This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 35%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAR%3C/text%3E%3C/svg%3E)
Hey guys, I am having a hard time trying to delete the signInNames.emailAddress attribute from a federated user using custom policies. I've already tried to remove it by using a technical profile to update the signInNames.emailAddress with a null claim, I've tried to use the DeleteClaims technical profile and the only method I could find to delete it was through the GraphAPI. However, I am not considering this as a solution since I want to delete it from my Custom Policy. Could anyone help, please?
Just to give it more context... Initially, this user is created through GraphAPI as a local user having the signInNames.emailAddress attribute filled. I have a custom policy responsible for merging this pre-registered local user to a federated one and in order to maintain this user as only federated, I would like to remove the signInNames.emailAddress to prevent this user to be able to login using an email and password.
Thanks in advance.
Hello @Alvaro Roberto
Thanks for your time and patience on this. Please be informed that I am researching on this and will get back to you with progress. Do let me know if you have anything to add on in comments section.
Thanks,
Akshay Kaushik
Hello @Alvaro Roberto ,
Hope you got a chance to review the answer posted below. Please do let me know if you have any further queries in the comments section. If not, then please "Accept the answer", "Upvote" and rate your experience if the suggestion works as per your business need. This will help us and others in the community as well.
Thanks,
Akshay Kaushik
Hello @Alvaro Roberto ,
Ref example:
<TechnicalProfile Id="AAD-UserWriteUsingLogonEmail">
<Metadata>
<Item Key="Operation">Write</Item>
<Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">true</Item>
<Item Key="AllowGenerationOfClaimsWithNullValues">true</Item> <!-- ***Allow to generate a claim with null value***. . -->
</Metadata>
<IncludeInSso>false</IncludeInSso>
<InputClaims>
<InputClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" Required="true" />
</InputClaims>
<PersistedClaims>
<!-- Required claims -->
<PersistedClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" />
<PersistedClaim ClaimTypeReferenceId="newPassword" PartnerClaimType="password" />
<PersistedClaim ClaimTypeReferenceId="displayName" DefaultValue="unknown" />
<PersistedClaim ClaimTypeReferenceId="passwordPolicies" DefaultValue="DisablePasswordExpiration" />
<PersistedClaim ClaimTypeReferenceId="Verified.strongAuthenticationPhoneNumber" PartnerClaimType="strongAuthenticationPhoneNumber" />
<!-- Optional claims. -->
<PersistedClaim ClaimTypeReferenceId="givenName" />
<PersistedClaim ClaimTypeReferenceId="surname" />
</PersistedClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="objectId" />
<OutputClaim ClaimTypeReferenceId="newUser" PartnerClaimType="newClaimsPrincipalCreated" />
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />
<OutputClaim ClaimTypeReferenceId="userPrincipalName" />
<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" />
</OutputClaims>
<IncludeTechnicalProfile ReferenceId="AAD-Common" />
<UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>
Thanks,
Akshay Kaushik
Please "Accept the answer" ,"Upvote" and rate your experience if the suggestion works as per your business need. This will help us and others in the community as well.
Hey @Akshay-MSFT ,
I've tested with the mentioned metadata but it didn't work. I've tried passing null and an empty default value for the signInNames.emailAddress to be persisted but neither worked. As I said in the question, with Microsoft GraphAPI I could list the user identities, filter them, and persist it without problems.
Are there any other steps I could do to accomplish this signInNames.emailAddress deletion for federated users? Are there any working examples with the same scenario as I have?
Thanks and sorry for the belated answer.
Alvaro.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 4%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMR%3C/text%3E%3C/svg%3E)
Hey @Alvaro Roberto
I had the same issue and this one solved the problem. First of all I've tried to use DeleteClaims operation but it's not working in case of signInNames. You can delete identities from signInNames if you make an update without value. I know it's kinda silly solution but this is the only way how I was able to manage it.
Here is an example:
<!--Sample: Remove the signInNames.emailAddress to remove user identity -->
<TechnicalProfile Id="AAD-UserRemoveSignInNamesEmailAddress">
<Metadata>
<Item Key="Operation">Write</Item>
<Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">false</Item>
<Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
</Metadata>
<InputClaims>
<InputClaim ClaimTypeReferenceId="objectId" Required="true" />
</InputClaims>
<PersistedClaims>
<PersistedClaim ClaimTypeReferenceId="objectId" />
<PersistedClaim ClaimTypeReferenceId="userCurrentSignInUserName" PartnerClaimType="signInNames.userName" />
<!-- Any other local identity except signInNames.emailAddress-->
</PersistedClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="objectId" />
</OutputClaims>
<IncludeTechnicalProfile ReferenceId="AAD-Common" />
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
<!--Sample: Reads local accoutn's userIdentities attribute to userIdentities claim-->
<TechnicalProfile Id="AAD-UserReadUsingObjectId">
<Metadata>
<Item Key="api-version">1.6</Item>
</Metadata>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="userCurrentSignInUserName" PartnerClaimType="signInNames.userName" />
<OutputClaim ClaimTypeReferenceId="userCurrentSignInEmailAddress" PartnerClaimType="signInNames.emailAddress" />
<!-- Any other local identity -->
</OutputClaims>
<OutputClaimsTransformations>
<!-- Sample: Get the list of issuers user has registered -->
<OutputClaimsTransformation ReferenceId="ExtractIssuers" />
<!-- Sample: Get the list of issuers user has registered used to show the unlink technical profiles -->
<OutputClaimsTransformation ReferenceId="ExtractIssuersToUnlinkForLocalAccount" />
</OutputClaimsTransformations>
</TechnicalProfile>
<!--OrchestrationSteps -->
<!-- Read signInNames values then update all of them except the one that you want to remove -->
<OrchestrationStep Order="*" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="AADUserReadUsingObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="*+1" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="AADUserRemoveSignInNamesEmailAddress" TechnicalProfileReferenceId="AAD-UserRemoveSignInNamesEmailAddress" />
</ClaimsExchanges>
</OrchestrationStep>