Azure-docs: OpenID Connect email claim

Created on 8 Feb 2020 · 9 Comments · Source: MicrosoftDocs/azure-docs

"email" is a standard OIDC claim with a particular documented standard way of retrieving it (using scope of email). Is there no way that AAD B2C federations can clearly return the OIDC email claim rather than in something like "upn" which feels like it might be an email or might not be an email value?

https://openid.net/specs/openid-connect-basic-1_0.html#Scopes




All 9 comments

@alex-mason-jdas Thanks for the question! We are investigating and will update you shortly.

In Azure AD, you can set the Application Registration to issue the addressable "email" claim as an optional claim:
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims#configuring-optional-claims

We are updating this doc to add this reference.

To be specific, my question is on the page around B2C federating to Azure AD and how to get the email claim exposed. I am not sure optional claim is the answer on my question, is it?

Yes, it is the solution. AAD will then return the email claim in its token to B2C if the user has an Exchange Online mailbox, and B2C can then issue it in its token by mapping it in the relying party section.

AAD already returns the UPN in the token to B2C, which we can map using partnerClaimType="unique_name", but it is not guaranteed to be an addressable mailbox.

If you just want to output UPN as email, map it in the output claims to email like the other claims are being mapped.

Is there a recommendation/ranked order which you suggest to follow (at least when federating to Azure AD), e.g.

  1. email
  2. AlternativeMails/otherMails
  3. upn
  4. ...

Initially getting the claim to show up is one thing, having it make sense is another...
This gets more problematic with generic federations, but for AAD federation I would expect there to be more or less standards which claims you can and should expect.

Azure AD has its own rules as we see with other IdPs. The Azure AD docs explain what claims are issued and for what reason in the link I sent in my last comment. In B2C you are free to map those to anything you like.

We don’t provide exact guidance on what you might map because it can change on the requirement. Rather we show the mapping process.
In your case you want the addressable email, in which case you’d use the email claim based off the AAD claim information doc.

The standard lowest common denominator is what the article achieves already regardless of your AAD environment.

@alex-mason-jdas, closing this thread for now.

https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens

This document for email payload claim under id tokens indicates that it is enough to ask for the email scope for addressable email. I don't understand if this is wrong or I am still missing something.

Resolved. I think I am getting addressable email by passing scope of email on the v2.0 endpoint in my custom policy
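The configuration the thread converges on, as an added example that is not part of the issue or the linked Microsoft doc: a B2C custom-policy TechnicalProfile that federates to Azure AD over the v2.0 endpoint, requests the `email` scope, and maps the resulting `email` claim rather than the UPN. The tenant ID, client ID, TechnicalProfile Id and key StorageReferenceId are placeholders; the `email`, `issuerUserId` and `identityProvider` ClaimTypes are assumed to exist in the base policy.

```xml
<!-- Added example (not from the thread). Placeholders: {TENANT_ID_PLACEHOLDER},
     {CLIENT_ID_PLACEHOLDER}, the TechnicalProfile Id and the secret key name. -->
<ClaimsProvider>
  <Domain>contoso.example</Domain>
  <DisplayName>Contoso Azure AD</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="AAD-Contoso-OIDC">
      <DisplayName>Contoso Azure AD</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <Metadata>
        <!-- v2.0 discovery document: the email scope is honoured here -->
        <Item Key="METADATA">https://login.microsoftonline.com/{TENANT_ID_PLACEHOLDER}/v2.0/.well-known/openid-configuration</Item>
        <Item Key="client_id">{CLIENT_ID_PLACEHOLDER}</Item>
        <Item Key="response_types">code</Item>
        <Item Key="response_mode">form_post</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
        <!-- "email" added to the standard OIDC scopes so the id_token
             carries the email claim (issued only if the user has a mailbox) -->
        <Item Key="scope">openid profile email</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_ContosoAppSecret" />
      </CryptographicKeys>
      <OutputClaims>
        <!-- stable, non-reassignable subject identifier for account linking -->
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid" />
        <!-- the addressable mailbox: map "email", not "unique_name"/UPN,
             because a UPN is not guaranteed to be a deliverable address -->
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
      </OutputClaims>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```

Because the `email` claim is absent when the user has no Exchange Online mailbox, downstream steps that require it should check for its presence rather than fall back to the UPN silently.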
