Tags: azure-active-directory, azure-ad-b2c, openid

No email for id token for B2C built in flow


I have a B2C tenant for Azure Active Directory 1 (AD_1). I'd like to authenticate users from an external AD_2. A SignUp_SignIn flow was created for the B2C tenant, and all claims were selected. This flow is tied to a custom OpenID provider with the following settings, see below:

[screenshot]

Within AD_2 I have an app registration, see below:

[screenshot]

When I decode the obtained token, I see no email value. I tried different variants for the custom IdP's email field, like email and sub - nothing works. Have I missed something? My UI settings are as follows:

[screenshot]


Solution

I registered one application in the Azure AD tenant and added the same API permissions as below:

[screenshot]

In Token configuration, I added the same optional claims for the ID token, like this:

[screenshot]

Now I configured Azure AD as an identity provider in the B2C tenant by adding a custom IDP with the parameters below:

[screenshot]

While running the Sign Up and Sign In user flow, make sure to include the Email Addresses claim, like this:

[screenshot]

When I ran the user flow, I got the login screen below with the Custom IDP AAD button:

[screenshot]

After clicking the Custom IDP AAD button, I got the screen below to pick an account, where I selected the Sri account:

[screenshot]

In my case, I got the screen below after completing the authentication process, with claims from Azure AD:

[screenshot]

When I selected Continue, I successfully got an id_token with the emails claim, like below:

[screenshot]

In your case, make sure to select Email addresses in the Application claims of the user flow to get email in the id_token:

[screenshot]

You need to add email as the value for the email field while configuring the Custom IDP.

References:

Set up sign-in for an Azure AD organization - Azure AD B2C | Microsoft

Azure AD B2C "email" claim is missing from JWT - Stack Overflow by Carl Zhao
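To check locally whether the id_token you decoded actually carries an email, here is an added example (not from the question or answer above) that inspects a token's payload without verifying its signature, for diagnosing your own tokens only, and looks for both the `emails` array that a B2C user flow emits for the Email Addresses claim and the scalar `email` claim Azure AD issues directly. The sample tokens are constructed with placeholder values.

```python
import base64
import json
from typing import Optional


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT without verifying its signature.
    Only for inspecting a token you already hold (the 'decode obtained token' step);
    never use this to accept tokens presented by callers."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = parts[1]
    # base64url omits '=' padding; restore it before decoding.
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def find_email(claims: dict) -> Optional[str]:
    """Return the first email carried by the token, or None if neither claim is present.
    A B2C user flow emits the Email Addresses application claim as an 'emails' array;
    a token issued directly by Azure AD carries a scalar 'email' claim."""
    emails = claims.get("emails")
    if isinstance(emails, list) and emails:
        return emails[0]
    email = claims.get("email")
    if isinstance(email, str) and email:
        return email
    return None


def _make_unsigned_token(claims: dict) -> str:
    # Constructed sample only: header and payload with an empty signature segment.
    def seg(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


# Constructed sample tokens with placeholder issuer and subject values.
B2C_TOKEN = _make_unsigned_token({
    "iss": "https://placeholder.b2clogin.com/placeholder-tenant/v2.0/",
    "idp": "AAD",
    "emails": ["user@example.com"],
})
NO_EMAIL_TOKEN = _make_unsigned_token({
    "iss": "https://placeholder.b2clogin.com/placeholder-tenant/v2.0/",
    "sub": "placeholder-object-id",
})

if __name__ == "__main__":
    for tok in (B2C_TOKEN, NO_EMAIL_TOKEN):
        print(find_email(decode_jwt_payload(tok)))
```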