Not getting an ObjectId for a claims policy using the Get-AzureADPolicy command in PowerShell.

thomas magami 21 Reputation points
2022-09-21T19:27:43.4+00:00

I have added a new claim policy using the New-AzureADPolicy command. I can see my policy, but the ObjectId field is empty. I need the object Id of my newly created policy so I can map it to my service principal.

Does anybody here have any idea what I'm doing wrong?

PS C:\> Get-AzureADPolicy

ObjectId DisplayName     Type                Definition
-------- -----------     ----                ----------
         FHIRUserClaim   ClaimsMappingPolicy {{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true","ClaimsSchema": [{"Source":"user","ID":"extensionAtt...
         OmitBasicClaims ClaimsMappingPolicy {{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"false"}}}

[screenshot: 243631-image.png]


Accepted answer
  1. Olga Os - MSFT 5,826 Reputation points Microsoft Employee
    2022-09-21T20:57:44.367+00:00

    Hello @thomas magami ,

    Welcome to the Q&A MS Forum.

    I just tested this command in the Windows PowerShell ISE and got the object Id in the output. Meanwhile, you can see from my screenshot that I didn't use directory extension attributes in the claim.

    [screenshot: 243624-image.png]

    Can you test whether you get an object id by creating a test policy with the script below:

    $policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"02:00:00"}}') -DisplayName "WebPolicyScenario" -IsOrganizationDefault $false -Type "TokenLifetimePolicy"
    $policy

    Are you able to share the script that you used to create the policy? I'd like to test it on my side.

    If you run your script with the AzureAD module, could you test by uninstalling it and installing AzureADPreview?

    Update: I just tested creating a new policy using directory extension attributes, and an objectId was returned for it too.

    Below is the script that I used during my testing:

    Install-Module -Name Microsoft.Graph -RequiredVersion 1.2.0

    Import-Module Microsoft.Graph.SchemaExtensions

    Connect-MgGraph -TenantId "XXXX.onmicrosoft.com" -Scopes "User.ReadWrite.All", "Group.ReadWrite.All", "Application.ReadWrite.All", "Directory.AccessAsUser.All", "Directory.ReadWrite.All"

    Get-MgContext

    # After authenticating, I created a new, empty ArrayList
    $SchemaProperties = New-Object -TypeName System.Collections.ArrayList
    # define our keys and the types
    $prop1 = @{
        'name' = 'costcenter';
        'type' = 'String';
    }
    $prop2 = @{
        'name' = 'pin';
        'type' = 'Integer';
    }

    # and add them to the SchemaProperties
    [void]$SchemaProperties.Add($prop1)
    [void]$SchemaProperties.Add($prop2)

    # Created the new schema extension for the resource User. Our Azure AD app is the owner.
    $SchemaExtension = New-MgSchemaExtension -TargetTypes @('User') -Properties $SchemaProperties -Id 'myapp1' -Description 'my organization additional user properties' -Owner "xxxxxxx"

    # Check the new schema extension:
    Get-MgSchemaExtension -SchemaExtensionId $SchemaExtension.Id | fl
    # use appId as an owner
    Update-MgSchemaExtension -SchemaExtensionId $SchemaExtension.Id `
        -Status 'Available' `
        -Owner "xxxxxx"

    # The AzureAD* cmdlets below use their own session, separate from Connect-MgGraph
    Connect-AzureAD

    New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true","ClaimsSchema":[{"Source":"user","ID":"YourExtensionID","SamlClaimType":"team_id","JwtClaimType":"MyCustomClaim1"},{"Source":"user","ID":"YourExtensionID","SamlClaimType":"team_id","JwtClaimType":"MyCustomClaim2"}]}}') -DisplayName "ExtensionAttributeMapping" -Type "ClaimsMappingPolicy"

    Get-AzureADPolicy

    Sincerely,
    Olga Os

    1 person found this answer helpful.
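The thread's goal is to create a claims-mapping policy, get its identifier, and attach it to a service principal. The script below is an added, end-to-end example; it is not code from either poster or from Microsoft's documentation. It assumes the AzureADPreview module, a placeholder service principal named 'MyApi', and the directory attribute 'extensionAttribute1' as the claim source. It also assumes (this is not confirmed by the thread) that some module builds expose the policy identifier as `Id` rather than `ObjectId`, which would leave the default table's ObjectId column blank, so it reads whichever property is populated and falls back to a strict lookup by display name before attaching anything.

```powershell
# Added example (not code from this thread): create a claims-mapping policy,
# obtain its identifier robustly, and attach it to a service principal.
# Assumptions (placeholders, not values from the thread):
#   - the target service principal is named 'MyApi'
#   - the claim source is the directory attribute 'extensionAttribute1'
# Requires the AzureADPreview module and an authenticated session.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

# Build the definition from a hashtable so the JSON is well-formed by construction.
$definition = [ordered]@{
    ClaimsMappingPolicy = [ordered]@{
        Version              = 1
        IncludeBasicClaimSet = "false"
        ClaimsSchema         = @(
            [ordered]@{
                Source        = "user"
                ID            = "extensionAttribute1"
                SamlClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/fhirUser"
                JwtClaimType  = "fhirUser"
            }
        )
    }
} | ConvertTo-Json -Depth 5 -Compress

function Get-PolicyIdentifier {
    # Returns whichever identifier property is populated on a policy object.
    # Assumption: depending on the module build the property is named 'ObjectId' or 'Id';
    # the default table view may show an empty ObjectId column when only Id is set.
    param([Parameter(Mandatory)] $Policy)
    foreach ($name in 'ObjectId', 'Id') {
        $prop = $Policy.PSObject.Properties[$name]
        if ($prop -and -not [string]::IsNullOrWhiteSpace([string]$prop.Value)) { return [string]$prop.Value }
    }
    return $null
}

$displayName = "FHIRUserClaim-Example"

# Capture the returned object rather than reading the console table.
$policy   = New-AzureADPolicy -Definition @($definition) -DisplayName $displayName -Type "ClaimsMappingPolicy"
$policyId = Get-PolicyIdentifier -Policy $policy

if (-not $policyId) {
    # Fall back to a lookup by display name, and insist on exactly one match so the
    # wrong policy is never attached to the service principal.
    $found = @(Get-AzureADPolicy | Where-Object { $_.DisplayName -eq $displayName })
    if ($found.Count -ne 1) { throw "Expected one policy named '$displayName', found $($found.Count)." }
    $policyId = Get-PolicyIdentifier -Policy $found[0]
}
if (-not $policyId) {
    throw "Policy was created but neither ObjectId nor Id is populated; inspect it with: Get-AzureADPolicy | Format-List *"
}

# Attach the policy to the service principal and verify the link.
$sp = @(Get-AzureADServicePrincipal -Filter "DisplayName eq 'MyApi'")
if ($sp.Count -ne 1) { throw "Expected exactly one service principal named 'MyApi', found $($sp.Count)." }

Add-AzureADServicePrincipalPolicy -Id $sp[0].ObjectId -RefObjectId $policyId
Get-AzureADServicePrincipalPolicy -Id $sp[0].ObjectId | Format-Table DisplayName, Type
```

`Get-AzureADPolicy | Format-List *` is the quickest way to see every property the module actually returns, independent of the default table view. The exact-match checks are deliberate: a claims-mapping policy changes what ends up in issued tokens, so attaching one to the wrong service principal, or attaching an ambiguous one, is a configuration error worth failing loudly on. Note also that Azure AD only honours a claims-mapping policy for an application that either has a custom signing key or has `acceptMappedClaims` set in its manifest; the final `Get-AzureADServicePrincipalPolicy` call confirms the link exists but does not check that condition.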

1 additional answer

  1. thomas magami 21 Reputation points
    2022-09-21T22:27:14.493+00:00

    Hello @Olga Os - MSFT ,

    Thank you for your response. I have tried installing and uninstalling the AzureADPreview module multiple times. Still no luck!

    Here is the output for your command. The policy is generated with no ObjectId.
    [screenshot: 243693-image.png]

    I used this command to create the policy, and I can't see the ObjectId (please see the screenshot in the original question):

    New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"false","ClaimsSchema": [{"Source":"user","ID":"extensionAttribute1","SamlClaimType":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/fhirUser","JwtClaimType":"fhirUser"}]}}') -DisplayName "FHIRUserClaim24" -Type "ClaimsMappingPolicy"