Return emails on custom policies

Question

I'm using custom policies and I saw that the field "emails" that exists in built-in policies but doesn't exist in custom policies. There is a claim named otherMails instead.

• I want to return an emails claim in my tokens with a list of user emails.
• I want that claim on my signup/sign-in and password reset policies.

I'm using the custom policies in the starter pack. But I don't know which TechnicalProfiles should I change. I tried a few things but it doesn't work.

Thanks in advance!

Answer 1

When writing a local account: You must create the "otherMails" claim from the "email" claim using the "CreateOtherMailsFromEmail" claims transformation and then persist the "otherMails" claim in the "AAD-UserWriteUsingLogonEmail" technical profile:

<TechnicalProfile Id="AAD-UserWriteUsingLogonEmail">
  ...
  <IncludeInSso>false</IncludeInSso>
  <InputClaimsTransformations>
    <InputClaimsTransformation ReferenceId="CreateOtherMailsFromEmail" />
  </InputClaimsTransformations>
  <InputClaims>
    ...
  </InputClaims>
  <PersistedClaims>
    ...
    <PersistedClaim ClaimTypeReferenceId="otherMails" />
  </PersistedClaims>
  <OutputClaims>
    ...
    <OutputClaim ClaimTypeReferenceId="otherMails" />
  </OutputClaims>
  ...
</TechnicalProfile>

You must then pass the "otherMails" claim out from the "LocalAccountSignUpWithLogonEmail" technical profile that is invoked to register a local account:

<TechnicalProfile Id="LocalAccountSignUpWithLogonEmail">
    ...
    <OutputClaims>
        ...
        <OutputClaim ClaimTypeReferenceId="otherMails" />
    </OutputClaims>
</TechnicalProfile>

When writing a social account: The "otherMails" claim is already created from the "email" claim and then persisted in the "AAD-UserWriteUsingAlternativeSecurityId" technical profile.

You must then pass the "otherMails" claim out from the "SelfAsserted-Social" technical profile that is invoked to register a social account:

<TechnicalProfile Id="SelfAsserted-Social">
    ...
    <OutputClaims>
        ...
        <OutputClaim ClaimTypeReferenceId="otherMails" />
    </OutputClaims>
</TechnicalProfile>

When reading a local or social account: The "otherMails" claim is already read in the "AAD-UserReadUsingObjectId", "AAD-UserReadUsingEmailAddress", and "AAD-UserReadUsingAlternativeSecurityId" technical profiles.

You must then pass the "otherMails" claim out from the "LocalAccountDiscoveryUsingEmailAddress" technical profile that is invoked to recover a local password:

<TechnicalProfile Id="LocalAccountDiscoveryUsingEmailAddress">
    ...
    <OutputClaims>
        ...
        <OutputClaim ClaimTypeReferenceId="otherMails" />
    </OutputClaims>
</TechnicalProfile>

To issue the "otherMail" claim as "emails" from the sign-up/sign-in and password reset policies: You must add the "otherMails" claim as <OutputClaim /> to the relying party policies:

<RelyingParty>
    ...
    <TechnicalProfile Id="PolicyProfile">
        <OutputClaims>
            ...
            <OutputClaim ClaimTypeReferenceId="otherMails" PartnerClaimType="emails" />
        </OutputClaims>
    </TechnicalProfile>
</RelyingParty>

Answer 2

For Chris Padgett's answer, you can add other emails (Alternate email) into the claim.

If you just want to add email claim from the SignIn name into the token, you can just take following steps:

1. Open your SignUporSignIn.xml file

2. Replace <OutputClaim ClaimTypeReferenceId="email" /> with <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email" />

3. Save this SignUporSignIn.xml file and upload it to Azure AD B2C to overwrite the policy.

4. Run the SignUporSignIn policy to test it. Here is my test result, you can see the email claim in the token: