docs: Email not required for external IdP sign-up#1980
Conversation
Add new section to OIDC federation article documenting how to make email not required for sign-up with external identity providers. Update claims mapping reference to reflect email can be optional. Related: AB#3293175 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@nanguil : Thanks for your contribution! The author(s) and reviewer(s) have been notified to review your proposed change.
Learn Build status updates of commit 4bc1ae7: ✅ Validation status: passed
For more details, please refer to the build report.
PRMerger Results
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Learn Build status updates of commit 2b87cc4: ✅ Validation status: passed
For more details, please refer to the build report.
PRMerger Results
Hi @nanguil - This pull request was opened in the public repo. PMs should work in the private repo, per the Microsoft Docs contributor guide. We can keep this PR open for review and merge, but would you make future content updates in the private repo? Thank you! Can you review the proposed changes? IMPORTANT: When the changes are ready for publication, adding a #label:"aq-pr-triaged"
Pull request overview
Adds documentation for making the email claim optional during external OpenID Connect (OIDC) identity provider (IdP) sign-up in Microsoft Entra External ID, and updates related claim-mapping guidance.
Changes:
- Adds a new “Make email optional for external IdP sign-up” section with Microsoft Graph steps and MFA/limitation notes.
- Updates the OIDC claims mapping reference to clarify `email` default requirements and the impact of making email optional.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 10 comments.
| File | Description |
|---|---|
| docs/external-id/customers/how-to-custom-oidc-federation-customers.md | Adds new guidance for configuring email as optional in a user flow via Microsoft Graph, plus related MFA and limitations notes. |
| docs/external-id/customers/reference-oidc-claims-mapping-customers.md | Updates email / email_verified claim descriptions to reflect optional-email configuration behavior. |
| - Given name | ||
| - Family name | ||
| - Email (required) | ||
| - Email (required by default; can be [made optional](how-to-custom-oidc-federation-customers.md#make-email-optional-for-external-idp-sign-up)) |
| ## Make email optional for external IdP sign-up | ||
|
|
||
| By default, an email address is required when users sign up with an external identity provider. If your external IdP doesn't emit an email claim, users encounter the error `AADSTS901011: No email address was obtained from the external oidc identity provider` during sign-up. To avoid this error, you can configure your user flow to make the email attribute optional. This allows users to complete sign-up using only their external IdP identity, without providing an email address. |
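Review bot: The opening paragraph of the new section states only the benefit of making email optional ("complete sign-up using only their external IdP identity"), while the review overview says the same change adds MFA and limitation notes further down. Add one sentence here that points readers to those notes, so an admin who changes the user flow sees the trade-off before following the Microsoft Graph steps rather than after.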
| |email (required by default)|Email|Preferred e-mail address. Email is required by default, but you can [make it optional](how-to-custom-oidc-federation-customers.md#make-email-optional-for-external-idp-sign-up) for external IdP sign-up scenarios.| | ||
| |email_verified|N/A|Indicates whether the identity provider has verified the end-user's e-mail address. `true` means the identity provider took affirmative steps to ensure the e-mail address was controlled by the end-user at the time the verification was performed. When email is required (the default), a verified email is needed for account creation — if `email_verified` is false, missing, or not mapped, account creation fails. If you've [configured email as optional](how-to-custom-oidc-federation-customers.md#make-email-optional-for-external-idp-sign-up), this claim is not required for account creation.| |
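Review bot: The `email_verified` row fully covers the required-email case but leaves one optional-email case undefined: when email has been [configured as optional] and the IdP does send an `email` claim whose `email_verified` is false or not mapped, the text should say whether that address is stored on the account, stored but treated as unverified, or discarded. That distinction matters for anything that later relies on the Email attribute. Also, the em dash in "account creation — if `email_verified` is false" should be a period or semicolon to match the style of the other rows.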
| |family_name|Last Name|Surname(s) or family name of the end-user.| | ||
| |email (required)|Email|Preferred e-mail address.| | ||
| |email_verified|N/A|In the received ID token, the value of this claim is true if the end-user's e-mail address has been verified by the identity provider; otherwise, false. When this claim value is true, this means that your identity provider took affirmative steps to ensure that this e-mail address was controlled by the end-user at the time the verification was performed. If this claim value is false or not mapped to any claim from the identity provider, the user will not be able to create an account. A verified email address is required for account creation. If the email is missing or unverified, an error message appears.| | ||
| |email (required by default)|Email|Preferred e-mail address. Email is required by default, but you can [make it optional](how-to-custom-oidc-federation-customers.md#make-email-optional-for-external-idp-sign-up) for external IdP sign-up scenarios.| |
Summary
Adds documentation for the Email not required for External IdP signups feature.