Claims Transformation using Graph Api for email attribute

Avinash Banjan 1 Reputation point
2022-11-29T06:53:39.253+00:00

Hi,

We are trying to create enterprise apps and configure SSO for the same via Azure Graph API, wherein we are required to transform the email attribute, e.g. original email: user@mathieu.company.com, expected transformed value: user@7896.company.com, where 7896 is the unique tenant id.

We know how to do this manually via the console using claims transformation (ExtractMailPrefix() & Join()). We are implementing this transformation via Graph API.
[Screenshot: 265024-claimstransformation.jpg]

We already explored https://learn.microsoft.com/en-us/graph/api/resources/claimsmappingpolicy?view=graph-rest-1.0 but are not able to figure out how to pass the transformed value from ExtractMailPrefix() as an input to Join().

Please find the code we tried and suggest what can be modified to get the expected output for email attribute.

Help appreciated!

{
"definition":[
"{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"false\",\"ClaimsSchema\":[{\"Source\":\"user\",\"ID\":\"userprincipalname\"},{\"Source\":\"user\",\"ID\":\"mail\"},{\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\"},{\"Source\":\"transformation\",\"ID\":\"ExtractPrefix\",\"TransformationId\":\"ExtractThePrefix\",\"SamlClaimType\":\"username_prefix\"},{\"Source\":\"transformation\",\"ID\":\"DataJoin\",\"TransformationId\":\"JoinTheData\",\"SamlClaimType\":\"joined_data\"}],\"ClaimsTransformations\":[{\"ID\":\"ExtractThePrefix\",\"TransformationMethod\":\"ExtractMailPrefix\",\"InputClaims\":[{\"ClaimTypeReferenceId\":\"userprincipalname\",\"TransformationClaimType\":\"mail\"}],\"OutputClaims\":[{\"ClaimTypeReferenceId\":\"ExtractPrefix\",\"TransformationClaimType\":\"outputClaim\"}]},{\"ID\":\"JoinTheData\",\"TransformationMethod\":\"Join\",\"InputClaims\":[{\"ClaimTypeReferenceId\":\"mail\",\"TransformationClaimType\":\"string1\"}],\"InputParameters\": [{\"ID\":\"string2\",\"Value\":\"787.company.com\"},{\"ID\":\"separator\",\"Value\":\"@\"}],\"OutputClaims\":[{\"ClaimTypeReferenceId\":\"DataJoin\",\"TransformationClaimType\":\"outputClaim\"}]}]}}"
],
"displayName":"Test Claims Policy - Modified Email",
"isOrganizationDefault":false
}

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. Swapnil Maldhure 6 Reputation points Microsoft Employee
    2022-12-01T16:25:12.447+00:00

    Hi @Avinash Banjan

    The following transformation definition should work.

    PATCH/POST https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/{id}
    {
    "definition": [
    "{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"false\",\"ClaimsSchema\":[{\"Source\":\"user\",\"ID\":\"userprincipalname\"},{\"Source\":\"user\",\"ID\":\"mail\"},{\"Source\":\"transformation\",\"ID\":\"DataJoin\",\"SamlClaimType\":\"new_username\",\"transformationId\":\"ExtractThePrefix\"}],\"ClaimsTransformations\":[{\"ID\":\"ExtractThePrefix\",\"TransformationMethod\":\"ExtractMailPrefix\",\"InputClaims\":[{\"ClaimTypeReferenceId\":\"userprincipalname\",\"TransformationClaimType\":\"mail\"}],\"OutputClaims\":[{\"TransformationClaimType\":\"outputClaim\",\"NextTransform\":\"JoinTheMail\"}]},{\"ID\":\"JoinTheMail\",\"TransformationMethod\":\"Join\",\"InputParameters\":[{\"ID\":\"string2\",\"Value\":\"787.company.com\"},{\"ID\":\"separator\",\"Value\":\"@\"}],\"OutputClaims\":[{\"ClaimTypeReferenceId\":\"DataJoin\",\"TransformationClaimType\":\"outputClaim\"}]}]}}"
    ],
    "displayName":"Test Claims Policy - Modified Email",
    "isOrganizationDefault": false
    }

    1 person found this answer helpful.
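As an added example (not the answerer's or Microsoft's code), the Python below assembles the chained definition from the answer with json.dumps, so the inner policy string inside "definition" is escaped correctly instead of by hand, and then replays the ExtractMailPrefix → NextTransform → Join chain offline to confirm which value a UPN such as user@mathieu.company.com ends up as. The simulate() function is an assumption-level approximation of the two methods used here, not Entra's evaluation engine.

```python
import json

# Added example: build the accepted answer's chained ClaimsMappingPolicy.
# The inner policy is a JSON *string* inside "definition"; json.dumps escapes it.
def build_policy(tenant_suffix: str, display_name: str) -> dict:
    policy = {"ClaimsMappingPolicy": {
        "Version": 1, "IncludeBasicClaimSet": "false",
        "ClaimsSchema": [
            {"Source": "user", "ID": "userprincipalname"},
            {"Source": "user", "ID": "mail"},
            # The issued claim points at the FIRST transformation of the chain.
            {"Source": "transformation", "ID": "DataJoin",
             "SamlClaimType": "new_username", "TransformationId": "ExtractThePrefix"}],
        "ClaimsTransformations": [
            {"ID": "ExtractThePrefix", "TransformationMethod": "ExtractMailPrefix",
             "InputClaims": [{"ClaimTypeReferenceId": "userprincipalname",
                              "TransformationClaimType": "mail"}],
             # NextTransform hands the prefix to Join as its implicit string1.
             "OutputClaims": [{"TransformationClaimType": "outputClaim",
                               "NextTransform": "JoinTheMail"}]},
            {"ID": "JoinTheMail", "TransformationMethod": "Join",
             "InputParameters": [{"ID": "string2", "Value": tenant_suffix},
                                 {"ID": "separator", "Value": "@"}],
             "OutputClaims": [{"ClaimTypeReferenceId": "DataJoin",
                               "TransformationClaimType": "outputClaim"}]}]}}
    return {"definition": [json.dumps(policy)],
            "displayName": display_name, "isOrganizationDefault": False}

# Offline replay of the two methods used here (an approximation for checking
# the expected claim value before calling Graph, not Entra's engine).
def simulate(upn: str, body: dict) -> str:
    policy = json.loads(body["definition"][0])["ClaimsMappingPolicy"]
    by_id = {t["ID"]: t for t in policy["ClaimsTransformations"]}
    start = next(c["TransformationId"] for c in policy["ClaimsSchema"]
                 if c["Source"] == "transformation")
    value, step = None, by_id[start]
    while step is not None:
        params = {p["ID"]: p["Value"] for p in step.get("InputParameters", [])}
        if step["TransformationMethod"] == "ExtractMailPrefix":
            value = upn.split("@", 1)[0]            # local part only
        elif step["TransformationMethod"] == "Join":
            value = f"{value}{params['separator']}{params['string2']}"
        nxt = step["OutputClaims"][0].get("NextTransform")
        step = by_id[nxt] if nxt else None
    return value

if __name__ == "__main__":
    body = build_policy("7896.company.com", "Test Claims Policy - Modified Email")
    print(simulate("user@mathieu.company.com", body))   # user@7896.company.com
```

The returned dict is the body for the PATCH/POST shown in the answer; the policy only takes effect once it is also assigned to the enterprise app's service principal via POST /servicePrincipals/{id}/claimsMappingPolicies/$ref.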