
Azure B2C: Querying AAD using a custom claim?

Note that this ties in with a previous question, but I've gained a bit of a better understanding of Azure Active Directory (AAD) with custom policies.

Is it possible to query AAD by using a custom claim? For example, I want to use a claim called organizationName (extension_organizationName) to check whether it's already defined. If it was already defined, then I don't want to create the account.

Here's the claims provider that I wrote up to determine this:

    <ClaimsProvider>
      <DisplayName>Azure Active Directory</DisplayName>
      <TechnicalProfiles>
        <!--Demo: This technical profile tries to find a local account with provided email address-->
        <TechnicalProfile Id="AAD-UserReadOrganization-NoError">
          <Metadata>
            <Item Key="Operation">Read</Item>
            <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">false</Item>
          </Metadata>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="extension_organizationName" Required="true" />
          </InputClaims>
          <OutputClaims>
            <!-- Required claims -->
            <OutputClaim ClaimTypeReferenceId="tempOrganization"/>
          </OutputClaims>
          <IncludeTechnicalProfile ReferenceId="AAD-Common" />
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>

However, I got the same validation error that I've hit previously, but for a different reason:

Unable to validate the information provided.

If I can't query for an organization, then how else can I check if a custom claim value already exists inside AAD?

As Abhishek stated, you cannot query AAD B2C using your custom extension_organizationName claim. An alternative solution would be to check if the organization claim is already present in the AAD by calling a custom REST API, which queries the AAD via the Graph API (similar to the way it is described in this blog post).

You cannot query Azure AD using random claims. You can query using only unique claims. From https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-technical-profile#inputclaims

To read, update, or delete an existing user account, the input claim is a key that uniquely identifies the account in Azure AD directory. For example, objectId, userPrincipalName, signInNames.emailAddress, signInNames.userName, or alternativeSecurityId.

If your scenario is to have organization name as unique, you can consider suffixing it in user principal name. A better explanation of the scenario might help in answering.
