Search code examples
azureazure-active-directorykeycloakkeycloak-serviceskeycloak-connect

Keycloak: Map email from Azure AD to auto created Keycloak Users

I have added the Microsoft Active Directory as an identity provider as shown below

enter image description here

and configured the Authentication flow to automatically create the user(s)

enter image description here

Mapper is configured to Map the user to a Role based on the claims

enter image description here

Everything works till this part, Users are getting created/added automatically

enter image description here

However, Email column is empty.

I want to automatically populate the Email, so added the required claims in Azure AD as shown below

enter image description here

and I see the optionally added claims(i.e. preferred_username & upn) in the ID JWToken

enter image description here

I tried to map the Claim to the user profile/attribute as shown below

enter image description here

However the "Email" column is not getting populated or updated any other attributes

enter image description here

What should I do to automatically create the user along with his/her Email populated?

Solution

  • the preferred_username claim is a part of the profile scope, do you have it in the list of scopes in your IDP configuration? e.g. Scopes list

    Also, you may use the standard scope email, then the claim email will be available in Keycloack.