Azure AD claim transformation to find and replace

siva pokuri 21

I found another thread with same requirement and so just pasting the requirement from that thread as there is no option to reply in that thread to check on latest status-

I am trying to customize the claims issued in the SAML token by Azure AD for single sign on. I am using the following Microsoft documentation:

https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization

On one claim, I want to perform a Find and Replace transformation. For example:

I need to extract guest user email address from UPN attribute.

I don't see how to do this with the available claims transformation rules in the Azure portal.

How could I perform a Find and Replace in Azure AD for SAML token claims?

Please share any thoughts.

Thanks
Siva Pokuri.

Saurabh Sharma 23,676 Reputation points Microsoft Employee

2021-02-17T00:41:24.06+00:00

@siva pokuri Thanks for using Microsoft Q&A !!
What do you mean by find and replace transformation ? Are you not able to get the required transformation using ExtractMailPrefix(user.userprincipalname) ?
siva pokuri 21 Reputation points

2021-02-17T02:34:52.433+00:00

I tried using that ExtractMailPrefix transformation function it's giving "pokuri86_gmail.com#EXT#" but we want to transform to "pokuri86@Stuff .com"

As mentioned in my question.

We have requirement to extract email address from userprincipalname attribute for guest accounts..

One thing I see its not available is replace _ character with @ to transform the upn of guest accounts.

if we can transform upn value with a regular expression also that would be great.

I don’t find both the options to transform upn value to the guest email address.

Please advice if there is any other way to extract email address from upn and pass it as claim to application.

Thanks
Siva Pokuri
Venkata 146 Reputation points

2023-02-28T03:10:03.6833333+00:00

@siva pokuri I have same requirement, were you able to write transform function to find and replace email id? If so, can you share the steps. Thank you

1 answer

Alfredo Revilla (Personal Account) 391 Reputation points

2021-02-17T17:36:06.11+00:00

Howdy, UPN won't always match the email address, less in this case since it's an external (guest) user account. The best you can do is to just output the mail attribute.

@AmanpreetSingh-MSFT

* If the answer was helpful to you, please accept it and, optionally, provide feedback so that other members in the community can benefit from it.*
Please sign in to rate this answer.
siva pokuri 21 Reputation points

2021-02-17T18:10:19.963+00:00

Dear AlfredoRevilla,

Thanks for your response.

I can not go with mail attribute as I have set of internal users with different email address in UPN and mail attributes and it flips my issue to internal users. So, I will have rely on UPN attribute. And some how to read and transform UPN attribute value to email and pass as a claim.

Thanks
Siva Pokuri.

siva pokuri 21 Reputation points

2021-03-02T02:42:13.757+00:00

Hello All,

Found solution for SAML based applications with below transformation. Thanks to Microsoft support!

But, still have to find similar solution for Open ID applications. Appreciate any inputs.
Sign in to comment