UPN different between Graph API and Azure Portal

Benoit Hoffman 51 Reputation points
2021-09-30T07:35:24.32+00:00

I am using an AD B2C with applications that can receive connections from both a trusted AD or local accounts.

The UPN I see in the Azure Portal (from both local and external accounts) are classical email addresses, and the UPN I receive from Graph API looks something like 085eeb3d-9f34-4a5e-b801-0248e72a4587@B2CTenantName.onmicrosoft.com. I am aware the reason is that B2C needs such an identifier to make sure they are unique even if someone has 2 accounts with the same UPN in both the local AD B2C and the trusted AD.

My question is, how to retrieve the UPN that is actually displayed in the Azure Portal? I don't care if I can get duplicates in my business, but I truly need to get that human-readable UPN since it's the only claim I can trust.

If that helps, I am using the graph client in .net 5

Tags: Microsoft Graph, Microsoft Entra External ID

Accepted answer
  1. AmanpreetSingh-MSFT 56,301 Reputation points
    2021-09-30T10:32:23.88+00:00

    Hi @Benoit Hoffman • Unfortunately, the Username is not stored in the B2C directory by default for the users who sign up using a federated IDP. Refer to the screenshot below for a user I signed up via a federated IDP, and notice the empty user principal name:

    [Screenshot: the federated user's profile in the Azure Portal, with the User principal name field empty]

    In this case, if you want to store the UPN of the users, you may consider creating a custom attribute like "extension_upn" and configure your signup policy to auto populate the value of this attribute by using preferred_username claim in the token during claims exchange with federated IDP at signup by adding below output claim in the technical profile of the federated IDP.

       <OutputClaim ClaimTypeReferenceId="extension_upn" PartnerClaimType="preferred_username" />  
    

    Note: preferred_username is the claim name used by Azure AD for UPN. Other IDPs may use different name.

    Refer to Add user attributes and customize user input in Azure Active Directory B2C for more details and don't forget to read the important note.

    See this in action:
    Go to https://b2c.cloud365.in, click on Azure AD button and sign-in with your Azure AD user account. Notice your UPN will be pre-populated in the extension_upn field.

    For users who have already signed up, this needs to be updated by using a profile editing flow.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


2 additional answers

Sort by: Most helpful
  1. Kunal Gautam 0 Reputation points
    2023-05-25T12:20:26.4733333+00:00

    Hello @AmanpreetSingh-MSFT

    I have a value in User principal name but am not able to get it with the parameter userPrincipalName.
    [Screenshot: the user's User principal name field populated in the Azure Portal]

    but getting this cpim_xxxxxxxxxxxxxxxxxxxxxxxx@xxxxxxxxx.onmicrosoft.com

    Can you please assist with which parameter is for this? I haven't created a custom parameter for this.


  2. Giel Oomen 36 Reputation points
    2023-05-31T14:00:52.1266667+00:00

    I found this super confusing as well. I had been filtering for quite some time on UPN but constantly getting no results while the HTTP response was 200. I kept checking back in the portal to make sure the e-mail used in my query was right.

    And indeed, it now appears to be the case that when I do a filter on just the name, the API returns a completely different UPN compared to what it shows in the portal...

    But fine, the issue is now clear. However, I still want to be able to query based on e-mail address to get users. I only allow e-mail sign up without custom policy so duplicates are impossible, and even if there were dupes it wouldn't matter. My goal is to query based on an e-mail address to find a person and then get their token to use in other operations, how should this be achieved?

    The endpoint below does not work either.

    $filter=identities/any(i:i/issuerAssignedId eq '{email}' and i/signInType eq 'emailAddress')