I'm using custom policies and I saw that the field "emails" that exists in built-in policies but doesn't exist in custom policies. There is a claim named otherMails
instead.
emails
claim in my tokens with a list of user emails. I'm using the custom policies in the starter pack. But I don't know which TechnicalProfiles
should I change. I tried a few things but it doesn't work.
Thanks in advance!
When writing a local account: You must create the "otherMails" claim from the "email" claim using the "CreateOtherMailsFromEmail" claims transformation and then persist the "otherMails" claim in the "AAD-UserWriteUsingLogonEmail" technical profile:
<TechnicalProfile Id="AAD-UserWriteUsingLogonEmail">
...
<IncludeInSso>false</IncludeInSso>
<InputClaimsTransformations>
<InputClaimsTransformation ReferenceId="CreateOtherMailsFromEmail" />
</InputClaimsTransformations>
<InputClaims>
...
</InputClaims>
<PersistedClaims>
...
<PersistedClaim ClaimTypeReferenceId="otherMails" />
</PersistedClaims>
<OutputClaims>
...
<OutputClaim ClaimTypeReferenceId="otherMails" />
</OutputClaims>
...
</TechnicalProfile>
You must then pass the "otherMails" claim out from the "LocalAccountSignUpWithLogonEmail" technical profile that is invoked to register a local account:
<TechnicalProfile Id="LocalAccountSignUpWithLogonEmail">
...
<OutputClaims>
...
<OutputClaim ClaimTypeReferenceId="otherMails" />
</OutputClaims>
</TechnicalProfile>
When writing a social account: The "otherMails" claim is already created from the "email" claim and then persisted in the "AAD-UserWriteUsingAlternativeSecurityId" technical profile.
You must then pass the "otherMails" claim out from the "SelfAsserted-Social" technical profile that is invoked to register a social account:
<TechnicalProfile Id="SelfAsserted-Social">
...
<OutputClaims>
...
<OutputClaim ClaimTypeReferenceId="otherMails" />
</OutputClaims>
</TechnicalProfile>
When reading a local or social account: The "otherMails" claim is already read in the "AAD-UserReadUsingObjectId", "AAD-UserReadUsingEmailAddress", and "AAD-UserReadUsingAlternativeSecurityId" technical profiles.
You must then pass the "otherMails" claim out from the "LocalAccountDiscoveryUsingEmailAddress" technical profile that is invoked to recover a local password:
<TechnicalProfile Id="LocalAccountDiscoveryUsingEmailAddress">
...
<OutputClaims>
...
<OutputClaim ClaimTypeReferenceId="otherMails" />
</OutputClaims>
</TechnicalProfile>
To issue the "otherMail" claim as "emails" from the sign-up/sign-in and password reset policies: You must add the "otherMails" claim as <OutputClaim />
to the relying party policies:
<RelyingParty>
...
<TechnicalProfile Id="PolicyProfile">
<OutputClaims>
...
<OutputClaim ClaimTypeReferenceId="otherMails" PartnerClaimType="emails" />
</OutputClaims>
</TechnicalProfile>
</RelyingParty>
For Chris Padgett's answer, you can add other emails (Alternate email) into the claim.
If you just want to add email claim from the SignIn name into the token, you can just take following steps:
Open your SignUporSignIn.xml
file
Replace <OutputClaim ClaimTypeReferenceId="email" />
with <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email" />
Save this SignUporSignIn.xml file and upload it to Azure AD B2C to overwrite the policy.
Run the SignUporSignIn policy to test it. Here is my test result, you can see the email claim in the token:
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With