Azure AD B2C custom policy set extension attribute value

I have a B2C custom policy sign-in UserJourney which checks whether the user requires a password reset on their first logon. We are using an extension attribute to do this, as B2C has a bug where the "forceChangePasswordNextLogin" value prevents the user from logging in at all.



Here is the sign-in user journey:



<UserJourney Id="SignUpOrSignInSaml">
<OrchestrationSteps>
<OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
<ClaimsProviderSelections>
<ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninUsernameExchange" />
</ClaimsProviderSelections>
<ClaimsExchanges>
<ClaimsExchange Id="LocalAccountSigninUsernameExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Username" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="2" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimsExist" ExecuteActionsIf="true">
<Value>objectId</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="SignUpWithLogonUsernameExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonName" />
</ClaimsExchanges>
</OrchestrationStep>
<!-- This step reads any user attributes that we may not have received when in the token. -->
<OrchestrationStep Order="3" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="4" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimEquals" ExecuteActionsIf="false">
<Value>extension_ChangePasswordRequired</Value>
<Value>true</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="NewCredentials" TechnicalProfileReferenceId="LocalAccountWritePasswordChangeUsingObjectId" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="5" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="UpdatePasswordResetValue" TechnicalProfileReferenceId="LocalAccountUpdatePasswordResetStateValue" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="6" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="Saml2AssertionIssuer" />
</OrchestrationSteps>
<ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>


Step 4 in the UserJourney evaluates whether the extension attribute "extension_ChangePasswordRequired" is set to "true" and will prompt the user to change their password if it reads "true". This is working fine.



Step 5 is then used to update the extension attribute to something other than "true" so the user isn't prompted again at next login; however, this doesn't seem to be working.



Here is my "LocalAccountUpdatePasswordResetStateValue" TechnicalProfile:



<TechnicalProfile Id="LocalAccountUpdatePasswordResetStateValue">
<DisplayName>Update Password Set Value</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="extension_ChangePasswordRequired" Required="true" />
</OutputClaims>
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="SetPasswordResetStatus" />
</OutputClaimsTransformations>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>


And here is the output claims transformation that it is calling:



<ClaimsTransformation Id="SetPasswordResetStatus" TransformationMethod="FormatStringClaim">
<InputClaims>
<InputClaim ClaimTypeReferenceId="extension_ChangePasswordRequired" TransformationClaimType="inputClaim" />
</InputClaims>
<InputParameters>
<InputParameter Id="stringFormat" DataType="string" Value="abc123" />
</InputParameters>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="extension_ChangePasswordRequired" TransformationClaimType="outputClaim" />
</OutputClaims>
</ClaimsTransformation>


The policies pass validation at upload time; however, the extension attribute isn't set on the user after a password reset.



Does anyone know what I'm doing wrong here or if there is a better way of achieving this?



-----Update-----



I'm successfully able to write a value to a different extension attribute via a persisted claim, as seen here:



<TechnicalProfile Id="AAD-UserUpdateStateValue">
<Metadata>
<Item Key="Operation">Write</Item>
<Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">false</Item>
<Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
</Metadata>
<IncludeInSso>false</IncludeInSso>
<InputClaims>
<InputClaim ClaimTypeReferenceId="objectId" Required="true" />
</InputClaims>
<PersistedClaims>
<!-- Required claims -->
<PersistedClaim ClaimTypeReferenceId="objectId" />
<!-- Optional claims -->
<PersistedClaim ClaimTypeReferenceId="extension_Flag" DefaultValue="abc1234567"/>
</PersistedClaims>
<IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>


However, as mentioned by Chris in this post, this doesn't work if I have read the claim in a previous step.

Tags: azure-ad-b2c

asked Nov 10 at 8:44 by Brady, edited Nov 11 at 4:00

1 Answer

Accepted answer:

          The DefaultValue attribute is effective if and only if the claim value isn't set.



          To force the use of a default value, set the AlwaysUseDefaultValue attribute to true:



          <PersistedClaim ClaimTypeReferenceId="extension_ChangePasswordRequired" DefaultValue="true" AlwaysUseDefaultValue="true" />


          In your particular case, you should set the extension_ChangePasswordRequired claim to this default value in the AAD-UserWritePasswordUsingObjectId technical profile as the new password is written:



          <TechnicalProfile Id="AAD-UserWritePasswordUsingObjectId">
          <Metadata>
          <Item Key="Operation">Write</Item>
          <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
          </Metadata>
          <IncludeInSso>false</IncludeInSso>
          <InputClaims>
          <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
          </InputClaims>
          <PersistedClaims>
          <PersistedClaim ClaimTypeReferenceId="objectId" />
          <PersistedClaim ClaimTypeReferenceId="newPassword" PartnerClaimType="password" />
          <PersistedClaim ClaimTypeReferenceId="extension_ChangePasswordRequired" DefaultValue="true" AlwaysUseDefaultValue="true" />
          </PersistedClaims>
          <IncludeTechnicalProfile ReferenceId="AAD-Common" />
          </TechnicalProfile>


          You can then remove orchestration step 5 from the user journey.

          • once again you've solved my B2C policy issue. Thanks so much!
            – Brady
            Nov 13 at 1:07
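Added example, not code from the question, the answer or Microsoft: a small Python lint that applies the rule the answer states (DefaultValue on a PersistedClaim only takes effect when the claim is not already set) to a policy file. It flags any PersistedClaim carrying DefaultValue without AlwaysUseDefaultValue="true" whose claim is also an OutputClaim of an Operation=Read technical profile anywhere in the policy, and a second function rewrites those claims with the answer's fix. The embedded policy fragment is constructed for this example; the technical profile Ids match the ones on the page, but the read profile's OutputClaims and the DefaultValue of "false" are assumptions, since the question does not show them.

```python
"""Lint an Azure AD B2C custom policy for PersistedClaims whose DefaultValue
would be silently ignored.  Added example; not code from the question, the
answer or Microsoft.  Rule applied (from the answer): DefaultValue takes
effect only when the claim is not already set, so a claim that a Read
technical profile has output into the claims bag needs
AlwaysUseDefaultValue="true" to be overwritten."""
import xml.etree.ElementTree as ET

B2C_NS = "http://schemas.microsoft.com/online/cpim/schemas/2013/06"
ET.register_namespace("", B2C_NS)  # keep the default namespace when re-serialising

# Constructed sample policy fragment.  The read profile's OutputClaims are an
# assumption (the question does not show them); the write profile uses the
# DefaultValue-only form that the answer says is ignored for a claim already set.
SAMPLE_POLICY = f"""<TrustFrameworkPolicy xmlns="{B2C_NS}">
  <ClaimsProviders><ClaimsProvider><TechnicalProfiles>
    <TechnicalProfile Id="AAD-UserReadUsingObjectId">
      <Metadata><Item Key="Operation">Read</Item></Metadata>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" />
        <OutputClaim ClaimTypeReferenceId="extension_ChangePasswordRequired" />
      </OutputClaims>
    </TechnicalProfile>
    <TechnicalProfile Id="AAD-UserWritePasswordUsingObjectId">
      <Metadata><Item Key="Operation">Write</Item></Metadata>
      <PersistedClaims>
        <PersistedClaim ClaimTypeReferenceId="objectId" />
        <PersistedClaim ClaimTypeReferenceId="newPassword" PartnerClaimType="password" />
        <PersistedClaim ClaimTypeReferenceId="extension_ChangePasswordRequired" DefaultValue="false" />
        <PersistedClaim ClaimTypeReferenceId="extension_Flag" DefaultValue="abc1234567" />
      </PersistedClaims>
    </TechnicalProfile>
  </TechnicalProfiles></ClaimsProvider></ClaimsProviders>
</TrustFrameworkPolicy>"""


def _local(tag):
    """Strip the namespace prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _operation(profile):
    """Return the text of <Item Key="Operation"> inside a TechnicalProfile, or None."""
    for item in profile.iter():
        if _local(item.tag) == "Item" and item.get("Key") == "Operation":
            return (item.text or "").strip()
    return None


def find_ignored_defaults(policy_xml):
    """Return (technicalProfileId, claimTypeReferenceId) pairs whose DefaultValue
    will not be applied: the claim is output by a Read profile, so it is already
    set, and AlwaysUseDefaultValue is not "true"."""
    root = ET.fromstring(policy_xml)
    profiles = [e for e in root.iter() if _local(e.tag) == "TechnicalProfile"]

    # Every claim a Read profile places into the claims bag.
    read_claims = set()
    for tp in profiles:
        if _operation(tp) == "Read":
            read_claims.update(
                oc.get("ClaimTypeReferenceId")
                for oc in tp.iter() if _local(oc.tag) == "OutputClaim")

    findings = []
    for tp in profiles:
        for pc in tp.iter():
            if _local(pc.tag) != "PersistedClaim" or pc.get("DefaultValue") is None:
                continue
            always = pc.get("AlwaysUseDefaultValue", "false").lower() == "true"
            claim = pc.get("ClaimTypeReferenceId")
            if not always and claim in read_claims:
                findings.append((tp.get("Id"), claim))
    return findings


def force_defaults(policy_xml):
    """Apply the answer's fix: set AlwaysUseDefaultValue="true" on each flagged
    PersistedClaim and return the rewritten policy XML."""
    flagged = set(find_ignored_defaults(policy_xml))
    root = ET.fromstring(policy_xml)
    for tp in root.iter():
        if _local(tp.tag) != "TechnicalProfile":
            continue
        for pc in tp.iter():
            if (_local(pc.tag) == "PersistedClaim"
                    and (tp.get("Id"), pc.get("ClaimTypeReferenceId")) in flagged):
                pc.set("AlwaysUseDefaultValue", "true")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for profile_id, claim in find_ignored_defaults(SAMPLE_POLICY):
        print(f'{profile_id}: DefaultValue on {claim} is ignored; add AlwaysUseDefaultValue="true"')
    print(force_defaults(SAMPLE_POLICY))
```

Run against the sample, the lint flags only extension_ChangePasswordRequired in AAD-UserWritePasswordUsingObjectId: extension_Flag also carries a DefaultValue, but no Read profile outputs it, which is why the questioner's AAD-UserUpdateStateValue profile worked for that claim and not for the one read in step 3. The lint checks membership in any Read profile rather than orchestration order, so it can over-report in policies where a Read profile exists but is never run before the write.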













          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53237370%2fazure-ad-b2c-custom-policy-set-extension-attribute-value%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          1
          down vote



          accepted










          The DefaultValue attribute is effective if and only if the claim value isn't set.



          To force the use of a default value, set the AlwaysUseDefaultValue attribute to true:



          <PersistedClaim ClaimTypeReferenceId="extension_ChangePasswordRequired" DefaultValue="true" AlwaysUseDefaultValue="true" />


          In your particular case, you should set the extension_ChangePasswordRequired claim to this default value in the AAD-UserWritePasswordUsingObjectId technical profile as the new password is written:



          <TechnicalProfile Id="AAD-UserWritePasswordUsingObjectId">
          <Metadata>
          <Item Key="Operation">Write</Item>
          <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
          </Metadata>
          <IncludeInSso>false</IncludeInSso>
          <InputClaims>
          <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
          </InputClaims>
          <PersistedClaims>
          <PersistedClaim ClaimTypeReferenceId="objectId" />
          <PersistedClaim ClaimTypeReferenceId="newPassword" PartnerClaimType="password" />
          <PersistedClaim ClaimTypeReferenceId="extension_ChangePasswordRequired" DefaultValue="true" AlwaysUseDefaultValue="true" />
          </PersistedClaims>
          <IncludeTechnicalProfile ReferenceId="AAD-Common" />
          </TechnicalProfile>


          You can then remove orchestration step 5 from the user journey.






          share|improve this answer





















          • once again you've solved my B2C policy issue. Thanks so much!
            – Brady
            Nov 13 at 1:07

















          up vote
          1
          down vote



          accepted










          The DefaultValue attribute is effective if and only if the claim value isn't set.



          To force the use of a default value, set the AlwaysUseDefaultValue attribute to true:



          <PersistedClaim ClaimTypeReferenceId="extension_ChangePasswordRequired" DefaultValue="true" AlwaysUseDefaultValue="true" />


          In your particular case, you should set the extension_ChangePasswordRequired claim to this default value in the AAD-UserWritePasswordUsingObjectId technical profile as the new password is written:



          <TechnicalProfile Id="AAD-UserWritePasswordUsingObjectId">
          <Metadata>
          <Item Key="Operation">Write</Item>
          <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
          </Metadata>
          <IncludeInSso>false</IncludeInSso>
          <InputClaims>
          <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
          </InputClaims>
          <PersistedClaims>
          <PersistedClaim ClaimTypeReferenceId="objectId" />
          <PersistedClaim ClaimTypeReferenceId="newPassword" PartnerClaimType="password" />
          <PersistedClaim ClaimTypeReferenceId="extension_ChangePasswordRequired" DefaultValue="true" AlwaysUseDefaultValue="true" />
          </PersistedClaims>
          <IncludeTechnicalProfile ReferenceId="AAD-Common" />
          </TechnicalProfile>


          You can then remove orchestration step 5 from the user journey.






          share|improve this answer





















          • once again you've solved my B2C policy issue. Thanks so much!
            – Brady
            Nov 13 at 1:07















          up vote
          1
          down vote



          accepted







          up vote
          1
          down vote



          accepted






          answered Nov 12 at 9:13









          Chris Padgett

          5,620129
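A small lint helper that models the rule the accepted answer relies on (DefaultValue applies only when the claim is not already in the claims bag, AlwaysUseDefaultValue="true" forces it), so you can check a write profile before uploading it. This is an added example, not code from the answer or from the B2C policy framework; the policy fragment, the claims bag and the claim name extension_MustReset are constructed, and matching elements by local name so a namespaced TrustFrameworkExtensions fragment also parses is an assumption of the helper.

```python
"""Lint helper for B2C <PersistedClaims> (added example, constructed sample data).
DefaultValue is applied only when the claim is absent from the claims bag;
AlwaysUseDefaultValue="true" makes the write use DefaultValue regardless.
"""
import xml.etree.ElementTree as ET

# Constructed fragment: extension_MustReset (hypothetical name) has a DefaultValue
# but no AlwaysUseDefaultValue; extension_ChangePasswordRequired has both.
SAMPLE_PROFILE = """
<TechnicalProfile Id="AAD-UserWritePasswordUsingObjectId">
  <PersistedClaims>
    <PersistedClaim ClaimTypeReferenceId="objectId" />
    <PersistedClaim ClaimTypeReferenceId="newPassword" PartnerClaimType="password" />
    <PersistedClaim ClaimTypeReferenceId="extension_MustReset" DefaultValue="true" />
    <PersistedClaim ClaimTypeReferenceId="extension_ChangePasswordRequired"
                    DefaultValue="true" AlwaysUseDefaultValue="true" />
  </PersistedClaims>
</TechnicalProfile>
"""

def _persisted_claims(profile_xml):
    # Assumption: match on local name so a fragment carrying the policy's default
    # namespace (a real TrustFrameworkExtensions file) is handled as well.
    root = ET.fromstring(profile_xml.strip())
    return [el for el in root.iter() if el.tag.rsplit("}", 1)[-1] == "PersistedClaim"]

def resolve_persisted_claims(profile_xml, claims_bag):
    """Return {directory attribute name: value} the write profile would send,
    given the claims already in the bag (e.g. read by an earlier orchestration step)."""
    written = {}
    for pc in _persisted_claims(profile_xml):
        claim_id = pc.get("ClaimTypeReferenceId")
        target = pc.get("PartnerClaimType", claim_id)
        default = pc.get("DefaultValue")
        always = pc.get("AlwaysUseDefaultValue", "false").lower() == "true"
        if default is not None and (always or claim_id not in claims_bag):
            written[target] = default
        elif claim_id in claims_bag:
            written[target] = claims_bag[claim_id]
    return written

def find_ignored_defaults(profile_xml, claims_bag):
    """Claims whose DefaultValue is silently dropped because the bag already holds
    a value and AlwaysUseDefaultValue is not set: the symptom the question describes."""
    return [pc.get("ClaimTypeReferenceId") for pc in _persisted_claims(profile_xml)
            if pc.get("DefaultValue") is not None
            and pc.get("AlwaysUseDefaultValue", "false").lower() != "true"
            and pc.get("ClaimTypeReferenceId") in claims_bag]
```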