This is a follow-up to this question. I need to query AAD B2C to lookup a user using an employeeID which, for reasons related to what fields our account provisioning solution can deal with, is currently stored in the telephoneNumber field.
I have created an Azure Active Directory TechnicalProfile which specifies the telephone number as the InputClaim:
<TechnicalProfile Id="AAD-UserReadUsingEmployeeId">
  <Metadata>
    <Item Key="Operation">Read</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
    <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">An account could not be found for the provided ID.</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="telephoneNumber" PartnerClaimType="employeeId" Required="true" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
    <OutputClaim ClaimTypeReferenceId="otherMails" />
    <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" />
    <OutputClaim ClaimTypeReferenceId="signInNames.phoneNumber" />
    <OutputClaim ClaimTypeReferenceId="displayName" />
    <OutputClaim ClaimTypeReferenceId="givenName" />
    <OutputClaim ClaimTypeReferenceId="surname" />
    <OutputClaim ClaimTypeReferenceId="telephoneNumber" />
  </OutputClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>
However, when compiling this policy I get the error:
"Input Claim 'telephoneNumber' is not supported in Azure Active Directory Provider technical profile 'AAD-UserReadUsingEmployeeId'"
I understand from the documentation here that telephoneNumber can only be used as persistentClaim or OutputClaim... so I suppose I may be hitting that limitation. I thought I could wiggle out of this by querying AAD B2C using an extension attribute instead, but there I get confused:
- The answers to the question I linked to earlier state that you can't query AAD B2C through some random attribute, because the attribute needs to be unique
- The FIDO2 sample policy here does use an extension attribute to query AAD B2C and lookup a user, so it would appear to be possible in some conditions.
So, would I be correct in understanding that
- You can use any extension attribute to lookup a user in AAD B2C, and it's on you to ensure that the attribute values are unique
- You can't use most of the standard attributes (such as telephoneNumber) to look up users
Or is there something obvious I'm overlooking in the way I've configured the TechnicalProfile?
Thanks!
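As an added example (not code from the question above or from the FIDO2 sample policy it links to), this is what the extension-attribute variant of the lookup looks like: the employee ID is stored in a custom attribute, declared as a claim type with the `extension_` prefix, and that claim is the only InputClaim of the Read profile. The claim name `extension_employeeId` and the profile Id `AAD-UserReadUsingExtensionEmployeeId` are assumptions chosen for the example.

```xml
<!-- Added example, not from the question or the FIDO2 sample.
     Assumed names: extension_employeeId, AAD-UserReadUsingExtensionEmployeeId. -->

<!-- 1. Declare the custom attribute as a claim type (BuildingBlocks/ClaimsSchema).
        The "extension_" prefix is what marks it as an extension attribute. -->
<ClaimType Id="extension_employeeId">
  <DisplayName>Employee ID</DisplayName>
  <DataType>string</DataType>
  <UserHelpText>Employee ID used to locate the account.</UserHelpText>
</ClaimType>

<!-- 2. Read profile: the extension attribute is the lookup key.
        Same metadata as the question's profile; only the InputClaim changes. -->
<TechnicalProfile Id="AAD-UserReadUsingExtensionEmployeeId">
  <Metadata>
    <Item Key="Operation">Read</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
    <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">An account could not be found for the provided ID.</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <!-- A single extension attribute is accepted as an input claim of a Read
         operation, unlike telephoneNumber. -->
    <InputClaim ClaimTypeReferenceId="extension_employeeId" Required="true" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
    <OutputClaim ClaimTypeReferenceId="displayName" />
    <OutputClaim ClaimTypeReferenceId="givenName" />
    <OutputClaim ClaimTypeReferenceId="surname" />
    <!-- telephoneNumber is still fine as an OutputClaim. -->
    <OutputClaim ClaimTypeReferenceId="telephoneNumber" />
    <OutputClaim ClaimTypeReferenceId="extension_employeeId" />
  </OutputClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>
```

Two things to check before relying on this: the included `AAD-Common` profile must carry the `ApplicationObjectId` and `ClientId` metadata items pointing at the tenant's b2c-extensions-app, otherwise `extension_*` claims cannot be read or written; and, as the linked answers say, B2C does not enforce uniqueness on the attribute, so the provisioning process that writes the employee ID is the only place where duplicates can be prevented.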
These are correct: