skip to Main Content

I want to know the email address of a user to send an email.
On my application, people can sign up with social accounts (google/facebook/Microsoft) or local accounts.
When creating a local account we use the email.

I found this info about how email is stored.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-policies

Email address storage: An email address can be required as part of a user flow. If the user authenticates with a social identity
provider, the email address is stored in the otherMails property. If a
local account is based on a user name, then the email address is
stored in a strong authentication detail property. If a local account
is based on an email address, then the email address is stored in the
signInNames property. The email address isn’t guaranteed to be
verified in any of these cases. A tenant administrator can disable
email verification in the basic policies for local accounts. Even if
email address verification is enabled, addresses aren’t verified if
they come from a social identity provider and they haven’t been
changed. Only the otherMails and signInNames properties are exposed
through the Active Directory Graph API. The email address in the
strong authentication detail property is not available

Not sure why the field “Mail” on the user is not being used… but using GraphApi:

I make a GET: https://graph.microsoft.com/v1.0/Users?$select=displayName,mail,otherMails,signInNames

Some emails appear on “mail”, others on the array of “otherMails”, and “singInNames” can’t be selected 🙁 doesn’t show any info, so are some users that I can’t get the info about the email.

How can I solve this? Only using Azure AD Graph instead of Microsoft Graph API, since on that API signInNames are returned?

Isn’t there any way of storing the emails always on the same property? Or at least one that I have access on Microsoft Graph API? Using Custom policies only with Claims transformation?

4

Answers


  1. You need to collect the email addresses from different places such as mail, otherMails and signInNames through AD Graph API. signInNames is NOT available in Microsoft Graph API.

    Note that in the case where users sign in with username + email validation, there is no way to retrieve the email used.

    Or you could add a custom attribute in custom policy, where you can require users to type in their email address. After that, you could use AD Graph to get the custom attribute (A sample here).

    Login or Signup to reply.
  2. I managed to get the email for a Azure B2C user through the following Microsoft Graph API call:

    https://graph.microsoft.com/v1.0/users?$select=identities

    Login or Signup to reply.
  3. In the Microsoft Graph API you can use:

    GET: https://graph.microsoft.com/v1.0/Users?$select=displayName,mail,identities,otherMails
    

    You can find the email of a local account in the identities collection.

    In the BETA version of the Graph API (graph.microsoft.com/beta) the identities and otherMails properties are also returned without a $select, in the v1.0 version only when specified in the $select.

    Login or Signup to reply.
  4. The Microsoft Graph is the successor of the old Windows Graph. The Microsoft Graph doesn’t support the signInNames property for Users object anymore. One has to filter on identities instead. However identities isn’t part of the default property set of the User object so one has to select it. Once that’s done, one can filter on identities using an any clause.

    Note that filtering on issuerAssignedId can only be done when both issuerAssignedId and issuer are used in the filter clause.

    GET: https://graph.microsoft.com/v1.0/Users?$select=id,identities&filter=identities/any(c:c/issuerAssignedId eq '{email}' and c/issuer eq '{issuer}')
    
    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search