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- The previous step (SelfAsserted-Social) could have been skipped if there were no attributes to collect 
             from the user. So, in that case, create the user in the directory if one does not already exist 
             (verified using objectId which would be set from the last step if account was created in the directory. -->
        <OrchestrationStep Order="9" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>objectId</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="10" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
      </OrchestrationSteps>

Hamza Khalid 20 Reputation points

2025-03-18T17:51:13.94+00:00

@Akhilesh Vallamkonda following up on this, any updates? :)

1 answer

Your answer

Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator

2025-02-14T21:50:18.5+00:00

Hi @Hamza Khalid
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Hamza Khalid 20 Reputation points

2025-02-17T12:16:25.61+00:00

Hey @Akhilesh Vallamkonda , thanks for the response. Sorry for the delayed reply because of some internal testing and day off.
Just so we're clear on the problem statement here: Currently I am making B2C users using GraphAPI, in which signInType is federated. Those accounts then, I expect, must be used for the users to sign in using default user-flows and custom policies.

What happening is, say I make a user with certain credentials in B2C using GraphAPI, Default User flows return me the exact user with those credentials stored in B2C

Whereas, Custom Policy (only when <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">false</Item>), returns me a kind of a "shadow response" or token, of a user, and it doesn't even make that user in the B2C directory. It does not pick up the federated user that I make in B2C. I believe its picking up the credentials from the Identity Provider instead, whereas I want the credentials I stored in my B2C, since users will be updated there, and I'd want the user info present in the B2C directory

Does using A B2C IEF Custom Policy which links a Federated login against a pre-created Local Account solve this issue exactly?
Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator

2025-02-17T20:48:17.6233333+00:00

Hi @Hamza Khalid
The document A B2C IEF Custom Policy which links a Federated login against a pre-created Local Account is a samples repository shows how to link a local account with a federated account. This is useful when a user has both a local account and a federated account and wants to link them together. which might suites in your scenario.
Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator

2025-02-18T18:49:50.87+00:00

Hi @Hamza Khalid
Can you please try below

 <OrchestrationStep Order="6" Type="ClaimsExchange"> <Preconditions> <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> <Value>authenticationSource</Value> <Value>localAccountAuthentication</Value> <Action>SkipThisOrchestrationStep</Action> </Precondition> </Preconditions> <ClaimsExchanges> <ClaimsExchange Id="AAD-UserReadUsingObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" /> </ClaimsExchanges>

AAD-UserReadUsingObjectId - Read a user profile of a local or social account.
Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator

2025-02-19T22:34:32.1866667+00:00

Hi @Hamza Khalid
Following up to see if the answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator

2025-02-20T21:54:31.0133333+00:00

Hi @Hamza Khalid
Following up to see if the answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Hamza Khalid 20 Reputation points

2025-03-18T17:51:13.94+00:00

@Akhilesh Vallamkonda following up on this, any updates? :)

Answer 1

Hi @Hamza Khalid
Thank you for reaching Microsoft Q&A Forum!
Based on your requirement, I understand that the issue has occured due to claims exchange where you have choosen AAD-UserReadUsingAlternativeSecurityId which actually look up for a social directory. Whereas AAD-UserReadUsingObjectId picks both local or social account which helps in your scenario to pick the pre created Azure AD B2C users.

Please try the below technical profile in your custom policy and if you are able to pick pre-created B2C users up automatically.

<!-- For social IDP authentication, attempt to find the user account in the directory. -->
<OrchestrationStep Order="6" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimEquals" ExecuteActionsIf="true">
<Value>authenticationSource</Value>
<Value>localAccountAuthentication</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="AAD-UserReadUsingObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
</ClaimsExchanges>

You can refer below document for more details on AAD-Common technical profile: Microsoft Entra technical profile in an Azure Active Directory B2C custom policy

I hope this information is helpful. Please feel free to reach out if you have any further questions.

Hamza Khalid 20 Reputation points

2025-03-17T09:56:33.5166667+00:00

@Akhilesh Vallamkonda since i'm creating federated user, not a local one, as the user looks like this when i fetch it:

{ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(id,displayName,mail,userPrincipalName,identities)/$entity", "id": //id hidden, "displayName": "Federated Gloratio User 2", "mail": "******@GloratioSIT.onmicrosoft.com", "userPrincipalName": "******@breexternaldevelopment.onmicrosoft.com", "identities": [ { "signInType": "federated", "issuer": "https://login.microsoftonline.com/fbda2dfd-9ef8-4022-a27b-8f68fa7f8fb5/v2.0", "issuerAssignedId": //issuer assigned id hidden }, { "signInType": "userPrincipalName", "issuer": "breexternaldevelopment.onmicrosoft.com", "issuerAssignedId": //issuer assigned id hidden } ] }

then why would we be using "AAD-UserReadUsingObjectId" instead, when for federated users, its supposed to check through alternativeSecurityId?

Share via

Default user flow is picking up Pre-Created B2C users but Custom Policy is not

1 answer

Your answer