
No longer obtaining email claim #16566

Closed
mada360 opened this issue Oct 10, 2018 — with docs.microsoft.com · 14 comments

Comments


mada360 commented Oct 10, 2018

Previously I had implemented these custom policies to allow for multi-tenant sign on and I was able to obtain the email address for the user but since the move to using the b2clogin domain I am now unable to obtain the email address in the token returned and there is no record of the email address against the user when looking at the user dashboard within the Azure AD B2C blade.

Another difference is that the username for a multi-tenant user used to reflect the sts.windows.net/ as the username, I feel this has now been moved to the source associated with the user, but I'm wondering if this is related to the same issue as above.

With the move to the b2clogin domain, is it now expected that a separate call be made to Microsoft Graph to obtain the extra details for the user? If so, is it possible to map the email of a user to be returned as a claim within the token?

Within my trial and error, I have also allowed for full permissions for the Azure AD B2C App to ensure that the email claim had not become more protected, as I understand that the B2C environment is constantly changing.

Thanks for any help with this issue.



MarileeTurscak-MSFT (Contributor) commented

@mada360
Thanks for your feedback! We will investigate and update as appropriate.

MarileeTurscak-MSFT (Contributor) commented

Hi @mada360 ,
I hate to direct you elsewhere but for these types of troubleshooting issues it is better to post in the Azure Active Directory forum. Can you please post this same thread and document link here and we can better assist? https://social.msdn.microsoft.com/Forums/en-US/home?forum=WindowsAzureAD

MarileeTurscak-MSFT (Contributor) commented

Closing this out for now but I'll be happy to keep track of this issue in the comments and ensure that your question gets resolved.


@mada360 were you able to resolve this?


ntdung commented Dec 8, 2018

I've just resolved this problem by adding OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="unique_name" to the OutputClaims of the ClaimsProvider instead of OutputClaim ClaimTypeReferenceId="email".
And adding OutputClaim ClaimTypeReferenceId="email" to the OutputClaims of the SignUpSignIn policy.
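The two changes described above, as an added example that is not code from this thread or from Microsoft's sample policies: the multi-tenant Azure AD claims provider's technical profile maps the home tenant's unique_name into B2C's email claim, and the relying-party profile emits that claim. The TechnicalProfile Id, client_id, key reference and journey name are placeholders, the Metadata items follow the documented OpenIdConnect technical-profile keys, and the issuer prefix is an assumption to check against the iss value in your own tokens.

```xml
<!-- Constructed example, not from the thread. Fragment 1 belongs in
     TrustFrameworkExtensions.xml, fragment 2 in the relying-party policy file. -->

<!-- 1. Claims provider for multi-tenant Azure AD (v1 endpoint, placeholder Ids). -->
<ClaimsProvider>
  <Domain>commonaad</Domain>
  <DisplayName>Multi-tenant Azure AD</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="AADCommon-OpenIdConnect">
      <DisplayName>Multi-tenant Azure AD</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <Metadata>
        <Item Key="METADATA">https://login.microsoftonline.com/common/.well-known/openid-configuration</Item>
        <!-- With the "common" endpoint the issuer differs per tenant; restrict accepted
             issuers by prefix (assumed value, verify against your tokens' iss claim). -->
        <Item Key="ValidTokenIssuerPrefixes">https://sts.windows.net/</Item>
        <Item Key="client_id">00000000-0000-0000-0000-000000000000</Item> <!-- placeholder -->
        <Item Key="response_types">code</Item>
        <Item Key="scope">openid profile</Item>
        <Item Key="response_mode">form_post</Item>
        <Item Key="HttpBinding">POST</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_AADAppSecret" /> <!-- placeholder -->
      </CryptographicKeys>
      <OutputClaims>
        <!-- Stable identifiers come from oid/tid (starter-pack claim types assumed);
             unique_name is the UPN the home tenant asserts and only feeds the email claim. -->
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid" />
        <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="unique_name" />
      </OutputClaims>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<!-- 2. Relying party: emit email alongside the subject in the issued token. -->
<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
      <OutputClaim ClaimTypeReferenceId="email" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>
```

Keep objectId as the subject and treat the mapped email as a display value only; a relying party that keys accounts on it trusts whatever the home tenant puts in unique_name.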


lexios commented Nov 12, 2019

Having the same issue. No email claim in token on multi tenant. I have also raised a case with Azure support. It's definitely a bug or problem.

@CodyMorris

Is there a resolution for this


iliassk commented Jun 19, 2020

I've wasted days on this. Why it is so difficult to get the email in our id_token claims is beyond me!
I've managed to collect it on signup, but it's never returned on signin. Can someone please help?

This is my PolicyProfile:

    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="givenName" />
        <OutputClaim ClaimTypeReferenceId="surname" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email"/>
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
        <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>

Thank you!


CodyMorris commented Jun 19, 2020

@iliassk I'm not on the Microsoft team but I can try to help. When you inspect the token on jwt.ms, do you see the claims there after signin?

My first thought is that you need to also include email as a PersistedClaim.

If you're seeing it in the token on jwt.ms but it's not in the claims when you examine the token in your backend application, make sure you have an SSO reflector that ensures the claim is maintained in an SSO session.


iliassk commented Jun 20, 2020

Hey @CodyMorris! Thank you. I managed to find a solution by using this instead:

<OutputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="email"/>

I don't get why it is so difficult to retrieve the email claim from the id_token. It seems that the only way is using Identity Experience Framework's custom policies.
Doing that automatically adds more complexity. With IEF's policies we don't even have the country claim (nor 80% of the built-in user-flows policies' attributes). We need to implement them in xml by ourselves.

And I just found out that we can't get RBAC or retrieve user roles in the token either: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/10123836-get-user-membership-groups-in-the-claims-with-ad-b
I don't understand why such a popular solution is lacking such important and popular features. If it wasn't designed for this, what other Azure AD solution is?


CodyMorris commented Jun 23, 2020

@iliassk for getting group claims from Azure AD, we use the Graph API in our actual application. For other IdPs we return it in a custom attribute and ingest it with B2C IEF.

And yes, it's a nightmare and I'm not sure why.


nero120 commented Jan 21, 2021

Also amazed at this and the fact the issue was closed! Our application allows users to plug in any OpenID Connect provider yet it was not working with Azure B2C, and this is the reason. The email claim is a standard OpenID Connect claim. The fact that you can't select this as a return claim from the list means that Azure B2C does not comply with the OpenID Connect protocol.

@MarileeTurscak-MSFT this is a bug. Fix it please Microsoft.

@weimarcoro

Is anyone also having the same problem but with Azure AD B2C? In my case the email is not returned.


stanhu commented Apr 27, 2021

Yes, right now it seems the only workaround is to use a custom policy to export email. We published our instructions here: https://docs.gitlab.com/ee/administration/auth/oidc.html#microsoft-azure-active-directory-b2c
