RyanPatrick-5812 asked VegardSandengen-5668 commented

Azure AD - add custom claim to access token

Hello experts,

I have an Azure AD application which I am using to generate a v1.0 access token for use in an external app.

I want to add a custom "prn" claim to the token, which will mirror the value of the default "upn" claim.

I have read through the article below, but due to my lack of experience am not entirely sure that this is what I am after.

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping

Before I dive in and see if I can get my head around this article, can anyone confirm that the above is what I need to do to get the custom claim - i.e. using claims mapping policy and a custom signing certificate?

Many thanks,
Ryan

azure-ad-authentication

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
Thanks, Siva Kumar Selvaraj


1 Answer

sikumars answered VegardSandengen-5668 commented

Hello @RyanPatrick-5812,

Thanks for reaching out.

Yes, you are referring to the right article.

Here are the detailed steps for creating an Azure AD policy and then assigning it to the service principal object (application) so that it emits the "upn" value as a custom "prn" claim.

• You must have the AzureAD module installed, because this can only be done through PowerShell. If it is not installed already, refer to this article to install the AzureAD module.

• Use this cmdlet to create a new Azure AD policy; this defines the basic claim "userprincipalname" as "prn".

New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy": {"Version": 1,"IncludeBasicClaimSet": "true","ClaimsSchema":[{"Source": "user","ID": "userprincipalname","JwtClaimType": "prn"}]}}') -DisplayName "BasicClaimupnPrn-title" -Type "ClaimsMappingPolicy"

• Run the following command to see your newly created policy and copy the policy ObjectId.

Get-AzureADPolicy

• Assign the policy to your service principal. You can get the ObjectId of your service principal from the Enterprise applications blade, as shown in the screenshot below.

Add-AzureADServicePrincipalPolicy -Id <ObjectId of the ServicePrincipal> -RefObjectId <ObjectId of the Policy>

• Once the policy has been successfully assigned, set AcceptMappedClaims to true in the app, as shown in the following image:

Now you should see the basic claims "department" and "jobTitle" appear in the ID token (JWT). Please find below a screenshot from my lab for your reference:

id_token (JWT):


Hope this helps.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.




This only shows how to get the custom mapped claim in the ID token, not the access token.

In a SPA <-> API scenario, I wish to get my custom claim mapping into the access token of the API App registration, whilst authentication is performed against SPA App registration, with scope against the API client id.

This scenario with a frontend and backend app registration is quite common, even documented as the primary mechanism to achieve this separation. How does one then get access to custom claims in the access token of the backend app registration? I have a custom app registration that holds my user extension properties, akin to what is documented here, which I wish to map into the access token of my API App registration. What gives?


If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote. Thanks

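A worked PowerShell script, added here as an example and not taken from the answer or the comments above. It runs the answer's steps end to end, but attaches the policy to the API (resource) app's service principal, which is where a claims mapping policy has to sit for the claim to show up in that API's access token (the SPA/API case raised in the comment), and then decodes a token offline to confirm that prn mirrors upn. $apiAppId is a placeholder you replace with your own API app's client ID; the acceptMappedClaims manifest setting is still done as described in the answer.

```powershell
# Added example, not the original answer's code. Creates the "prn" claims mapping
# policy, assigns it to the API app's service principal and verifies a token.
Import-Module AzureAD
Connect-AzureAD | Out-Null

# Placeholder: Application (client) ID of the API app registration whose access
# tokens should carry the prn claim. Replace before running.
$apiAppId = '00000000-0000-0000-0000-000000000000'

# Same policy definition as in the answer: emit userprincipalname as "prn".
$definition = @'
{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true",
 "ClaimsSchema":[{"Source":"user","ID":"userprincipalname","JwtClaimType":"prn"}]}}
'@
$policy = New-AzureADPolicy -Definition @($definition) `
    -DisplayName 'BasicClaimupnPrn-title' -Type 'ClaimsMappingPolicy'

# An access token carries the claims of the resource it is issued FOR, so the
# policy goes on the API app's service principal, not on the SPA's.
$apiSp = Get-AzureADServicePrincipal -Filter "appId eq '$apiAppId'"
if (-not $apiSp) { throw "No service principal found for appId $apiAppId" }
Add-AzureADServicePrincipalPolicy -Id $apiSp.ObjectId -RefObjectId $policy.Id

# Confirm the assignment landed on the API service principal.
Get-AzureADServicePrincipalPolicy -Id $apiSp.ObjectId |
    Select-Object DisplayName, Type
# The API app's manifest still needs "acceptMappedClaims": true (portal step).

# Inspection only (no signature validation): decode the JWT payload and check
# that prn mirrors upn. Returns $true when the mapping is in effect.
function Test-PrnMirrorsUpn {
    param([Parameter(Mandatory)][string]$Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $json   = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    $claims = $json | ConvertFrom-Json
    if (-not $claims.prn) {
        Write-Warning 'No prn claim: policy not on this resource, or acceptMappedClaims not set'
        return $false
    }
    return ($claims.prn -eq $claims.upn)
}
# Usage: Test-PrnMirrorsUpn -Jwt $accessTokenForTheApi
```

Request the access token with the API's scope (as the commenter describes) and pass it to Test-PrnMirrorsUpn; a $false with the warning means the token was issued for a resource that does not carry the policy.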