Question
som asked ·

Include on-premises sAMAccountName in Azure AD claims

I was going through this: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims. I am happy that I can get the on-premises SID.
Now I also wanted to include the onPremisesSamAccountName as part of the claims.
I know I can get it using the Graph API https://graph.microsoft.com/v1.0/me/?$select=userPrincipalName,onPremisesSamAccountName
but I wanted to use it as part of the claims in the token generated by Azure AD itself.

azure-active-directory

1 Answer

soumi-MSFT answered ·

@som,
Yes, you can add the onPremisesSamAccountName to the claims and send it within an access token.

You can follow the steps mentioned below:

  1. Create an AzureADPolicy.

     New-AzureADPolicy -Definition @('{
         "ClaimsMappingPolicy": {
             "Version": 1,
             "IncludeBasicClaimSet": "true",
             "ClaimsSchema": [{
                     "Source": "user",
                     "ID": "employeeid",
                     "SamlClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/employeeid",
                     "JwtClaimType": "employeeid"
                 },
                 {
                     "Source": "user",
                     "ID": "mail",
                     "SamlClaimType": "http://schemas.microsoft.com/identity/claims/emailaddress",
                     "JwtClaimType": "mail"
                 },
                 {
                     "Source": "user",
                     "ID": "onpremisessamaccountname",
                     "SamlClaimType": "samaccountname",
                     "JwtClaimType": "samAccountName"
                 },
                 {
                     "Source": "user",
                     "ID": "department",
                     "SamlClaimType": "http://schemas.microsoft.com/identity/claims/department",
                     "JwtClaimType": "department"
                 }
             ]
         }
     }') -DisplayName "CustomClaimsPolicy1" -Type "ClaimsMappingPolicy"

  2. Attach the newly created AzureADPolicy to the service principal of the specific Azure AD app for which the token will be requested.

     Add-AzureADServicePrincipalPolicy -Id "{object id of service principal}" -RefObjectId "{object id of policy}"

  3. To check whether the policy was successfully added to the service principal:

     Get-AzureADServicePrincipalPolicy -Id "{object id of service principal}"

  4. Next, use the Authorization Code flow of OAuth 2.0 and request a code from AAD.

  5. Once you have the code, use it to request an access token from AAD for the above app on whose service principal the AzureADPolicy was added. [I used the POSTMAN tool to test the same]
     [screenshot: postmansnip.png]

  6. Once you get the access token, use https://jwt.ms to see the decoded JWT and you should see the SamAccountName listed in it as a claim.
     [screenshot: claims.png]

Hope this helps.


Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!


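The steps in the answer above, put into one script as an added example (this is not code from the original answer or from Microsoft). It assumes the AzureADPreview module and an existing Connect-AzureAD session; the service principal object id, the policy name and the sample token are placeholders or constructed values. Two practitioner caveats the answer does not spell out: the token request fails with AADSTS50146 unless the application either has a custom signing key or has acceptMappedClaims set to true in its manifest, and that flag should only be set on a single-tenant app, because on a multi-tenant app it lets any tenant admin inject arbitrary claims into tokens for your API. Also, decoding a JWT locally (as below) only shows that the claim was emitted; it is not signature verification, and pasting a live access token into a third-party decoder is a token leak.

```powershell
# Added example, not the answer's own code. Assumes AzureADPreview + Connect-AzureAD.

# base64url helpers for the local JWT inspection (no signature check is done here).
function ConvertTo-Base64Url([byte[]] $Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string] $Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a compact JWS (expected header.payload.signature)" }
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')   # base64url -> base64
    switch ($b64.Length % 4) {
        1 { throw "Invalid base64url payload length" }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

# Returns $true if the mapped claim is present and non-empty in the token payload.
function Test-MappedClaim {
    param(
        [Parameter(Mandatory)][string] $Token,
        [string] $ClaimName = "samAccountName"   # the JwtClaimType from the policy
    )
    $claims = ConvertFrom-JwtPayload -Token $Token
    $prop = $claims.PSObject.Properties[$ClaimName]
    if ($null -eq $prop -or [string]::IsNullOrEmpty($prop.Value)) {
        Write-Warning ("Claim '$ClaimName' missing. Check that aud is the app the policy is attached to, " +
                       "that the user is synced from on-premises AD, and that acceptMappedClaims is true " +
                       "(or a custom signing key is configured) on the app.")
        return $false
    }
    Write-Host "$ClaimName = $($prop.Value) (aud '$($claims.aud)')"
    return $true
}

# Steps 1 to 3 against the tenant: create the policy, attach it, verify by policy Id.
function Set-SamAccountNameClaimPolicy {
    param(
        [Parameter(Mandatory)][string] $SpObjectId,          # service principal of the app that receives the token
        [string] $PolicyName = "OnPremSamAccountNamePolicy"  # assumed display name
    )
    # Build the definition as an object and serialize it; a typo in a hand-written
    # JSON string is only reported when a token is requested, not when the policy is created.
    $definition = [ordered]@{
        ClaimsMappingPolicy = [ordered]@{
            Version              = 1
            IncludeBasicClaimSet = "true"
            ClaimsSchema         = @(
                [ordered]@{
                    Source        = "user"
                    ID            = "onpremisessamaccountname"
                    SamlClaimType = "samaccountname"   # value used in the answer above
                    JwtClaimType  = "samAccountName"
                }
            )
        }
    } | ConvertTo-Json -Depth 5 -Compress

    $policy = New-AzureADPolicy -Definition @($definition) -DisplayName $PolicyName -Type "ClaimsMappingPolicy"
    Add-AzureADServicePrincipalPolicy -Id $SpObjectId -RefObjectId $policy.Id

    $attached = Get-AzureADServicePrincipalPolicy -Id $SpObjectId | Where-Object { $_.Id -eq $policy.Id }
    if (-not $attached) { throw "Policy $($policy.Id) is not attached to service principal $SpObjectId" }
    # Remaining prerequisite: set acceptMappedClaims to true in the app manifest (single-tenant
    # apps only) or configure a custom signing key, or the token request fails with AADSTS50146.
    return $policy
}

# Constructed sample token so the inspection part runs offline; the signature segment is a
# dummy and would fail verification. Replace $token with the access token from step 5.
$header  = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes('{"alg":"RS256","typ":"JWT"}'))
$payload = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes('{"aud":"api://contoso-api","upn":"alice@contoso.com","samAccountName":"alice"}'))
$token   = "$header.$payload.dummysignature"

Test-MappedClaim -Token $token                    # True: mapped claim present
Test-MappedClaim -Token $token -ClaimName "sid"   # False with a warning: not in this token

# Against a real tenant (placeholder id):
# Set-SamAccountNameClaimPolicy -SpObjectId "00000000-0000-0000-0000-000000000000"
```

Run the tenant part once per resource app; the policy is attached to the service principal of the API whose access token is requested, so a token with a different aud will not carry the claim even though the policy exists.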

@som, Just wanted to check if the above response helped in answering your query or not. If it did, it would be great if you can mark the response as "Answered", so that it helps others with similar issues visiting the community.

Also, if there are any more queries around this, please feel free to share the same with us so that we can help you better.
