azure-ad-b2c azure-ad-b2c-custom-policy

no email in claim when logging on via Entra ID


I've followed this article to build out an Azure AD B2C custom policy, so we can have both local AD users + external Entra ID users log in to our app. I used the SocialAndLocalAccounts example XML files, and modified them to suit our configuration.

It's all working well, except the Entra ID flow isn't returning the user's email address claim in the response:

{
  "alg": "RS256",
  "kid": "xxx",
  "typ": "JWT"
}.{
  "exp": 1734585091,
  "nbf": 1734581491,
  "ver": "1.0",
  "iss": "https://truthengine.b2clogin.com/xxx/v2.0/",
  "sub": "xxx",
  "aud": "xxx",
  "acr": "b2c_1a_jb_signup_signin",
  "nonce": "defaultNonce",
  "iat": 1734581491,
  "auth_time": 1734581491,
  "name": "John Bishop",
  "idp": "https://login.microsoftonline.com/xxx/v2.0",
  "given_name": "John",
  "family_name": "Bishop",
  "tid": "xxx"
}.[Signature]

And it doesn't actually look like I'm requesting the email address in the login flow:

Screenshot of Entra ID login dialog

I've tried following the instructions in this SO post about adding the <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email" /> entry in the SignUporSignIn.xml file, but that hasn't helped.

If anyone has any ideas on what I might be doing wrong here - I'd very much appreciate some direction. Cheers!


Solution

  • In this article it's suggested to add the scopes like this:
    <Item Key="scope">openid profile</Item>

    Try adding email to retrieve the user's email address, too:
    <Item Key="scope">openid profile email</Item>
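As an added illustration (not part of the answer above, nor the starter-pack files), this is what a complete Entra ID OpenIdConnect TechnicalProfile looks like once "email" is in the scope and the matching OutputClaim is mapped. It assumes the tenant id, client id and policy key name are placeholders, and that the claim types it references (email, issuerUserId, tenantId, givenName, surName, displayName, identityProvider, authenticationSource) are declared in the policy's ClaimsSchema.

```xml
<!-- Example TechnicalProfile; tenant id, client id and key container are placeholders -->
<ClaimsProvider>
  <Domain>commonaad</Domain>
  <DisplayName>Entra ID</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="AADCommon-OpenIdConnect">
      <DisplayName>Entra ID</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <Metadata>
        <Item Key="METADATA">https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0/.well-known/openid-configuration</Item>
        <Item Key="client_id">CLIENT-ID-PLACEHOLDER</Item>
        <Item Key="response_types">code</Item>
        <Item Key="response_mode">form_post</Item>
        <!-- "email" must be requested here, otherwise Entra ID omits the email claim -->
        <Item Key="scope">openid profile email</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
      </Metadata>
      <CryptographicKeys>
        <!-- Policy key holding the app registration's client secret (placeholder name) -->
        <Key Id="client_secret" StorageReferenceId="B2C_1A_AADAppSecret" />
      </CryptographicKeys>
      <OutputClaims>
        <!-- Key the B2C account on oid + tid; email is mutable and not a safe identifier -->
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid" />
        <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
        <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
        <!-- The claim missing from the question's token; Entra ID only issues it when the
             scope includes "email" and the user object actually has a mail address -->
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```

The relying-party file (SignUpOrSignIn.xml) still needs `<OutputClaim ClaimTypeReferenceId="email" />` under its RelyingParty OutputClaims for the value to reach the issued token; mapping it in the TechnicalProfile alone is not enough.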