ADFS custom claim rule configuration in Azure AD

Satheesh Kumar S 1 Reputation point
2022-03-30T18:41:53.853+00:00

Could someone help me with how to implement, in Azure AD, the same ADFS custom claim rule that is configured for an application?

Example: how to set up the custom claim rule below in Azure Attributes & Claims for an application:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY", Value = "x"] => add(store = "Active Directory", types = ("employeeid"), query = ";employeeid;{0}", param = c.Value);


3 answers

  1. Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
    2022-03-30T20:31:31.753+00:00

    You do not need to send the employeeId attribute as a claim.

    You can synchronize it with Azure AD Connect. Run the Azure AD Connect wizard, then pick Customize synchronization options. In Optional Features, check Azure AD app and attribute filtering. Then in the Azure AD Attributes, make sure you export the attribute you want to use in Azure AD.

    Then in the Azure AD portal, you can go to the Enterprise App you want to send the employeeId to. Then select the Single sign-on blade, go to the Attributes and Claims section and click Edit:
    [screenshot: 188533-image.png]
    Then click Add new claims, and pick the following:
    [screenshot: 188529-image.png]

    Does this help?


  2. Satheesh Kumar S 1 Reputation point
    2022-03-31T12:52:07.373+00:00

    @Pierre Audonnet - MSFT Thank you for your reply. I will check the Azure AD Connect wizard part. For now I have configured it for the employeeId.

    Here we have an application that checks the employeeid, queries the groups (memberOf) assigned to the user, and authorizes based on them.

    Below are the ADFS custom claim rules:

    Pull memberOf, add to working set “phase 1”

    c:[Type == "employeeid"] => add(store = "NewCVCAuth", types = ("phase1"), query = "employeeid={0};MemberOf", param = c.Value);

    Drop everything after the first comma, add to working set “phase 2”

    c:[Type == "phase1"] => add(Type = "phase2", Value = RegExReplace(c.Value, ",[^\n]*", ""));

    Remove CN

    c:[Type == "phase2"] => issue(Type = "group", Value = RegExReplace(c.Value, "^CN=", ""));

    Send groups:

    c:[Type == "group", Value =~ "(group1|group2|group3|group4)"] => issue(claim = c);

    How can we pass this in Azure Attributes & Claims?

    Note: refer to https://social.technet.microsoft.com/wiki/contents/articles/16161.ad-fs-2-0-using-regex-in-the-claims-rule-language.aspx (Real World Examples, Problem 1).

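The regex pipeline in the rules above, simulated in Python as an added example (not code from the post, from ADFS or from Azure AD). The memberOf values are constructed sample data, the second step uses `,[^\n]*` to drop everything after the first comma as described, and the last step reproduces ADFS `=~`, which is an unanchored regex search: the example also shows that a group such as group10 passes the unanchored filter and that an anchored pattern (an assumption added here, not part of the original rules) does not let it through.

```python
import re

# Constructed sample: memberOf values as the attribute store would return them
# for the user found by employeeid (not real data).
SAMPLE_MEMBER_OF = [
    "CN=group1,OU=Groups,DC=corp,DC=example",
    "CN=group10,OU=Groups,DC=corp,DC=example",
    "CN=group3,OU=Groups,DC=corp,DC=example",
    "CN=Domain Users,CN=Users,DC=corp,DC=example",
]

# Filter from the final rule: Value =~ "(group1|group2|group3|group4)".
GROUP_FILTER = re.compile(r"(group1|group2|group3|group4)")
# Assumed hardened variant: anchored so only exact names pass.
ANCHORED_GROUP_FILTER = re.compile(r"^(group1|group2|group3|group4)$")


def phase1(member_of):
    """Rule 1: pull memberOf into the working set 'phase1'."""
    return [("phase1", v) for v in member_of]


def phase2(claims):
    """Rule 2: RegExReplace(c.Value, ",[^\\n]*", "") drops everything after the first comma."""
    return [("phase2", re.sub(r",[^\n]*", "", v)) for t, v in claims if t == "phase1"]


def group_claims(claims):
    """Rule 3: RegExReplace(c.Value, "^CN=", "") removes the CN= prefix and issues 'group'."""
    return [("group", re.sub(r"^CN=", "", v)) for t, v in claims if t == "phase2"]


def send_groups(claims, anchored=False):
    """Rule 4: issue only group claims matching the filter (=~ is a search, not a full match)."""
    pattern = ANCHORED_GROUP_FILTER if anchored else GROUP_FILTER
    return [v for t, v in claims if t == "group" and pattern.search(v)]


def run_pipeline(member_of, anchored=False):
    """Run all four rules and return the group values that would be sent to the application."""
    return send_groups(group_claims(phase2(phase1(member_of))), anchored=anchored)


if __name__ == "__main__":
    print("unanchored:", run_pipeline(SAMPLE_MEMBER_OF))
    print("anchored:  ", run_pipeline(SAMPLE_MEMBER_OF, anchored=True))
```

Whichever side does the filtering (ADFS, Azure AD group claims, or the application), a prefix match on group names grants more than intended, so compare full names or object IDs.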

  3. Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
    2022-03-31T18:37:12.177+00:00

    You can send group info directly from the same interface (we can filter there too, but you don't have to, because you can also allow access to the app based on certain groups):

    [screenshot: 188915-image.png]

    And you can filter the access based on a group too. In the Properties page of the app, enable the Assignment required option:
    [screenshot: 188859-image.png]

    Then you can associate the groups (requires Azure AD P1 license I think) or users directly in the Users and groups blade:

    [screenshot: 188879-image.png]
