Microsoft Security | Microsoft Entra | Microsoft Entra External ID
Managing external identities to enable secure access for partners, customers, and other non-employees
Entra External ID: Federated email claim not present in OnAttributeCollectionStart/Submit payload
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 21%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYB%3C/text%3E%3C/svg%3E)
Yuliia Bashko
80
Reputation points
We are using a federated OIDC identity provider with Microsoft Entra External ID.
The email claim is successful:
- returned from the IdP
- mapped via OIDC claim mapping (
email -> email) - correctly prefilled in the UI during sign-up
However, email is not present in:
-
OnAttributeCollectionStart -
OnAttributeCollectionSubmit
payloads.
Expected Behavior
If email:
- is provided by the IdP
- is mapped via OIDC claim mapping
- is used to prefill the UI
then it should also be available in:
userSignUpInfo.attributes.email
in custom authentication extension payloads.
Actual Behavior
Email is missing from the payload:
"userSignUpInfo": {
"attributes": {
"displayName": "...",
"givenName": "...",
"surname": "..."
},
"identities": [
{
"signInType": "federated",
"issuerAssignedId": "<redacted>"
}
]
}
Key Observation (Important)
If we map email to another attribute (for example, postalCode or streetAddress):
"postalCode": {
"value": "user@example.com"
}
Then the value does appear in the payload.
This proves:
- the IdP sends email
- the mapping works
- the payload can carry the value
But the email attribute is specifically excluded.
Repro Steps
- Configure the OIDC IdP.
- Map:
email -> email - Enable Email in the user flow attributes.
- Add a Custom Authentication Extension (Start + Submit).
- Trigger a federated sign-up.
Result:
- UI shows email
- Payload does not contain email
Additional Context
- Protocol: OAUTH2.0
- signInType: federated
- issuerAssignedId: non-email opaque ID (expected for this IdP)
Sanitized Payload Sample
{
"type": "microsoft.graph.authenticationEvent.attributeCollectionSubmit",
"data": {
"userSignUpInfo": {
"attributes": {
"displayName": "Test User",
"givenName": "Test",
"surname": "User"
},
"identities": [
{
"signInType": "federated",
"issuer": "https://login.live.com<tenant>",
"issuerAssignedId": "<redacted>"
}
]
}
}
}
Business Impact
- Cannot access email inside the custom authentication extension.
- Blocks validation and enrichment scenarios.
- Forces workarounds using incorrect attributes (e.g.
postalCode).
Questions to Microsoft
- Is this expected behavior for federated users?
- Why is
emailexcluded from the payload while other mapped attributes are included? - Is there a supported way to access the federated email in:
-
OnAttributeCollectionStart -
OnAttributeCollectionSubmit
-
We suspect this might be a limitation or bug specific to the email attribute handling in External ID custom authentication extensions, since other mapped attributes behave as expected.
Microsoft Security | Microsoft Entra | Microsoft Entra External ID
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 10%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Shubham Sharma 14,500 Reputation points Microsoft External Staff Moderator2026-04-17T15:11:32.7566667+00:00 Hello Yuliia Bashko
Thank you for reaching out to Microsoft Q&A.
It looks like you’ve hit a gap in how Entra External ID surfaces the built-in email attribute in custom auth extension events when you’re doing a federated OIDC sign-up. Here’s the short of it:
• What’s happening
– Your IdP is correctly returning an email claim and you’ve mapped it in your user flow.
– The sign-up UI shows it, but the same email field is deliberately omitted from the payloads for the OnAttributeCollectionStart and OnAttributeCollectionSubmit events.
– You proved it only by mapping it to something else (postalCode), at which point it shows up.
• Why
– At this time, the “email” built-in user attribute in External ID flows is only fully wired through for local (username/password) sign-ups and for token issuance events. It’s not surfaced to the attribute-collection extension hooks for federated flows.
– Basically, email is treated as a “reserved” attribute and isn’t passed along in those two extension event payloads.
• Workarounds
- Map the incoming email claim to a custom or extension attribute (e.g. userDefinedEmail), include it in your user flow, and then read that in your extension.
- Move your logic to the Pre-Token-Generation extension point (the microsoft.graph.authenticationEvent.tokenIssuanceStart event). In that event payload you’ll see all incoming claims (including federated email) in event.data.requestContext.claims.
- As a last resort, after sign-up you could call Microsoft Graph from your extension (with the proper Graph-API permissions) to pull the user’s mail property, but that adds latency and complexity.
Reference docs
- Custom authentication extensions overview https://learn.microsoft.com/azure/api-management/api-management-howto-entra-external-id
- Built-in and custom user attributes in External ID https://learn.microsoft.com/azure/active-directory/external-identities/customers/how-to-define-custom-attributes
- Adding business logic with custom extensions https://learn.microsoft.com/azure/active-directory/external-identities/customers/concept-custom-extensions
Let us know the above steps helps
Thanks
-
Yuliia Bashko 80 Reputation points
2026-04-20T06:59:15.8133333+00:00 The option with custom or extension attribute (e.g. userDefinedEmail) seams great idea.
The problem is I do not understand how I can map email claim to userDefinedEmail, as for me, extension attribute is more about adding additional information about the user using custom extension events. Mapping federated claims is configured on the OIDC provider configuration, and I do not see how to add a custom extension attribute there.
Can you help me here? -
Shubham Sharma 14,500 Reputation points Microsoft External Staff Moderator
2026-04-20T15:00:54.02+00:00 Thank you for your reply.
I am checking with the internal team and get back to you shortly.
-
-
Shubham Sharma 14,500 Reputation points Microsoft External Staff Moderator
2026-04-21T16:15:20.96+00:00 Thank you for your reply.
Claim mapping (IdP → attributes) and custom authentication extensions are two different plumbing layers, and extension attributes are not populated by extensions — they can be populated before extensions run if wired correctly.
Below is the resolution
What actually works: -
You can map a federated IdP
emailclaim into a custom user attribute (for exampleuserDefinedEmail) without using extensions at all.You do this by:
- Creating a custom user attribute
- Selecting that attribute in the User Flow
- Mapping the IdP claim → that custom attribute in the IdP configuration
- Reading it in
OnAttributeCollectionStart / Submit
This is explicitly supported and is how Microsoft expects you to pass federated values into extension payloads.
Why it is confusing
You’re absolutely right that:
- Extensions feel like the place where “custom attributes” belong
- IdP claim mapping UI doesn’t visually distinguish built‑in vs custom attributes well
But in External ID:
- Extensions do not “create” attributes
- User flows own the attribute schema
- IdP claim mapping can target both built‑in and custom attributes You’re absolutely right that:
- Extensions feel like the place where “custom attributes” belong
- IdP claim mapping UI doesn’t visually distinguish built‑in vs custom attributes well
Below is the solution:-
- Create a custom user attribute
In Microsoft Entra admin center:
External Identities
→ Custom user attributes
→ Add
Example:
Name: userDefinedEmail
Data type: String
2 Add the attribute to your user flow
External Identities
→ User flows
→ Your sign-up/sign-in flow
→ User attributes
Select:
userDefinedEmail
This makes the attribute:
Available to the flow
Writable during sign-up
Available to extensions
3 Map the federated email claim → custom attribute
This is the step you were missing
External Identities
→ Identity providers
→ Your OIDC provider
→ Attribute mapping
Add or update mapping:
IdP claim User attribute emailuserDefinedEmailthe IdP mapping UI allows mapping to any user-flow-enabled attribute, including custom ones.
https://learn.microsoft.com/en-us/entra/external-id/claims-mapping
Read it inside the extension payload
Now your extension will receive it:
"userSignUpInfo": {"attributes": {"displayName": "Test User","givenName": "Test","surname": "User","userDefinedEmail": "user@example.com"}}This works because:
- Custom attributes are not reserved
- Attribute-collection extensions are designed to surface them
Why email behaves differently
Microsoft currently treats email as a protected, system attribute:
Shown in UI - True
Used for account linking -True
Available in token issuance -True
Not exposed to attribute-collection extensions for federated flows -False
This limitation does not apply to:
Custom user attributes
Extension attributes
Token issuance events (tokenIssuanceStart)
What you observed (email appearing when mapped to postalCode) is the expected side effect of this rule.
-
Yuliia Bashko 80 Reputation points
2026-04-22T15:09:11.8566667+00:00 Thanks for the information. I will try it and write back to you.
From time to time, the External Entra ID Api issue occurs
e.g
graph error 404 PATCH https://graph.microsoft.com/beta/identity/identityProviders/xxxx: "error":"code":"AADB2C90063","message":"There is a problem with the service."Portal is glitching too
Can you help me upderstand whats is going on? I have a production release in 2 weeks, and the External Entra ID does not seem to be stable. -
Yuliia Bashko 80 Reputation points
2026-04-23T08:27:42.3666667+00:00 Hi Shubham Sharma
Please write me back -
Shubham Sharma 14,500 Reputation points Microsoft External Staff Moderator
2026-04-23T10:24:26.65+00:00 Thank you for your reply.
I am checking with the internal team and i will get back to you shortly.
-
Yuliia Bashko 80 Reputation points
2026-04-23T12:09:05.26+00:00 Shubham Sharma
Returning to claims:
Due to doc https://learn.microsoft.com/en-us/entra/external-id/customers/reference-oidc-claims-mapping-customers
Only default claims can be mapped from oidc provider
As I expected api request failed
-
Shubham Sharma 14,500 Reputation points Microsoft External Staff Moderator
2026-04-24T11:08:24.86+00:00 Thank you for your reply.
1. What is going on with the Graph API / portal instability?
Your observed errors
404 / AADB2C90063 – There is a problem with the service
Portal UX glitches while editing External Identities → Identity providers
400 Bad Request with
“The 'identityProviderDelta' field is invalid in request”
What this means (important)
You are calling the Microsoft Graph beta endpoint:
PATCH
https://graph.microsoft.com/beta/identity/identityProviders/{id}Microsoft explicitly treats External ID identity provider management as preview/beta, and beta APIs:
- Have no SLA
- Can change behavior or validation rules without notice
- Often surface generic service errors when the request body violates undocumented constraints
This aligns exactly with:
- intermittent success
- portal + API desync
- opaque service errors
This is expected behavior for beta External ID APIs and not an indication that your tenant is broken.
2. Why your PATCH request fails (root cause)
Your failing mapping (from screenshot)
"inboundClaimMapping": {"email": "email","email_verified": "email_verified","userDefinedEmail": "email","family_name": "family_name",...}Why this is rejected
According to Microsoft documentation:
Only standard OpenID Connect claims can be mapped in OIDC provider claim mapping.
Mapping directly to arbitrary custom attributes is not supported via the OIDC claim mapping schema.
Microsoft Learn clearly lists the only supported mappings:
email
given_name
family_name
name
phone_number
address-related claims and maps them to user flow attributes, not arbitrary Graph user properties.
The mapping table shows fixed OIDC standard claims → user flow attributes. There is no support for mapping directly to extension attributes here.
Why the API error message is misleading
The service internally validates the payload, notices an unsupported mapping target, and fails deep in the identityProvider delta pipeline — resulting in: "The 'identityProviderDelta' field is invalid"
This is not documented, but it is the current service behavior.
3. Key clarification (this removes the confusion)
What does not work
Mapping IdP claims directly to extension/custom attributes via Graph OIDC mapping
Example that fails:
"userDefinedEmail": "email"Below is the supported resolution
The mapping happens via the User Flow schema, not Graph directly
You can map IdP claims → custom attributes
But only after the custom attribute is:
- Created
- Enabled in the user flow
Then the IdP UI/engine allows the mapping.
Microsoft confirms that user flows own the attribute schema, not extensions or Graph patch calls.
https://learn.microsoft.com/en-us/entra/external-id/customers/how-to-define-custom-attributes
Do NOT use Graph PATCH for this
Avoid using /beta/identity/identityProviders for claim mapping changes close to production.
Supported configuration path
Step 1 – Create the custom attribute
External Identities → Custom user attributes → Add → userDefinedEmail (String)
Step 2 – Enable it in the user flow
External Identities → User flows → User attributes → Select userDefinedEmail
This step is mandatory — without it, the attribute is invisible to mappings.
Step 3 – Map using Portal UI
External Identities → Identity providers → OIDC provider → Attribute mapping
Map:
IdP claim: email
User attribute: userDefinedEmail
5. Why email is special
Microsoft treats email as a protected system attribute.
Behavior summary:
Scenario Email available UI prefill ✅ Account creation ✅ Token issuance ✅ AttributeCollection extensions (federated) ❌ Custom attributes ✅ This explains why:
- email →
postalCodeworks - email →
userDefinedEmailworks via user flow - email →
emaildoes not surface in extension events
This is consistent with current platform behavior and not a bug.
-
Shubham Sharma 14,500 Reputation points Microsoft External Staff Moderator
2026-04-28T15:49:21.9366667+00:00 Thank you for replying in private message.
The configuration can only be done through the Portal UI, after the attribute is enabled in the user flow.
-
Shubham Sharma 14,500 Reputation points Microsoft External Staff Moderator
2026-05-05T07:34:48.3933333+00:00 Following up to see if the provided resolution in private message was helpful. If you have any further queries do let us know.
Sign in to comment
Sign in to answer