Tags: azure-ad-b2c-custom-policy, azure-ad-b2c

Lag in getting the new value of a custom attribute after updating it


We have two custom policies written for our application - verify_email and signup_sign_in policies. We send a welcome email out (we do not use OTP to verify the email during sign-up) to the user with a link to the verify_email custom policy. The link contains an id_token_hint signed by our certificate; the verify_email policy grabs the user principal from the id_token, gets the user from AAD, updates the email_verified custom attribute, then redirects the user to the application. This is a seamless process that doesn't show any UI to the user. The application will not recognize the tokens because they came from the verify_email policy, so it will redirect the user to the sign_up_sign_in policy in ADB2C, and ADB2C will see the current user session created by the verify_email policy and redirect the user back to the application with the claims needed, without requiring the user to explicitly log in.

What I have been seeing is that half of the time, the sign_up_sign_in policy will not get the latest value of the email_verified claim that was recently updated. It seems like there is a delay: when you write the claim to Azure AD and then read it, sometimes what you get is the old value. Is there something that can be done regarding this lag to make sure I get the proper value all the time? Thanks in advance.


Solution

  • This is due to replication delay in the regionally replicated DC infrastructure. There is nothing you can do to influence this delay. You need to consider this as part of your workflows/design - e.g., sign the user in using the id_token_hint journey; don't ask the user to log in again instantly. In this journey you'll have all the up-to-date claims.
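The following custom-policy fragment is an added example, not code from the original question or answer, and not a Microsoft sample. It shows the design the answer recommends: the verify_email journey writes the flag and then issues the application's token itself, carrying the value it just wrote forward in the claims bag instead of reading it back from a directory replica. The profile, journey and claim identifiers (AAD-UserWriteEmailVerifiedUsingObjectId, VerifyEmail, WriteEmailVerified, IdTokenHint_ExtractClaims, extension_email_verified) are assumed names; the extension attribute must already be declared as a ClaimType, and IdTokenHint_ExtractClaims stands for whatever profile in your policy validates the signed id_token_hint and outputs objectId.

```xml
<!-- Added example (not from the original post). Assumes a TrustFrameworkExtensions
     policy that already declares the extension_email_verified ClaimType and an
     id_token_hint validation profile named IdTokenHint_ExtractClaims that outputs objectId. -->

<ClaimsProvider>
  <DisplayName>Azure Active Directory</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="AAD-UserWriteEmailVerifiedUsingObjectId">
      <DisplayName>Mark the e-mail address as verified</DisplayName>
      <Metadata>
        <Item Key="Operation">Write</Item>
        <!-- Fail closed: the objectId carried in the id_token_hint must exist -->
        <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
      </Metadata>
      <IncludeInSso>false</IncludeInSso>
      <InputClaims>
        <!-- objectId comes from the signed id_token_hint, never from user input -->
        <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
      </InputClaims>
      <PersistedClaims>
        <PersistedClaim ClaimTypeReferenceId="objectId" />
        <PersistedClaim ClaimTypeReferenceId="extension_email_verified"
                        DefaultValue="true" AlwaysUseDefaultValue="true" />
      </PersistedClaims>
      <OutputClaims>
        <!-- Emit the value that was just written rather than re-reading it, so the
             token issued by this journey cannot observe a stale replica -->
        <OutputClaim ClaimTypeReferenceId="extension_email_verified"
                     DefaultValue="true" AlwaysUseDefaultValue="true" />
      </OutputClaims>
      <IncludeTechnicalProfile ReferenceId="AAD-Common" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<UserJourneys>
  <UserJourney Id="VerifyEmail">
    <OrchestrationSteps>
      <!-- 1. Validate the id_token_hint and pull objectId out of it -->
      <OrchestrationStep Order="1" Type="GetClaims"
                         CpimIssuerTechnicalProfileReferenceId="IdTokenHint_ExtractClaims" />
      <!-- 2. Persist the flag; its OutputClaim lands in the claims bag -->
      <OrchestrationStep Order="2" Type="ClaimsExchange">
        <ClaimsExchanges>
          <ClaimsExchange Id="WriteEmailVerified"
                          TechnicalProfileReferenceId="AAD-UserWriteEmailVerifiedUsingObjectId" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <!-- 3. Sign the user in from this journey instead of bouncing to sign_up_sign_in -->
      <OrchestrationStep Order="3" Type="SendClaims"
                         CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
    </OrchestrationSteps>
    <ClientDefinition ReferenceId="DefaultWeb" />
  </UserJourney>
</UserJourneys>

<!-- Relying party file for the verify_email policy: the application receives
     extension_email_verified from the claims bag populated in step 2. -->
<RelyingParty>
  <DefaultUserJourney ReferenceId="VerifyEmail" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
      <OutputClaim ClaimTypeReferenceId="extension_email_verified" PartnerClaimType="email_verified" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>
```

For this to replace the second redirect, the application has to accept tokens issued by the verify_email policy as well as by sign_up_sign_in (the policy name appears in the issued token, so the application's validation must allow both). The value of extension_email_verified in that token is then the one written in step 2, independent of how long replication takes; only a later journey that reads the user back from the directory, such as sign_up_sign_in, is exposed to the lag described in the answer.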