How to access Email of a User on B2C using Graph API

4

10

I want to know the email address of a user to send an email. On my application, people can sign up with social accounts (google/facebook/Microsoft) or local accounts. When creating a local account we use the email.

I found this info about how email is stored. https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-policies

Email address storage: An email address can be required as part of a user flow. If the user authenticates with a social identity provider, the email address is stored in the otherMails property. If a local account is based on a user name, then the email address is stored in a strong authentication detail property. If a local account is based on an email address, then the email address is stored in the signInNames property. The email address isn't guaranteed to be verified in any of these cases. A tenant administrator can disable email verification in the basic policies for local accounts. Even if email address verification is enabled, addresses aren't verified if they come from a social identity provider and they haven't been changed. Only the otherMails and signInNames properties are exposed through the Active Directory Graph API. The email address in the strong authentication detail property is not available

Not sure why the field "Mail" on the user is not being used... but using GraphApi:

I make a GET: https://graph.microsoft.com/v1.0/Users?$select=displayName,mail,otherMails,signInNames

Some emails appear on "mail", others on the array of "otherMails", and "signInNames" can't be selected :( It doesn't show any info, so there are some users whose email I can't get.

How can I solve this? Only using Azure AD Graph instead of Microsoft Graph API, since on that API signInNames are returned?

Isn't there any way of storing the emails always on the same property? Or at least one that I have access on Microsoft Graph API? Using Custom policies only with Claims transformation?

Cessation answered 11/10, 2019 at 17:12 Comment(3)
You can get email as a claim in token also. What is your scenario? - Ralph
I'm not authenticated as the User; it is server-side work that needs to send an email from time to time to all users of the platform. - Oudh
In the Microsoft Graph API the email of a local account is now returned in the identities property, but ONLY in the BETA version, not in the 1.0 version. - Worldwide
4

You need to collect the email addresses from different places such as mail, otherMails and signInNames through AD Graph API. signInNames is NOT available in Microsoft Graph API.

Note that in the case where users sign in with username + email validation, there is no way to retrieve the email used.

Or you could add a custom attribute in custom policy, where you can require users to type in their email address. After that, you could use AD Graph to get the custom attribute (A sample here).

Celinecelinka answered 31/10, 2019 at 9:11 Comment(0)
11

In the Microsoft Graph API you can use:

GET: https://graph.microsoft.com/v1.0/Users?$select=displayName,mail,identities,otherMails

You can find the email of a local account in the identities collection.

In the BETA version of the Graph API (graph.microsoft.com/beta) the identities and otherMails properties are also returned without a $select, in the v1.0 version only when specified in the $select.

Worldwide answered 7/10, 2020 at 13:1 Comment(2)
This is the correct answer. However, I still wonder why this is so complicated. - Robbinrobbins
This works for me too, but having to check in multiple places for the email is far from ideal. - Umpire
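An added example, not part of the answer above: one way to reduce the mail, identities and otherMails properties of each returned user to a single address for server-side mailing. The response data is constructed, the order of preference is an assumption of this example, and the signInType values are those of the Graph identities objects.

```python
# Constructed sample shaped like the response to
# GET /v1.0/users?$select=displayName,mail,identities,otherMails
SAMPLE_RESPONSE = {"value": [
    {"displayName": "Local Email User", "mail": None, "otherMails": [],
     "identities": [{"signInType": "emailAddress",
                     "issuer": "contoso.onmicrosoft.com",
                     "issuerAssignedId": "Local.User@example.com"}]},
    {"displayName": "Social User", "mail": None,
     "otherMails": ["social.user@example.com", "Social.User@example.com"],
     "identities": [{"signInType": "federated", "issuer": "google.com",
                     "issuerAssignedId": "1234567890"}]},
    {"displayName": "Username User", "mail": None, "otherMails": [],
     "identities": [{"signInType": "userName",
                     "issuer": "contoso.onmicrosoft.com",
                     "issuerAssignedId": "jdoe"}]},
]}


def candidate_emails(user):
    """Collect a user's addresses from identities, mail and otherMails.

    The order of preference is an assumption of this example. None of these
    values is guaranteed to be verified, so treat them as unconfirmed.
    """
    found = []
    for ident in user.get("identities") or []:
        # Only local email sign-ins carry an address in issuerAssignedId;
        # for other sign-in types it is a user name or an IdP-side id.
        if ident.get("signInType") == "emailAddress":
            found.append(ident.get("issuerAssignedId") or "")
    found.append(user.get("mail") or "")
    found.extend(user.get("otherMails") or [])

    seen, result = set(), []
    for addr in (a.strip() for a in found):
        if addr and addr.lower() not in seen:  # drop blanks, case-only duplicates
            seen.add(addr.lower())
            result.append(addr)
    return result


def mailing_list(response):
    """Map displayName to the preferred address, or None when there is none."""
    return {u["displayName"]: next(iter(candidate_emails(u)), None)
            for u in response["value"]}
```

The username-based account resolves to None, so a mailing job has to log and skip such users rather than assume every record yields an address.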
8

I managed to get the email for an Azure B2C user through the following Microsoft Graph API call:

https://graph.microsoft.com/v1.0/users?$select=identities

Kennithkennon answered 9/8, 2020 at 2:7 Comment(0)
3

The Microsoft Graph is the successor of the old Windows Graph. The Microsoft Graph doesn't support the signInNames property for Users object anymore. One has to filter on identities instead. However identities isn't part of the default property set of the User object so one has to select it. Once that's done, one can filter on identities using an any clause.

Note that filtering on issuerAssignedId can only be done when both issuerAssignedId and issuer are used in the filter clause.

GET: https://graph.microsoft.com/v1.0/Users?$select=id,identities&filter=identities/any(c:c/issuerAssignedId eq '{email}' and c/issuer eq '{issuer}')
Mammal answered 21/11, 2022 at 8:46 Comment(0)
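An added example, not part of the answer above: building that identities filter when {email} and {issuer} come from input. OData string literals escape a single quote by doubling it, and the whole filter is percent-encoded before it goes into the URL; the function names are hypothetical and the sample values are constructed.

```python
from urllib.parse import quote

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"


def odata_literal(value):
    """Return value as an OData string literal.

    Embedded single quotes are doubled so the value cannot close the
    literal early and change the meaning of the filter expression.
    """
    if any(ord(ch) < 0x20 for ch in value):
        raise ValueError("control character in filter value")
    return "'" + value.replace("'", "''") + "'"


def user_by_email_url(email, issuer):
    """Build the lookup URL; issuerAssignedId and issuer are always paired,
    as the answer requires."""
    flt = "identities/any(c:c/issuerAssignedId eq {} and c/issuer eq {})".format(
        odata_literal(email), odata_literal(issuer))
    # safe="" percent-encodes every reserved character, including ' / ( ) and space
    return "{}?$select=id,identities&$filter={}".format(
        GRAPH_USERS, quote(flt, safe=""))


if __name__ == "__main__":
    # Constructed sample values
    print(user_by_email_url("o'brien@example.com", "contoso.onmicrosoft.com"))
```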
