I registered a custom authentication extension in Entra External ID that will call my API during user signup with the AttributeCollectionSubmit event type. I would like to register this user in my external database during this call. However, the user ObjectId is not passed with the claims to the API controller. I can receive the other claims they added during registration just fine such as "DisplayName" and "Email".
I believe the reason for this is the ObjectId of the user is not created by Azure before this event is triggered, but after. That leaves me with the problem of how to associate the user created in Azure to my database.
I've looked at the other event types. It seems there are only two options for Entra ID:
OnAttributeCollectionStart
The OnAttributeCollectionStart event occurs at the beginning of the attribute collection step before the attribute collection page renders. You can add actions such as prefilling values and displaying a blocking error.
and
OnAttributeCollectionSubmit
The OnAttributeCollectionSubmit event occurs after the user enters and submits attributes. You can add actions such as validating or modifying the user's entries.
Neither seems suited to my use case as the user ObjectID will not be created by Azure yet.
So my question is how can I register an Entra ID user with my external database during the signup user flow?
When it comes to OnAttributeCollectionSubmit event, please be aware that it occurs after the user enters and submits attributes and can be used to validate the information provided by the user before the actual user account is created in the tenant. This is why you do not receive ObjectID as it is not generated yet at this point.
In the future there should be more events supported, like AfterUserRegistered. For now the only thing you can use is a custom claims provider. During the registration process the user is automatically authenticated, so this event is called too. Then on your API side you could check whether this user exists in your database. This is not a perfect solution, as you will ping your API each time a user authenticates, but unfortunately this is the only solution I can provide for now.
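The approach the answer describes, as an added example that is not part of the original post or answer: a minimal handler for the custom claims provider callout (OnTokenIssuanceStart) that upserts the signed-in user into an external store each time the event fires, so the first sign-in after signup registers the user and later sign-ins are harmless. The event and response type strings follow Microsoft's documented schema for this event; the `UserStore` class, the `externalUserId` claim name, the sample payload and its placeholder GUIDs are assumptions made for the example. The `azp` app ID is the one Microsoft documents for the custom authentication extensions service; confirm it against the current documentation for your cloud before relying on it.

```python
# Added example (not from the original post): custom claims provider handler
# that registers the Entra External ID user on token issuance.
from dataclasses import dataclass, field

EVENT_TYPE = "microsoft.graph.authenticationEvent.tokenIssuanceStart"
RESPONSE_DATA_TYPE = "microsoft.graph.onTokenIssuanceStartResponseData"
PROVIDE_CLAIMS_ACTION = "microsoft.graph.tokenIssuanceStart.provideClaimsForToken"
# App ID of the "Azure AD custom authentication extensions" service that calls
# your API; it shows up as the azp claim of the callout's bearer token.
# Verify against the current Microsoft docs for your cloud.
CUSTOM_EXT_APP_ID = "99045fe1-7639-4a75-9d4a-577b6ca3810f"


def is_trusted_callout(token_claims: dict, api_app_id: str, tenant_id: str) -> bool:
    """Checks to run on the callout's bearer token AFTER its signature has been
    validated by your JWT middleware (assumed to exist). Without this, anyone
    who can reach the endpoint can create rows with arbitrary object IDs."""
    return (
        token_claims.get("aud") == api_app_id
        and token_claims.get("tid") == tenant_id
        and token_claims.get("azp") == CUSTOM_EXT_APP_ID
    )


@dataclass
class UserStore:
    """Stand-in for the external database (assumption): objectId -> row."""
    rows: dict = field(default_factory=dict)

    def upsert(self, object_id: str, display_name: str, email: str) -> bool:
        """Insert or refresh the row; returns True when the user was new."""
        created = object_id not in self.rows
        self.rows[object_id] = {"displayName": display_name, "email": email}
        return created


def handle_token_issuance_start(body: dict, store: UserStore) -> dict:
    """Registers the user from the callout and returns the documented
    provideClaimsForToken response. Idempotent: repeated sign-ins only
    refresh the row, which is what makes the per-authentication call tolerable."""
    if body.get("type") != EVENT_TYPE:
        raise ValueError(f"unexpected event type: {body.get('type')!r}")
    user = body["data"]["authenticationContext"]["user"]
    object_id = user.get("id")
    if not object_id:
        # By the time this event fires the account exists, so a missing id
        # means a malformed request rather than a not-yet-created user.
        raise ValueError("callout carries no user id")
    store.upsert(object_id, user.get("displayName", ""), user.get("mail", ""))
    return {
        "data": {
            "@odata.type": RESPONSE_DATA_TYPE,
            "actions": [
                {
                    "@odata.type": PROVIDE_CLAIMS_ACTION,
                    # Hypothetical claim name: stamps the external row key into
                    # the token so the application can look the user up later.
                    "claims": {"externalUserId": object_id},
                }
            ],
        }
    }


# Constructed sample callout in the documented shape; all IDs are placeholders.
SAMPLE_CALLOUT = {
    "type": EVENT_TYPE,
    "source": "/tenants/00000000-0000-0000-0000-0000000000aa"
              "/applications/00000000-0000-0000-0000-0000000000bb",
    "data": {
        "@odata.type": "microsoft.graph.onTokenIssuanceStartCalloutData",
        "tenantId": "00000000-0000-0000-0000-0000000000aa",
        "authenticationContext": {
            "correlationId": "00000000-0000-0000-0000-0000000000cc",
            "protocol": "OAUTH2.0",
            "user": {
                "id": "00000000-0000-0000-0000-000000000001",
                "displayName": "Alice Example",
                "mail": "alice@example.com",
                "userType": "Member",
            },
        },
    },
}

if __name__ == "__main__":
    store = UserStore()
    print(handle_token_issuance_start(SAMPLE_CALLOUT, store))
    print(store.rows)
```

Wire `handle_token_issuance_start` behind the endpoint you registered for the custom claims provider, and only call it once `is_trusted_callout` has passed on the validated bearer token; returning the claims action with an empty `claims` dict (or the response with no actions) is the right fallback if the database is unreachable, so a store outage degrades to a sign-in without the extra claim rather than a blocked sign-in.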