How can I return the email as claim

Patrick van Kleef 50 Reputation points
2024-11-27T09:57:37.8666667+00:00

I set up a basic signin flow which is using the default IdentityProvider (email with password). I can't find a way of returning the email as a claim after signing in?

I believe with Azure B2C you had to set up a custom policy to extract the data from the signinnames.emailaddress field and just return an email claim.

How can I do this with Entra External ID? If not, is there a work-around?


Accepted answer
  Marti Peig 970 Reputation points Microsoft Employee
    2024-11-30T20:50:10.9533333+00:00

    Hi Patrick,

    With Microsoft Entra External ID, the behavior of claims differs slightly from Azure AD B2C. By default, Entra External ID uses OpenID Connect (OIDC) or SAML for authentication and authorization, and the returned claims are based on how you've configured your user flows or custom policies. If you're using the default user flow and want to include the email claim in the token, you can follow these steps:

    Include Email Claim in the Token. In Entra External ID, the email claim isn't included by default in tokens unless configured. To include it:

    1. Configure the Default User Flow or Custom Policy:

    Go to the Azure portal. Navigate to Microsoft Entra ID > External Identities > User flows. Edit the user flow you're using (e.g., SignUpSignIn). Under the Claims section, ensure Email Address is checked. Save the changes.

    2. Test the User Flow:

    Run the user flow to verify that the email claim is included in the issued token.

    3. Retrieve Email from SignInNames

    For Entra External ID, the email address of a user is stored in the signInNames attribute. To return this attribute as a claim, you'll need to map it explicitly:

    Edit Claim Transformation:

    If using custom policies, you'll need to modify the XML file to include a claim mapping for signInNames.emailAddress.

    Example (XML snippet):

    <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" />
    

    Save the custom policy and upload it to your tenant.

    4. Verify Claims in Token

    Use a tool like jwt.ms to inspect the token issued after signing in. Look for the email claim in the payload.

    Workarounds if Email is Missing

    If the email still doesn’t appear in the token:

    1. Use Graph API to Fetch User Details: After sign-in, you can call the Microsoft Graph API to fetch the user's profile, including their mail or userPrincipalName attribute.

    Example API call:

    GET https://graph.microsoft.com/v1.0/me
    

    Authorization: Bearer {access_token}

    Ensure the token has the correct User.Read permission.

    2. Custom API Backend: If you control the backend that processes the token, you can enrich it by retrieving user details (email) and adding them as custom claims for downstream processing.

    Summary

    - For default user flows: Ensure Email Address is selected in the Claims section.
    - For custom policies: Map signInNames.emailAddress to an email claim.
    - As a fallback: Use Microsoft Graph API to retrieve email post-authentication.
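The claim-first, Graph-fallback flow the answer describes, as an added Python example that is not part of the answer or of any Microsoft SDK. `make_unsigned_jwt` builds constructed sample tokens, and the `fetch` parameter is a hypothetical hook so the `/me` call can be stubbed offline.

```python
"""Resolve a signed-in user's email from an Entra External ID id_token,
falling back to Microsoft Graph /me when the 'email' claim is absent."""
import base64
import json
import urllib.request
from typing import Callable, Optional

GRAPH_ME = "https://graph.microsoft.com/v1.0/me"  # the call quoted in the answer


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_payload(jwt: str) -> dict:
    """Decode a JWT payload for inspection, as jwt.ms does. This does NOT
    check the signature: validate issuer, audience and signature before
    trusting any claim in a real relying party."""
    return json.loads(_b64url_decode(jwt.split(".")[1]))

def email_from_claims(claims: dict) -> Optional[str]:
    """Return the 'email' claim when the user flow emitted it, else None."""
    value = claims.get("email")
    return value if isinstance(value, str) and value else None

def email_from_graph(access_token: str,
                     fetch: Optional[Callable[[str, dict], dict]] = None) -> Optional[str]:
    """Fallback from the answer: GET /me with a bearer token that carries
    User.Read, returning 'mail' or, failing that, 'userPrincipalName'.
    'fetch' is a hypothetical hook so the HTTP call can be stubbed offline."""
    if fetch is None:
        def fetch(url: str, headers: dict) -> dict:
            req = urllib.request.Request(url, headers=headers)
            with urllib.request.urlopen(req, timeout=10) as resp:
                return json.loads(resp.read())
    profile = fetch(GRAPH_ME, {"Authorization": f"Bearer {access_token}"})
    return profile.get("mail") or profile.get("userPrincipalName")

def resolve_email(id_token: str, access_token: str, fetch=None) -> Optional[str]:
    """Prefer the token's own claim; call Graph only when it is missing."""
    return email_from_claims(decode_payload(id_token)) or email_from_graph(access_token, fetch)

def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned sample token for local demos only."""
    def seg(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."
```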

