Microsoft azure AD user created with no email

I created the azure AD enterprise connection according to auth0’s docs.
As i’m testing this connection, I see that the users created have no email at all, the closest there is the ‘upn’ attribute in the json part of the users which holds the email.

That’s my azure ad connection config in auth0:

I don’t want to resort to updating the email via auth0 api, something could be blocking auth0 from getting the email, or auth0 is configured not to take the email, not sure which…

Thank you!

1 Like

Hey @giladweiss, Welcome to the Auth0 Community!

In Azure AD you have two separate claims, the upn and the email.

Have you added email in the “Token Configuration” section in the Azure AD Portal.
It can be added as the optional claims(to the ID token) in the “Token Configuration” section

Regards,
Sid

1 Like

Hey Sid

Yes, I have set the email.

And now it is working, the problem was with my testing user’s configuration.

My problem now is to set the email if it is missing, so I tried with this code in a rule:

function (user, context, callback) {
  if (!user.email && user.upn) {
    user.email = user.upn;
  }

  callback(null, user, context);
}

But the email is still not set when I look at the user’s page.
Only difference this makes is by adding the email to the "Last time you sign with:"


Without my code above it show instead AZURETEST (the name).

How do I affectively set the email?

Hey, I tried also with the API but got this error:

{
    "statusCode": 400,
    "error": "Bad Request",
    "message": "Cannot update email for this user",
    "errorCode": "operation_not_supported"
}

All I try is to set the upn to the email property

Hey @giladweiss,

We don’t allow updating the email for the user coming from an External IDP, since
we are not the IDP.

Did you try to log in the user again?

Ideally, if the “Sync user profile attributes at each login” Setting of the connection is enabled it should resync the attributes.

Regards,
Sid

I am seeing exactly the same thing - did you ever find the solution to this?

I added these optional claims on the Azure app:

But on first signup, the email field is not populated - only the upn extended attribute contains the email.

1 Like

Just adding some extra info here.

I am only seeing this problem occur on Azure Active Directory accounts that are using custom domains. Default Microsoft *.onmicrosoft.com seem to set the email address correctly without even adding optional claims to the ID token (or enabling “Extended Profile” in the Azure AD connection in Auth0)

I found the problem, a misconfiguration in my test Azure AD instance.

The test user did not have a license assigned to them and no mailbox. Get this when trying to access mailbox on outlook.com:

If this happens, the email address does not propagate through.

2 Likes

Thanks for sharing it with the rest of community!

Hi @tyrone.erasmus,

I am facing the same problem.

Would you mind sharing some details about how to get upn in Auth0 profile or set the user email with the info in upn?

Thanks a lot!

3 Likes

Same issue here, glad if you can help :slight_smile:

2 Likes

It looks we need to use the auth-pipeline rules to add an email to the access token even though if you do this the backend (we use .net) will fail the token validation.

Anyone had the same issue?

1 Like

I had the same problem: when logging with Azure AD, Auth0 was not able to retrieve / store the email (but the UPN was).

I finally realize that the user I used to perform login tests had no email property on Azure side. :open_mouth: So I added one (the same as the UPN in my case) via the Microsoft Entra ID dashboard (Users > {the user you want to edit} > Properties > Edit “Contact information” > Save with an email).