UPN different between Graph API and Azure Portal

Benoit Hoffman 51 Reputation points

I am using an AD B2C with applications that can receive connections from both a trusted AD or local accounts.

The UPNs I see in the Azure Portal (for both local and external accounts) are classical email addresses, while the UPN I receive from the Graph API looks something like 085eeb3d-9f34-4a5e-b801-0248e72a4587@B2CTenantName.onmicrosoft.com. I am aware the reason is that B2C needs such an identifier to make sure they are unique even if someone has 2 accounts with the same UPN in both the local AD B2C and the trusted AD.

My question is, how do I retrieve the UPN that is actually displayed in the Azure Portal? I don't care if I can get duplicates in my business, but I truly need to get that human-readable UPN since it's the only claim I can trust.

If that helps, I am using the Graph client in .NET 5.


Accepted answer
  1. AmanpreetSingh-MSFT 55,541 Reputation points

    Hi @Benoit Hoffman • Unfortunately, the username is not stored in the B2C directory by default for users who sign up using a federated IDP. Refer to the screenshot below for a user I signed up via a federated IDP; notice the empty user principal name:


    In this case, if you want to store the UPN of the users, you may consider creating a custom attribute like "extension_upn" and configuring your signup policy to auto-populate the value of this attribute from the preferred_username claim in the token during the claims exchange with the federated IDP at signup, by adding the output claim below to the technical profile of the federated IDP.

       <OutputClaim ClaimTypeReferenceId="extension_upn" PartnerClaimType="preferred_username" />  

    Note: preferred_username is the claim name used by Azure AD for the UPN. Other IDPs may use a different name.

    Refer to Add user attributes and customize user input in Azure Active Directory B2C for more details and don't forget to read the important note.

    See this in action:
    Go to https://b2c.cloud365.in, click on the Azure AD button and sign in with your Azure AD user account. Notice your UPN will be pre-populated in the extension_upn field.

    For users who have already signed up, this needs to be updated by using the profile editing flow.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


2 additional answers

  1. Kunal Gautam 0 Reputation points

    Hello @AmanpreetSingh-MSFT

    I have a value in user principal name but I am not able to get it with the parameter userPrincipalName.

    Instead I am getting this: cpim_xxxxxxxxxxxxxxxxxxxxxxxx@xxxxxxxxx.onmicrosoft.com

    Can you please assist with which parameter is for this? I haven't created a custom parameter for this.


  2. Giel Oomen 16 Reputation points

    I found this super confusing as well. I had been filtering for quite some time on UPN but constantly got no results while the HTTP response was 200. I kept checking back in the portal to make sure the e-mail used in my query was right.

    And indeed, it now appears to be the case that when I filter on just the name, the API returns a completely different UPN compared to what it shows in the portal...

    But fine, the issue is now clear. However, I still want to be able to query users based on e-mail address. I only allow e-mail sign-up without a custom policy, so duplicates are impossible, and even if there were dupes it wouldn't matter. My goal is to query based on an e-mail address to find a person and then get their token to use in other operations. How should this be achieved?

    The endpoint below does not work either.

    $filter=identities/any(i:i/issuerAssignedId eq '{email}' and i/signInType eq 'emailAddress')
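As an added example (not code from the original question or any of the answers), the Python below builds the identities lookup in the form Graph documents for local accounts (issuerAssignedId paired with the issuer rather than with signInType) and pulls the human-readable identifier out of a constructed /users response: the email identity for local accounts, and the custom attribute from the accepted answer for federated users, where identities only carry the IdP subject. The tenant domain, the extension attribute's application id and every sample value are placeholders.

```python
from typing import Dict, Optional
from urllib.parse import quote, urlencode

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"
# Hypothetical: a B2C custom attribute "upn" surfaces in Graph as
# extension_<b2c-extensions-app id without dashes>_upn; substitute your id.
EXT_UPN = "extension_00000000000000000000000000000000_upn"
TENANT = "contosob2c.onmicrosoft.com"  # placeholder B2C tenant domain

def lookup_filter(email: str, issuer: str = TENANT) -> str:
    """Filter form Graph documents for local accounts: issuerAssignedId is
    paired with the issuer (the B2C tenant domain), not with signInType."""
    literal = email.replace("'", "''")  # OData doubles quotes in literals
    return (f"identities/any(c:c/issuerAssignedId eq '{literal}' "
            f"and c/issuer eq '{issuer}')")

def build_lookup_url(email: str, issuer: str = TENANT) -> str:
    """Full request URL, percent-encoded with %20 rather than '+'."""
    params = {"$filter": lookup_filter(email, issuer),
              "$select": f"id,userPrincipalName,identities,{EXT_UPN}"}
    return f"{GRAPH_USERS}?{urlencode(params, quote_via=quote)}"

def readable_id(user: dict) -> Optional[str]:
    """The identifier the portal shows instead of the GUID-style UPN."""
    for ident in user.get("identities", []):
        if ident.get("signInType") == "emailAddress":
            return ident["issuerAssignedId"]
    # Federated users carry only the IdP subject in identities, so fall back
    # to the custom attribute populated at sign-up (None if never set).
    return user.get(EXT_UPN)

def readable_ids(response: dict) -> Dict[str, Optional[str]]:
    return {u["id"]: readable_id(u) for u in response.get("value", [])}

# Constructed sample of a /users response; every value is a placeholder.
AAD_ISSUER = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
SAMPLE = {"value": [
    {"id": "u1", "userPrincipalName": f"085eeb3d-9f34-4a5e-b801-0248e72a4587@{TENANT}",
     "identities": [{"signInType": "emailAddress", "issuer": TENANT,
                     "issuerAssignedId": "alice@example.com"}]},
    {"id": "u2", "userPrincipalName": f"cpim_placeholder1@{TENANT}",
     "identities": [{"signInType": "federated", "issuer": AAD_ISSUER,
                     "issuerAssignedId": "opaque-subject-1"}],
     EXT_UPN: "bob@corp.example"},
    {"id": "u3", "userPrincipalName": f"cpim_placeholder2@{TENANT}",
     "identities": [{"signInType": "federated", "issuer": AAD_ISSUER,
                     "issuerAssignedId": "opaque-subject-2"}]},
]}
```

`readable_ids(SAMPLE)` yields the email for the local account, the custom attribute for the federated user who signed up after the policy change, and None for the federated user it was never populated for, which is the case the accepted answer says needs the profile editing flow.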