AzureAD claim transformation with ExtractMailPrefix - native app - how to?

Krzysztof Kwiatkowski 1 Reputation point
2021-03-02T14:30:17.82+00:00

Hi, I am working on SSO configuration for a web application that can only accept a username without the @keyman suffix, and the value is also stored in onpremisessamaccountname.

We authenticate the users using the UPN, and I am struggling with creating a claim that can return the UPN value without @keyman.com.

For enterprise applications we can do ExtractMailPrefix in the SAML config, but for this specific requirement an enterprise application is not an option.

We tried a transformation, but we are unable to figure out the logic.

Here is an example claim transformation from MS Docs, but this example shows the Join option:

New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema":[{"Source":"user","ID":"extensionattribute1"},{"Source":"transformation","ID":"DataJoin","TransformationId":"JoinTheData","JwtClaimType":"JoinedData"}],"ClaimsTransformations":[{"ID":"JoinTheData","TransformationMethod":"Join","InputClaims":[{"ClaimTypeReferenceId":"extensionattribute1","TransformationClaimType":"string1"}], "InputParameters": [{"ID":"string2","Value":"sandbox"},{"ID":"separator","Value":"."}],"OutputClaims":[{"ClaimTypeReferenceId":"DataJoin","TransformationClaimType":"outputClaim"}]}]}}') -DisplayName "TransformClaimsExample" -Type "ClaimsMappingPolicy"

Can someone let us know if what we are trying to achieve is possible with AzureAD?


1 answer

  1. James Andrewartha 1 Reputation point
    2022-05-25T03:18:22.823+00:00

    I have made this work:

    New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true","ClaimsSchema":[{"Source":"user","ID":"userprincipalname"},{"Source":"transformation","ID":"ExtractPrefix","TransformationId":"ExtractThePrefix","JwtClaimType":"username_prefix"}],"ClaimsTransformations":[{"ID":"ExtractThePrefix","TransformationMethod":"ExtractMailPrefix","InputClaims":[{"ClaimTypeReferenceId":"userprincipalname","TransformationClaimType":"mail"}],"OutputClaims":[{"ClaimTypeReferenceId":"ExtractPrefix","TransformationClaimType":"outputClaim"}]}]}}') -DisplayName "Username Prefix Extraction Claims Mapping Policy" -Type "ClaimsMappingPolicy"
    

    and submitted a doc update request: https://github.com/MicrosoftDocs/azure-docs/issues/93415

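The policy from the answer rebuilt from PowerShell objects, created, and attached to the app's service principal, as an added example that is not part of the original answer. It uses the AzureAD module cmdlets (New-AzureADPolicy, Get-AzureADServicePrincipal, Add-AzureADServicePrincipalPolicy) after Connect-AzureAD has run; $AppDisplayName is a placeholder.

```powershell
# Added example, not the answerer's code. Assumes the AzureAD module is loaded and
# Connect-AzureAD has already been run with an account allowed to manage policies.
$AppDisplayName = 'My-Native-App'   # placeholder: the app registration that should get the claim

# 1. Describe the policy as objects so it can be reviewed and diffed, then serialise it.
#    The ExtractMailPrefix input must be referenced as "mail" and its output as "outputClaim",
#    exactly as in the answer's JSON.
$policy = [ordered]@{
    ClaimsMappingPolicy = [ordered]@{
        Version              = 1
        IncludeBasicClaimSet = 'true'
        ClaimsSchema         = @(
            [ordered]@{ Source = 'user'; ID = 'userprincipalname' }
            [ordered]@{ Source = 'transformation'; ID = 'ExtractPrefix'
                        TransformationId = 'ExtractThePrefix'; JwtClaimType = 'username_prefix' }
        )
        ClaimsTransformations = @(
            [ordered]@{
                ID                   = 'ExtractThePrefix'
                TransformationMethod = 'ExtractMailPrefix'
                InputClaims  = @([ordered]@{ ClaimTypeReferenceId = 'userprincipalname'; TransformationClaimType = 'mail' })
                OutputClaims = @([ordered]@{ ClaimTypeReferenceId = 'ExtractPrefix'; TransformationClaimType = 'outputClaim' })
            }
        )
    }
}
$definition = $policy | ConvertTo-Json -Depth 10 -Compress

# 2. Create the policy object in the tenant (the same call the answer makes).
$newPolicy = New-AzureADPolicy -Definition @($definition) `
    -DisplayName 'Username Prefix Extraction Claims Mapping Policy' `
    -Type 'ClaimsMappingPolicy'

# 3. A claims mapping policy has no effect until it is assigned to the app's service principal.
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "Service principal '$AppDisplayName' not found" }
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $newPolicy.Id

# 4. Confirm the assignment before testing a token.
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId | Select-Object DisplayName, Type
```

The app registration must also have acceptMappedClaims set to true in its manifest (or a custom signing key configured) before Entra ID will emit the mapped claim. Because ExtractMailPrefix discards the domain, two UPNs in different verified domains can yield the same prefix, so the application should still bind user identity to an immutable identifier such as oid rather than to the prefix alone.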