
How can I map a property from an Azure AD login to a B2C identity?

Following this example https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom we have managed to federate an Azure AD directory ('AD') with an Azure AD B2C directory ('B2C'), so we can have social and self-asserted sign up to a public application, which our work users can also sign into with their normal work IDs. This works well and solves a complex scenario for us.

In the application which is secured with B2C, we need to show AD users content that is relevant to their work identity (specifically we need to filter products based on their work role), but this information is not available to us, since the process of signing up to the app generates a new B2C identity for the user (effectively a proxy for their AD identity).

What we need to do is to map the user's original AD identity onto the new B2C identity. Other properties of the AD user such as Given Name and Surname are already mapped, and that seems to take place here, in the ClaimsProvider element of our custom policy, via the PartnerClaimType property:

<OutputClaims>
    <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="oid"/>
    <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
    <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
    <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
    <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="contosoAuthentication" />
    <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="AzureADContoso" />
</OutputClaims>

Indeed, it even appears that the ID we're looking for might be mapped to a property (oid) - but when we later query the B2C graph for the user, this oid property is not returned.

So - how can we map the user's Object ID from the work AD directory onto a property on the new B2C identity that is created?

CREATED on 28 Nov 17

Currently, the object identifier for the Azure AD user (or any external user) is saved to the "alternativeSecurityId" attribute in the Azure AD B2C directory, but this built-in attribute can't be queried via the Azure AD Graph API.

You can, however, create a custom attribute and map the "oid" claim from the Azure AD identity provider to a custom claim that is associated with this custom attribute.

Creating a custom attribute and using this as a custom claim is described at Azure Active Directory B2C: Creating and using custom attributes in a custom profile edit policy.

For your specific scenario, you should:

1: Add a <ClaimType />, declaring the custom claim, to the base policy:

<ClaimType Id="extension_AzureADUserObjectId">
  <DisplayName>Azure AD User Object ID</DisplayName>
  <DataType>string</DataType>
</ClaimType>

2: Map the "oid" claim in the "SignInWithContoso" technical profile:

<OutputClaims>
  ...
  <OutputClaim ClaimTypeReferenceId="extension_AzureADUserObjectId" PartnerClaimType="oid" />
</OutputClaims>

3: Add the application and object identifiers for the extensions app to the "AAD-Common" technical profile which is required to read and write the custom claim to the Azure AD B2C directory:

<TechnicalProfile Id="AAD-Common">
  <DisplayName>Azure Active Directory</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.AzureActiveDirectoryProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ApplicationObjectId">Insert the object identifier for the b2c-extensions-app application here</Item>
    <Item Key="ClientId">Insert the application identifier for the b2c-extensions-app application here</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="issuer_secret" StorageReferenceId="TokenSigningKeyContainer" />
  </CryptographicKeys>
  ...
</TechnicalProfile>

4: Write the custom claim in the "AAD-UserWriteUsingAlternativeSecurityId" technical profile:

<PersistedClaims>
  ...
  <PersistedClaim ClaimTypeReferenceId="extension_AzureADUserObjectId" />
</PersistedClaims>

5: Read the custom claim in the "AAD-UserReadUsingAlternativeSecurityId" technical profile:

<OutputClaims>
  ...
  <OutputClaim ClaimTypeReferenceId="extension_AzureADUserObjectId" />
</OutputClaims>

6: Issue the custom claim in any relying party policies or query it via the Azure AD Graph API.

UPDATED on 15 Feb 18

Since this announcement on 5 Feb 18, the external issuer (i.e., the Azure AD tenant) and the external user identifier (i.e., the object identifier of the Azure AD user) can be read from the "userIdentities" property of the user object in the Azure AD B2C directory, where the "issuerUserId" property contains the Base64-encoding of the external user identifier:

{
    "userIdentities": [
        {
            "issuer": "contoso.com",
            "issuerUserId": "Mjk2NzdlNTAtY2MwZS00MmU5LWJhNWMtZjFmMDdkZTUwMDhm"
        }
    ]
}
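As an added example (not code from the answer above), the following Python reads the "userIdentities" property described in the update and recovers the work-tenant object identifier from it, checking the issuer against the expected federated tenant before trusting the decoded value. The JSON is a constructed sample built from the answer's Base64 value plus a second, non-work identity.

```python
import base64
import json
import uuid
from typing import Optional

# Constructed sample shaped like the userIdentities property quoted in the
# answer; the first entry carries the answer's own Base64 value, the second is
# a made-up non-work identity whose decoded value is not a GUID.
SAMPLE_USER_JSON = """
{
  "userIdentities": [
    {"issuer": "contoso.com",
     "issuerUserId": "Mjk2NzdlNTAtY2MwZS00MmU5LWJhNWMtZjFmMDdkZTUwMDhm"},
    {"issuer": "google.com", "issuerUserId": "MTEyMzQ1Njc4OTAxMjM0NTY3ODkw"}
  ]
}
"""


def decode_issuer_user_id(encoded: str) -> str:
    """Decode a Base64 issuerUserId to the raw external user identifier.

    Accepts both standard and URL-safe alphabets and restores padding, since
    the value may be returned without trailing '=' characters."""
    s = encoded.strip().replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    return base64.b64decode(s).decode("utf-8")


def azure_ad_object_id(user: dict, expected_issuer: str) -> Optional[str]:
    """Return the work-tenant object id of this B2C user, or None.

    Only identities whose issuer is the tenant we federated with are used, so
    an identity from another provider can never be taken for a work identity.
    The decoded value must also parse as a GUID (the shape of an Azure AD
    object id); anything else is skipped rather than trusted."""
    for ident in user.get("userIdentities", []):
        if ident.get("issuer") != expected_issuer:
            continue
        try:
            raw = decode_issuer_user_id(ident["issuerUserId"])
            return str(uuid.UUID(raw))  # normalised lowercase GUID
        except (KeyError, ValueError, UnicodeDecodeError):
            continue
    return None


if __name__ == "__main__":
    user = json.loads(SAMPLE_USER_JSON)
    print(azure_ad_object_id(user, "contoso.com"))
```

Filter products by work role only after this lookup succeeds for the expected issuer; a None result means the signed-in B2C user has no identity from the work tenant.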
