3,286 questions
Entra External ID (CIAM) - External Idp via OpenID Connect that don't provide email claim
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 11%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAC%3C/text%3E%3C/svg%3E)
Andreas Crona
10
Reputation points
Hello.
I was wondering why Entra External ID CIAM doesn't collect the email from the sign-up step as it does with for example custom claims that I add manually. Email is a required field in Entra External ID CIAM but all providers that support OpenID Connect does not supply email as a claim. For example Swedish BankID. But the Open ID protocol is still valid from them in general terms with sub, issuer etc.
This in my opinion makes Entra External ID CIAM OpenID Connect option weak. Or am I doing someting seriously wrong? Entra should be smart enough to map this Idp with sub and issuer and collect the email in the sign-up form.
Prepopulate the user before sign-in with the Identity - federated and issuer + issuer assigned id is not a work around it seems because I still get the email missing in claims error when logging in after that with the federated method.
Microsoft Security | Microsoft Entra | Microsoft Entra External ID
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 82%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVD%3C/text%3E%3C/svg%3E)
Vigneshwar Duvva 2,300 Reputation points Microsoft External Staff Moderator2025-04-07T21:50:26.97+00:00 Hello Andreas Crona
Greetings!
I would like to check this up offline with you to understand the scenario better. Please share your contact details over private message and your availability for a call.
Thank you
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2025-04-10T12:04:31.4766667+00:00 Hello Andreas Crona
With Microsoft Entra External ID, the behavior of claims differs slightly from Azure AD B2C. By default, Entra External ID uses OpenID Connect (OIDC) or SAML for authentication and authorization, and the returned claims are based on how you've configured your user flows or custom policies. If you're using the default user flow and want to include the email claim in the token, you can follow these
Steps: IInclude Email Claim in the Token. In Entra External ID, the email claim isn't included by default in tokens unless configured. To include it:
Configure the Default User Flow or Custom Policy:
Go to the Azure portal. Navigate to Microsoft Entra ID > External Identities > User flows. Edit the user flow you're using (e.g., SignUpSignIn). Under the Claims section, ensure Email Address is checked. Save the changes.
Test the User Flow:
Run the user flow to verify that the email claim is included in the issued token.
Retrieve Email from SignInNames
For Entra External ID, the email address of a user is stored in the signInNames attribute. To return this attribute as a claim, you'll need to map it explicitly:
Edit Claim Transformation:
If using custom policies, you'll need to modify the XML file to include a claim mapping for signInNames.emailAddress.
Example (XML snippet):
HaskellCopy
<Save the custom policy and upload it to your tenant.
- Verify Claims in Token
Use a tool like jwt.ms to inspect the token issued after signing in. Look for the email claim in the payload.
Workarounds if Email is Missing
If the email still doesn’t appear in the token:
- Use Graph API to Fetch User Details: After sign-in, you can call the Microsoft Graph API to fetch the user's profile, including their mail or userPrincipalName attribute.
Example API call:
YAMLCopy
GETAuthorization: Bearer {access_token}
Ensure the token has the correct User.Read permission.
- Custom API Backend: If you control the backend that processes the token, you can enrich it by retrieving user details (email) and adding them as custom claims for downstream processing.
Summary
-For default user flows: Ensure Email Address is selected in the Claims section. -For custom policies: Map signInNames.emailAddress to an email claim. -As a fallback: Use Microsoft Graph API to retrieve email post-authentication.
Reference-oidc-claims-mapping-customers
How-to-custom-oidc-federation-customers
Openid-connect-external-identity-provider-support-public-preview -
Vigneshwar Duvva 2,300 Reputation points Microsoft External Staff Moderator
2025-04-11T16:51:22.4866667+00:00 Hello Andreas Crona
Good day!
I wanted to follow up to see if you’ve had a chance to review the comment provided by Sakshi Devkante.
I hope this information helps to you and let me know if you have any further questions, we will be happy to help you.
-
Vigneshwar Duvva 2,300 Reputation points Microsoft External Staff Moderator
2025-04-11T19:05:47.62+00:00 Hello Andreas Crona
Good day!
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 11%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
sachindave 35 Reputation points2025-04-16T07:46:43.5233333+00:00 Hi, @Vigneshwar Durva, I think you are missing the important point here. Email claims is required for the claims mapping when you are trying to add custom OIDC provider in Microsoft Entra External ID tenant. Why this is a required as some IDPs do not provide email claim as mentioned by Andreas. Can we write some script to generate custom email such as ******@externaldomainname.ciamlogin.com?
Sign in to comment
Sign in to answer