How to add specific JSON OptionalClaims

Jesus Guzman 41 Reputation points
2021-03-10T21:36:14.903+00:00

Hi all! I have an API that works fine when I authenticate my users. But I need to add specific optional claims to allow me to direct users into the application based on the claims Office, Job Title and Department. I have to edit this in the manifest, because I don't see the optional claims listed in the web portal. Unfortunately, this goes beyond my limited knowledge, as I am not an experienced developer. I ventured to try adding the claims I've found in some links, but I am not entering the right stuff. I did add one optional claim to get the last authentication time, but I am not sure if this section is the right one to enter the claims I need (Office, Job Title and Department), or what to enter to make it happen:

"optionalClaims": {
    "idToken": [
        {
            "name": "auth_time",
            "source": null,
            "essential": false,
            "additionalProperties": []
        }
    ],
    "accessToken": [],
    "saml2Token": []
}

Any guidance is appreciated.

J.Guzman


Accepted answer
  1. Siva-kumar-selvaraj 15,551 Reputation points
    2021-03-11T21:26:28.563+00:00

    Hello @Jesus Guzman ,

    Thanks for reaching out.

    Basic claims (like "department" and "jobTitle") can be configured by using "Claims mapping policies", but the "officeLocation" claim is not supported; refer to this article to see the list of supported claims.

    Please find below the detailed steps for creating an Azure AD policy and then assigning it to service principal objects.

    • You must have the AzureAD module installed, because this can only be done through PowerShell. If it is not installed already, refer to this article to install the AzureAD module.

    • Use this cmdlet to create a new Azure AD policy; this defines the basic claims "department" and "jobTitle":

       New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy": {"Version": 1,"IncludeBasicClaimSet": "true","ClaimsSchema":[{"Source": "user","ID": "department","JwtClaimType": "department"},{"Source": "user","ID": "jobTitle","JwtClaimType": "jobTitle"}]}}') -DisplayName "BasicClaimDepartment-title" -Type "ClaimsMappingPolicy"  
    

    • Run the following command to see your newly created policy and copy the policy ObjectId:

       Get-AzureADPolicy  
    

    • Assign the policy to your service principal. You can get the ObjectId of your service principal from the Enterprise applications blade, as shown in the screenshot below.

       Add-AzureADServicePrincipalPolicy -Id <ObjectId of the ServicePrincipal> -RefObjectId <ObjectId of the Policy>  
    

    [screenshot: 66393-image.png]

    • Once the policy has been successfully assigned, set AcceptMappedClaims to true in the app, as shown in the following image:
    [screenshot: 66404-image.png]

    Now you should see the basic claims "department" and "jobTitle" appear in the ID token (JWT). Please find below a screenshot from my lab for your reference:

    id_token (JWT):
    [screenshot: 76839-image.png]

    Hope this helps.

    ------------------------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

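The steps from the accepted answer, collected into one script as an added example (not the answerer's own code). It builds the policy JSON from a hashtable so it cannot be malformed, checks that the service principal does not already carry a claims mapping policy before assigning, verifies the assignment, and decodes an id_token payload so the new claims can be checked after sign-in. `$AppDisplayName` is a placeholder for your Enterprise application's display name; `Get-JwtPayload` is a helper defined here, not an AzureAD cmdlet.

```powershell
# Assumes the AzureAD module is installed and you have rights to create policies.
$AppDisplayName = "<your enterprise application display name>"   # placeholder
Connect-AzureAD | Out-Null

# Serialize the ClaimsMappingPolicy from a hashtable: well-formed JSON by construction.
$definition = @{
    ClaimsMappingPolicy = @{
        Version              = 1
        IncludeBasicClaimSet = "true"
        ClaimsSchema         = @(
            @{ Source = "user"; ID = "department"; JwtClaimType = "department" },
            @{ Source = "user"; ID = "jobTitle";   JwtClaimType = "jobTitle" }
        )
    }
} | ConvertTo-Json -Depth 5 -Compress

$policy = New-AzureADPolicy -Definition @($definition) `
    -DisplayName "BasicClaimDepartment-title" -Type "ClaimsMappingPolicy"

# Resolve the service principal; a service principal can hold only one
# claims mapping policy, so stop if one is already attached.
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "Service principal '$AppDisplayName' not found" }
$existing = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
    Where-Object { $_.Type -eq "ClaimsMappingPolicy" }
if ($existing) { throw "Service principal already has policy $($existing.Id); remove it first" }

Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id

# Confirm the assignment is visible before setting AcceptMappedClaims in the manifest.
$assigned = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
    Where-Object { $_.Id -eq $policy.Id }
if (-not $assigned) { throw "Policy $($policy.Id) is not assigned to $($sp.DisplayName)" }
"Policy $($policy.Id) assigned to $($sp.DisplayName)"

# Helper: decode the JWT payload (base64url) to inspect claims after a fresh sign-in.
# This only reads the token; it does not validate the signature.
function Get-JwtPayload([string]$Jwt) {
    $b64 = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    $b64 = $b64.PadRight($b64.Length + (4 - $b64.Length % 4) % 4, '=')
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}
# Usage once you have an id_token: (Get-JwtPayload $idToken) | Select-Object department, jobTitle
```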

1 additional answer

  1. Jesus Guzman 41 Reputation points
    2021-03-11T22:48:44.92+00:00

    Hello Sikumars!

    First, thank you for taking your time to suggest this workaround. I believe it has shed light on what I need to do. The "OfficeLocation" claim is not correct, as you are stating. I need "Office", which I do believe can be used along with the other two. I am going to follow this and add the "office" claim and keep you posted.

    Regards,

    J.Guzman