Question

FedorVariukhin-3151 asked:

Azure B2C custom policy AAD-UserReadUsingObjectId: Error AADB2C90037 while reading an existing user

Hello Support team, I'm developing B2C with custom policies and I ran into an unexpected issue.
I want to get the user's claims with the help of AAD-UserReadUsingObjectId; my policy looks like this:

 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
 <TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                       xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                       xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0"
                       TenantId="yourtenant.onmicrosoft.com" PolicyId="B2C_1A_TestReadUser"
                       PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_TestReadUser" DeploymentMode="Development">
    
     <BasePolicy>
         <TenantId>yourtenant.onmicrosoft.com</TenantId>
         <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
     </BasePolicy>
        
     <ClaimsProviders>
         <ClaimsProvider>
             <DisplayName>Check param</DisplayName>
             <TechnicalProfiles>
                 <TechnicalProfile Id="UserIdProfile">
                     <DisplayName>Read User Id from query</DisplayName>
                     <Protocol Name="Proprietary"
                               Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
                     <OutputClaims>
                         <OutputClaim ClaimTypeReferenceId="objectId" DefaultValue="GUID of registred user" AlwaysUseDefaultValue="true"/>
                     </OutputClaims>
                 </TechnicalProfile>
             </TechnicalProfiles>
         </ClaimsProvider>
     </ClaimsProviders>
        
     <UserJourneys>
         <UserJourney Id="GetUserData">
             <OrchestrationSteps>
                 <OrchestrationStep Order="1" Type="ClaimsExchange">
                     <ClaimsExchanges>
                         <ClaimsExchange Id="SetUserIdExchange" TechnicalProfileReferenceId="UserIdProfile"/>
                     </ClaimsExchanges>
                 </OrchestrationStep>
                 <OrchestrationStep Order="2" Type="ClaimsExchange">
                     <ClaimsExchanges>
                         <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
                     </ClaimsExchanges>
                 </OrchestrationStep>
                 <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/>
             </OrchestrationSteps>
         </UserJourney>
     </UserJourneys>
    
     <RelyingParty>
         <DefaultUserJourney ReferenceId="GetUserData"/>
         <TechnicalProfile Id="PolicyProfile">
             <DisplayName>PolicyProfile</DisplayName>
             <Protocol Name="OpenIdConnect"/>
             <OutputClaims>
                 <!-- <OutputClaim ClaimTypeReferenceId="email" /> -->
                 <OutputClaim ClaimTypeReferenceId="displayName" />
                 <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
                 <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true"
                              DefaultValue="{Policy:TenantObjectId}"/>
             </OutputClaims>
             <SubjectNamingInfo ClaimType="sub"/>
         </TechnicalProfile>
     </RelyingParty>
 </TrustFrameworkPolicy>

When I try to execute it I see the error shown in the attached screenshot (196934-image.png).

Please help me understand what I'm doing wrong.

I used https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/main/LocalAccounts for the initial setup.
The user I'm trying to find is a tenant user.


Marilee Turscak-MSFT commented:

Hi @FedorVariukhin-3151,

Which page layout version are you using in your user flow? There have been recent updates to page layouts that I have seen cause this error. Would you be able to use the latest page layout version and try again?

Also, if you remove the OrchestrationStep 1 section, do you still see this error?

1 Answer

FedorVariukhin-3151 answered:

Hi @Marilee Turscak-MSFT

Which page layout version are you using in your userflow?

I took the base files for the policy from the starter pack:
https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/tree/main/LocalAccounts
I don't know how to check layout versions in the portal, but in "TrustFrameworkBase.xml" I see content definitions with a DataUri like
<DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>

I haven't made any changes to the base policy file.

Also if you remove the OrchestrationStep 1 section, do you still see this error?

I overrode "AAD-UserReadUsingObjectId", replaced step 1, and it started working.
The final policy file looks like this:

 <TechnicalProfile Id="AAD-UserReadUsingObjectId">
     <Metadata>
         <!-- Enables claim resolvers (e.g. {Policy:...}) in this profile's input and output claims -->
         <Item Key="IncludeClaimResolvingInClaimsHandling">true</Item>
     </Metadata>
     <InputClaims>
         <!-- objectId of the user to read, supplied as a fixed default value -->
         <InputClaim ClaimTypeReferenceId="objectId" DefaultValue="GUID of registred user"
                     AlwaysUseDefaultValue="true"/>
     </InputClaims>
     <OutputClaims>
         <OutputClaim ClaimTypeReferenceId="objectId" DefaultValue="GUID of registred user"
                      AlwaysUseDefaultValue="true"/>
     </OutputClaims>
 </TechnicalProfile>

The journey contains only the last 2 steps.

Thank you so much for your help!


Thanks for confirming that it is working! Do you need any additional help with this?


Yes, I still don't understand what this error means and how to avoid it. Could you please explain it? I didn't find an answer about it in the documentation.