This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(307.2, 33%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESD%3C/text%3E%3C/svg%3E)
In Azure AD B2C I want to add an custom attribute called companyName for each user account and I'm using custom policies.
I referred following documentations:
Then added the user attribute in my AAD B2C instance via the portal:
Then defined a claim in TrustFrameworkExtensions.xml as below:
<ClaimType Id="extension_companyName">
<DisplayName>Company</DisplayName>
<DataType>string</DataType>
<UserHelpText>Please provide the name of your company</UserHelpText>
<UserInputType>TextBox</UserInputType>
</ClaimType>
Then in the same extension file added following claim providers. (Please note that actual ClientId and ApplicationObjectId are removed here)
<ClaimsProviders>
<ClaimsProvider>
<DisplayName>Azure Active Directory</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="AAD-Common">
<Metadata>
<!--Insert b2c-extensions-app application ID here, for example: 11111111-1111-1111-1111-111111111111-->
<Item Key="ClientId">11111111-1111-1111-1111-111111111111</Item>
<!--Insert b2c-extensions-app application ObjectId here, for example: 22222222-2222-2222-2222-222222222222-->
<Item Key="ApplicationObjectId">22222222-2222-2222-2222-222222222222</Item>
</Metadata>
</TechnicalProfile>
<!-- Write data during a federated account first-time sign-in flow. -->
<TechnicalProfile Id="AAD-UserWriteUsingAlternativeSecurityId">
<PersistedClaims>
<PersistedClaim ClaimTypeReferenceId="extension_companyName" DefaultValue="unknown" />
</PersistedClaims>
</TechnicalProfile>
<!-- Write data during edit profile flow. -->
<TechnicalProfile Id="AAD-UserWriteProfileUsingObjectId">
<PersistedClaims>
<PersistedClaim ClaimTypeReferenceId="extension_companyName" DefaultValue="unknown"/>
</PersistedClaims>
</TechnicalProfile>
<!-- Read data after user authenticates with a federated account. -->
<TechnicalProfile Id="AAD-UserReadUsingObjectId">
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="extension_companyName" DefaultValue="unknown"/>
</OutputClaims>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
<ClaimsProvider>
<DisplayName>Self Asserted</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="SelfAsserted-Social">
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="extension_companyName"/>
</OutputClaims>
</TechnicalProfile>
<TechnicalProfile Id="SelfAsserted-ProfileUpdate">
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="extension_companyName"/>
</OutputClaims>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
</ClaimsProviders>
Then RelyingParty is as follow:
<RelyingParty>
<DefaultUserJourney ReferenceId="SignUpOrSignIn" />
<TechnicalProfile Id="PolicyProfile">
<DisplayName>PolicyProfile</DisplayName>
<Protocol Name="OpenIdConnect" />
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="displayName" />
<OutputClaim ClaimTypeReferenceId="givenName" />
<OutputClaim ClaimTypeReferenceId="surname" />
<OutputClaim ClaimTypeReferenceId="email" />
<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
<OutputClaim ClaimTypeReferenceId="identityProvider" />
<OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
<OutputClaim ClaimTypeReferenceId="extension_companyName" DefaultValue="unknown-from-RP" />
</OutputClaims>
<SubjectNamingInfo ClaimType="sub" />
</TechnicalProfile>
</RelyingParty>
For the time being I'm using Google to authenticate users. When user is login for the first time(sign up), id_token contains the extension_companyName attribute and it contains the value provided by the user.
But when that use login for the next time, value of the extension_companyName attribute is unknown-from-RP. Which is the value I have mentioned as the DefaultValue in RelyingParty. But ideally it should be the value provided by the user during the signup. Could you help me to get this work? :)
Hi @Anonymous · Thank you for reaching out.
You need to first extend Azure AD schema of the B2C tenant with extension_companyName attribute using b2c-extensions-app. The document you are referring to, is with example of City attribute, which is by default present in Azure AD Schema.
Please follow below steps to extend the Azure AD Schema of your B2C tenant with companyName attribute:
Optionally, to verify if the attribute is created in the directory and a value can be populated in the attribute, follow below steps. These steps are not needed in your case as the attribute value will be populated
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information provided helped you. This will help us and others in the community as well.
hi @AmanpreetSingh-MSFT thank you very much for your prompt response.
I will check this and get back.
I think this: https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-flow-custom-attributes?pivots=b2c-custom-policy documentation explains about those extension attrbiutes. and under the Create a custom attribute it has mentioned attribute creations via portal. But this documentation missing these Graph Explorer specific steps.
That is bit confusing. :)
Maybe after I verify this, I'll create a PR for the documentation with those steps.
Cheers!!
hi @AmanpreetSingh-MSFT I tried this and I get an HTTP 404 error with following message (I just masked the ObjectId here):
"code": "Request_ResourceNotFound",
"message": "Resource 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' does not exist or one of its queried reference-property objects are not present.",
what I might be doing wrong here?
Cheers!
@Anonymous · Please make sure that:
@Anonymous · Have you had a chance to test it out?
hi @AmanpreetSingh-MSFT sorry I was working on something else and I started to work on this again. I was able to create the custom attribute as you have mentioned. but the my original question remains the same. that value is not getting added to id_token. When user sign up for the first time, then the value user provided is there in the id_token.
But when user sign out and sign in again, the value given by user is not in the id_token. Instead value is unknown-from-RP which is the default value set in OutputClaim in above RelyingParty file.
When I query the user via Graph API the value given by the user (during the sign up) is there. So I don't think there is a persistence issue.
Anything that I'm doing wrong here?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 25%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESN%3C/text%3E%3C/svg%3E)
I tried to use follow this article and I get the below error.
I granted permissions as described in the article above. What other rights needed?
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2023-09-18T21:11:37",
"request-id": "3a7a4a94-e332-4806-8018-aea592d567c1",
"client-request-id": "c653e2c9-c99c-a864-d755-7a514c5e4aaf"
}
}
}
I am answering my own question. It turns out to be, default login is going to main tenant and I need to login with a user id that is part of B2C tenant only. With that, I am able to successfully complete. Thanks
I was able to fix this by adding following TechnicalProfile.
<TechnicalProfile Id="AAD-UserReadUsingAlternativeSecurityId">
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="extension_companyName" DefaultValue="unknown-AAD-UserReadUsingAlternativeSecurityId" />
</OutputClaims>
</TechnicalProfile>