This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 24%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
When using a User Flow in Azure AD B2C, the token includes a claim called 'emails' that's an array. We have an application that expects 'email' (singular) instead. To handle that, I created an IEF custom policy using the starter pack from GitHub. I added the following line to the <OutputClaims> section of the SignUpOrSignin.xml file:
<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email"/>
That provided a claim called 'email' as a string, which is perfect. However, they also want the 'emails' claim in the token as well, to avoid changing any of their application code. How can I also add the 'emails' array to the token, like the old User Flow did?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 68%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKS%3C/text%3E%3C/svg%3E)
Hi @MJL,
Based on your query, here is my understanding: you would like to have 'email' and 'emails' as output claim for the application.
In order to achieve your end goal, you need to ensure you have provided othermails to the user using claims transformation. You must create the otherMails claim from the email claim using the CreateOtherMailsFromEmail claims transformation and then persist the otherMails claim in the AAD-UserWriteUsingLogonEmail technical profile.
Technical profile for CreateOtherMailsFromEmail: StringCollection claims transformations
<ClaimsTransformation Id="CreateOtherMailsFromEmail" TransformationMethod="AddItemToStringCollection">
<InputClaims>
<InputClaim ClaimTypeReferenceId="email" TransformationClaimType="item" />
<InputClaim ClaimTypeReferenceId="otherMails" TransformationClaimType="collection" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="otherMails" TransformationClaimType="collection" />
</OutputClaims>
</ClaimsTransformation>
Now you need to update this othermails as emails claim in all technical profile for interacting with a claim's provider as follows:
Here is the information on configuration of output claims in technical profiles: Microsoft Entra technical profile operations.
You can also use the following stack overflow thread as reference: Emails in claims as they have worked on the same end goal.
I hope this information is helpful. Please feel free to reach out if you have any further questions.
If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment".
Hi @MJL,
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Hi Kancharla,
Thank you for the information and links. I reviewed them and was able to modify three starter pack files to get the claims I need.
I updated the TrustFrameworkExtensions.xml to get both the email and otherMails attributes. I then updated the SignUpOrSignin.xml and ProfileEdit.xml files to emit those claims, performing a claims transformation on otherMails to emails.
Below are sanitized versions of the TrustFrameworkExtensions.xml and SignUpOrSignin.xml files:
TrustFrameworkExtensions.xml
<?xml version="1.0" encoding="utf-8" ?>
<TrustFrameworkPolicy
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
PolicySchemaVersion="0.3.0.0"
TenantId="YOUR-TENANT-NAME.onmicrosoft.com"
PolicyId="B2C_1A_TrustFrameworkExtensions"
PublicPolicyUri="http://YOUR-TENANT-NAME.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions">
<BasePolicy>
<TenantId>YOUR-TENANT-NAME.onmicrosoft.com</TenantId>
<PolicyId>B2C_1A_TrustFrameworkLocalization</PolicyId>
</BasePolicy>
<BuildingBlocks>
<ClaimsSchema>
<ClaimType Id="otherMails">
<DisplayName>Alternate Email Addresses</DisplayName>
<DataType>stringCollection</DataType>
<DefaultPartnerClaimTypes>
<Protocol Name="OAuth2" PartnerClaimType="emails" />
</DefaultPartnerClaimTypes>
<UserHelpText>Email addresses that can be used to contact the user.</UserHelpText>
</ClaimType>
</ClaimsSchema>
<ClaimsTransformations>
<ClaimsTransformation Id="CreateOtherMailsFromEmail" TransformationMethod="AddItemToStringCollection">
<InputClaims>
<InputClaim ClaimTypeReferenceId="email" TransformationClaimType="item" />
<InputClaim ClaimTypeReferenceId="otherMails" TransformationClaimType="collection" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="otherMails" TransformationClaimType="collection" />
</OutputClaims>
</ClaimsTransformation>
</ClaimsTransformations>
</BuildingBlocks>
<ClaimsProviders>
<ClaimsProvider>
<DisplayName>Local Account SignIn</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="login-NonInteractive">
<Metadata>
<Item Key="client_id">11111111-2222-3333-4444-555555555555</Item>
<Item Key="IdTokenAudience">aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</Item>
</Metadata>
<InputClaims>
<InputClaim ClaimTypeReferenceId="client_id" DefaultValue="11111111-2222-3333-4444-555555555555" />
<InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" />
</InputClaims>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
<ClaimsProvider>
<DisplayName>Azure Active Directory</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="AAD-UserReadUsingObjectId">
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" />
<OutputClaim ClaimTypeReferenceId="otherMails" />
</OutputClaims>
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="CreateOtherMailsFromEmail" />
</OutputClaimsTransformations>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
</ClaimsProviders>
<!-- UserJourneys>
</UserJourneys -->
</TrustFrameworkPolicy>
SignUpOrSignin.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TrustFrameworkPolicy
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
PolicySchemaVersion="0.3.0.0"
TenantId="YOUR-TENANT-NAME.onmicrosoft.com"
PolicyId="B2C_1A_SignUp_SignIn"
PublicPolicyUri="http://YOUR-TENANT-NAME.onmicrosoft.com/B2C_1A_SignUp_SignIn">
<BasePolicy>
<TenantId>YOUR-TENANT-NAME.onmicrosoft.com</TenantId>
<PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
</BasePolicy>
<RelyingParty>
<DefaultUserJourney ReferenceId="SignUpOrSignIn" />
<Endpoints>
<!--points to refresh token journey when app makes refresh token request-->
<Endpoint Id="Token" UserJourneyReferenceId="RedeemRefreshToken" />
</Endpoints>
<TechnicalProfile Id="PolicyProfile">
<DisplayName>PolicyProfile</DisplayName>
<Protocol Name="OpenIdConnect" />
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="displayName" />
<OutputClaim ClaimTypeReferenceId="givenName" />
<OutputClaim ClaimTypeReferenceId="surname" />
<OutputClaim ClaimTypeReferenceId="email" />
<OutputClaim ClaimTypeReferenceId="otherMails" PartnerClaimType="emails"/>
<OutputClaim ClaimTypeReferenceId="objectID" />
<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
<OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
</OutputClaims>
<SubjectNamingInfo ClaimType="sub" />
</TechnicalProfile>
</RelyingParty>
</TrustFrameworkPolicy>
Thanks for your help!
When testing the Profile Edit flow, only the First Name and Last Name fields are displayed on the page. However, I also need users to be able to edit their Display Name, Job Title, Street Address, City, State, Postal Code, and Country fields.
From what I understand, User Flows created in the Azure portal automatically render these fields if they are enabled. But when using a custom policy, only First Name and Last Name appear by default.
I believe this means I need to create a custom HTML/CSS page to render the additional fields. My questions are:
How do I configure my ProfileEdit.xml (or TrustFrameworkExtensions.xml) to bind all of those additional <InputClaim> and <OutputClaim> IDs so the new fields are populated and editable?
Do I need to modify the SelfAsserted-LocalAccountProfileUpdate technical profile, or should I point it to a new ContentDefinition and page layout?
Are there any examples of a custom Self-Asserted Profile Edit page that supports these additional standard fields?
I've tried several versions of a ProfileEdit.xml page and can't upload any of them due to various errors, so thanks for any help!
Hi @MJL,
Based on your query, I would recommend you use api.selfasserted.profileupdate for your profileedit policy. Here is the sample available for your localization:
<LocalizedResources Id="api.selfasserted.profileupdate.en">
<LocalizedStrings>
<LocalizedString ElementType="ClaimType" ElementId="displayName" StringId="DisplayName">Display Name</LocalizedString>
<LocalizedString ElementType="ClaimType" ElementId="displayName" StringId="UserHelpText">Your display name.</LocalizedString>
<LocalizedString ElementType="ClaimType" ElementId="surname" StringId="DisplayName">Surname</LocalizedString>
<LocalizedString ElementType="ClaimType" ElementId="surname" StringId="UserHelpText">Your surname (also known as family name or last name).</LocalizedString>
<LocalizedString ElementType="ClaimType" ElementId="givenName" StringId="DisplayName">Given Name</LocalizedString>
<LocalizedString ElementType="ClaimType" ElementId="givenName" StringId="UserHelpText">Your given name (also known as first name).</LocalizedString>
<LocalizedString ElementType="UxElement" StringId="button_continue">Continue</LocalizedString>
<LocalizedString ElementType="UxElement" StringId="button_cancel">Cancel</LocalizedString>
</LocalizedStrings>
</LocalizedResources>
Here is the GitHub you can use as reference: Starter PackI hope this information is helpful. Please feel free to reach out if you have any further questions.