Overview
This article discusses the situation where a user logging in through an Azure AD (Entra ID) connection does not get an email included in the resulting Auth0 user profile.
Applies To
- Azure AD (Entra ID) Connections
- User Profile
- Actions
Cause
The most likely cause is that the user has no email property populated in Azure AD, so there is nothing for the email claim to carry. In some Azure tenants only the User Principal Name (UPN) is configured for users.
Solution
Add Claims by Configuration
Follow these steps:
- Check in the Azure Portal whether the user has an Email property populated.
- If it does, navigate to Azure AD (Microsoft Entra ID) > App registrations > select the application used by the Auth0 connection > Token configuration.
- Add the upn and email optional claims to the ID token (described in the following table). If the user has no email property at all, the claim will still be empty; in that case map the UPN into the email attribute as described in the sections below.
CLAIM | DESCRIPTION |
---|---|
email | The addressable email for this user, if the user has one |
groups | Optional formatting for group claims |
upn | An identifier for the user that can be used with the username_hint parameter |
Add Claims using Actions
To map the UPN claim into the user's email attribute with an Action, read the UPN value from `event.user.upn`.
For the UPN to be available in the Action, make sure Extended Attributes are enabled in the Auth0 Azure AD connection configuration; the UPN is not passed through to the user profile otherwise.
Once the UPN has been retrieved, send a PATCH request to the Management API Update a User endpoint (PATCH /api/v2/users/{id}) to write it into the user's email attribute.
Ensure Sync user profile attributes at each login is disabled on the connection so that the PATCH is accepted. While it is enabled, root user profile attributes (email among them) cannot be updated through the Management API.
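The following is an added example of such an Action, not code from the article or from Auth0. It assumes the `auth0` Node SDK (v4, where the client exposes `users.update`; v3 names the call `updateUser`) is added as a dependency of the Action, and that the secrets DOMAIN, CLIENT_ID and CLIENT_SECRET belong to a machine-to-machine application authorized for the Management API with the `update:users` scope. The sample login event at the end is constructed, and the optional third parameter of the handler is an addition for testing that the real Actions runtime never passes.

```javascript
// Added example, not the article's own code: an Auth0 post-login Action that
// writes the Azure AD UPN into the user's email attribute when Azure supplied
// no email. Assumptions: the `auth0` Node SDK (v4, where the client exposes
// `users.update`) is added as an Action dependency, and the secrets DOMAIN,
// CLIENT_ID and CLIENT_SECRET belong to a machine-to-machine application
// authorized for the Management API with the `update:users` scope.

// Decide whether this login needs the UPN-to-email fix. Returns null when
// nothing should change, otherwise the body to PATCH onto the user.
function buildEmailPatch(event) {
  // Only the Azure AD strategy ('waad') carries a UPN; leave other logins alone.
  if (!event.connection || event.connection.strategy !== 'waad') return null;
  // Nothing to do when Azure already provided an email.
  if (event.user.email) return null;
  // event.user.upn exists only when Extended Attributes is enabled on the connection.
  const upn = event.user.upn;
  if (typeof upn !== 'string') return null;
  // A UPN has the form user@domain; refuse anything not email-shaped so a
  // malformed value never becomes the user's email address.
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(upn)) return null;
  return { email: upn };
}

// Build a Management API client from the Action's secrets on first use.
function createManagementClient(event) {
  const { ManagementClient } = require('auth0');
  return new ManagementClient({
    domain: event.secrets.DOMAIN,
    clientId: event.secrets.CLIENT_ID,
    clientSecret: event.secrets.CLIENT_SECRET,
  });
}

// Action entry point. Auth0 calls it with (event, api); the optional third
// parameter is an addition here so a stand-in client can be passed in tests.
async function onExecutePostLogin(event, api, management) {
  const patch = buildEmailPatch(event);
  if (!patch) return null;
  const client = management || createManagementClient(event);
  // PATCH /api/v2/users/{id}. This fails while "Sync user profile attributes
  // at each login" is enabled on the connection, because root attributes of
  // a synced profile cannot be updated through the Management API.
  await client.users.update({ id: event.user.user_id }, patch);
  return patch;
}

// Constructed sample login (not real tenant data) run against a stand-in
// client that records the PATCH instead of calling Auth0.
async function demo() {
  const calls = [];
  const fakeClient = {
    users: { update: async (params, body) => { calls.push({ params, body }); return body; } },
  };
  const event = {
    connection: { name: 'azure-ad', strategy: 'waad' },
    user: { user_id: 'waad|0123', upn: 'jdoe@contoso.onmicrosoft.com' },
    secrets: {},
  };
  const patch = await onExecutePostLogin(event, {}, fakeClient);
  return { patch, calls };
}

// In the Actions editor the handler is exported under this name.
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```

The PATCH updates the stored profile, so the email appears in the profile and in tokens from the next login onward; the ID token issued in the transaction that ran the Action was built from the profile as it was loaded. Restricting the fix to the `waad` strategy and to profiles with no email keeps the Action from overwriting an email another connection legitimately supplied.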
Add Claims by Rules
Alternatively, add the following line to a Rule to map UPN as Email. Note that Rules are deprecated in favor of Actions, and that this only sets the email on the user object for the current login transaction; it is not persisted to the stored profile the way the Management API PATCH above is.

```javascript
// Inside the Rule function body: keep an existing email, otherwise fall back to the UPN.
user.email = user.email || user.upn;
```