B2C Custom Policy Claims "emails" and "email"

Syed Palayathar 486 Reputation points
2021-03-24T10:20:20.913+00:00

Dear Team

I have created a B2C tenant to facilitate our customers accessing our Dynamics 365 portal. This works well if I use user flows for local users, google, facebook, etc.

However, unfortunately, I have to use custom policies for enabling Azure AD multi-tenant with B2C. I have created custom policies for both Azure AD and google tenant following guides provided here.

The flow is working well, i.e. if I click the "Run now" endpoint link of the custom flow in an existing browser session [logged in with an Azure AD credential or Google credential], the user journeys work as they should. I can register an account with B2C, change the password, etc.

However, the claims in the token [issued by B2C] do not map to the attribute that Dynamics 365 expects in order to match the B2C user to contacts in the portal app [Dynamics 365].

In order to test whether this has something to do with the claims in the token, I created a user flow for the Google IdP and a local account [B2C]. This user flow works fantastically, i.e. it maps the B2C email to contacts in the portal app [Dynamics 365]. So I thought this could be an issue with the claims in the token.

I have published tokens from the Google IdP [user flow and custom policy] here for your reference. The only difference between these tokens that may correspond to the user mapping [in my opinion] is between the claims "emails" [user flow] and "email" [custom policy], apart from "tfp" and "acr".

Could you tell me how to change the email claim in the user policy to emails?
Also, in order to make custom policies work with Dynamics 365 portal apps, do I have to change from "acr" to "tfp"?

[attached screenshots: googletokenuserflow.png, googletokencustom.png]


Accepted answer
  1. Syed Palayathar 486 Reputation points
    2021-03-25T17:22:48.877+00:00

    I figured it out. Though it didn't resolve my original issue, I managed to add the "emails" collection claim to the token issued by the custom policy.

    To add the "emails" collection claim to a token, I did the following in the custom policy.

    Added this to Claims Providers --> Technical Profiles --> Output Claims [in TrustFrameworkExtensions.xml]:

    <OutputClaim ClaimTypeReferenceId="othermails" />

    and then in the SignUpOrSignin policy, added the following:

    <OutputClaim ClaimTypeReferenceId="otherMails" PartnerClaimType="emails" />

    Regards


2 additional answers

  1. Guy Elsmore-Paddock 6 Reputation points
    2021-07-21T14:11:28.913+00:00

    Depending upon which TrustFrameworkBase.xml file you started from (since they vary by sample), and depending upon whether you just want the email the user is using to log in vs. all of their email addresses, another option can be to add the following to the RelyingParty section of the user journey:

    <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email"/>

    Which claims are available for you to reference depends on which OutputClaims are defined in the AAD-UserReadUsingEmailAddress technical profile of TrustFrameworkBase.xml.

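As an added example (not code from either answer above, nor from Microsoft's starter pack), here are the two fragments from the accepted answer and from Guy's answer placed in context: the extension-file override that reads the stored otherMails collection into the claims bag, and the relying-party profile that emits it as the "emails" array the user-flow token carries, next to the scalar "email" taken from signInNames.emailAddress. It assumes the starter-pack technical profile Id AAD-UserReadUsingObjectId, the claims provider display name "Azure Active Directory" and the journey name SignUpOrSignIn, none of which the thread names.

```xml
<!-- TrustFrameworkExtensions.xml: override the starter-pack read profile so the
     stored otherMails collection (a stringCollection claim in the base policy)
     is available to the journey. Profile Id is an assumption, see lead-in. -->
<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Azure Active Directory</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="AAD-UserReadUsingObjectId">
        <OutputClaims>
          <!-- the single line the accepted answer adds -->
          <OutputClaim ClaimTypeReferenceId="otherMails" />
        </OutputClaims>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>

<!-- SignUpOrSignin.xml: rename claims only at the token boundary, via
     PartnerClaimType, so the internal claim names stay unchanged. -->
<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
      <!-- collection -> "emails": [ ... ], what user-flow tokens emit -->
      <OutputClaim ClaimTypeReferenceId="otherMails" PartnerClaimType="emails" />
      <!-- scalar -> "email": the address the local account signs in with -->
      <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email" />
      <OutputClaim ClaimTypeReferenceId="identityProvider" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>
```

In the starter pack, local-account sign-up stores the address in signInNames.emailAddress rather than otherMails, so for local accounts "emails" can come back empty while "email" is populated, which is worth checking before relying on either claim for the contact match. Since the portal links contacts on these values, emit only addresses B2C itself stored from the identity provider or verified at sign-up, not a claim the user can edit freely.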

  2. Alok Aswal 1 Reputation point
    2022-12-16T21:02:34.02+00:00

    This doesn't work; can anyone explain the full steps with a custom policy?
