Azure AD Token Customization

Dinesh Prajapati 126 Reputation points
2024-05-30T04:44:09.07+00:00

I have registered an application in Azure AD through which I am getting the token that is used for authentication. I have added some app roles to the application, which are mapped at group level in the enterprise application. While decoding the token in jwt.ms, I checked that the app roles are coming as

    roles: ["rolea", "roleb"]

But as per my requirement I want the role to come as

    "http://schemas.microsoft.com/ws/2008/06/identity/claims/role": ["rolea", "roleb"]

How can I achieve this? I checked online regarding the creation of an optional claim in token configuration, but that did not make any change to the token.

Can someone help me with this?
Also, I want to add two more templates as

    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "first_name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "last_name"

How can I do this?

I also tried to update this directly in the manifest file for the token, but it did not make any change.


2 answers

  1. Amira Bedhiafi 34,336 Reputation points Volunteer Moderator
    2024-05-30T09:19:25.02+00:00

    In the manifest file for your application you need to update the claims.

    If adding roles under custom claim does not work directly, consider creating a policy using Azure AD B2C (if you are using it). Policies allow more granular control over token issuance.

    Refer to the official Azure AD B2C documentation for creating and managing custom policies:

    Azure AD B2C custom policies

    For your requirements, the manifest update should look something like this:

    
    {
      "optionalClaims": {
        "idToken": [
          {
            "name": "roles",
            "source": null,
            "essential": false,
            "additionalProperties": [
              {
                "source": "group",
                "value": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
              }
            ]
          },
          {
            "name": "given_name",
            "source": null,
            "essential": false,
            "additionalProperties": [
              {
                "value": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
              }
            ]
          },
          {
            "name": "surname",
            "source": null,
            "essential": false,
            "additionalProperties": [
              {
                "value": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
              }
            ]
          }
        ]
      }
    }
    
    
    
    1 person found this answer helpful.

  2. Navya 20,490 Reputation points Microsoft External Staff Moderator
    2024-05-31T15:10:15.81+00:00

    Hi @Dinesh Prajapati

    Thank you for posting this in Microsoft Q&A.

    I understand that you're trying to modify the claims that are included in the JWT token that is generated by your Azure AD application. Specifically, you want to include the app roles as a claim with the http://schemas.microsoft.com/ws/2008/06/identity/claims/role type, and you want to add two additional claims for the user's first name and last name.

    Your app gets the roles claim in your token (ID token for an app, access token for APIs) with all the signed-in user's assigned roles, as shown in the following token example.


    For your reference: https://learn.microsoft.com/en-us/security/zero-trust/develop/configure-tokens-group-claims-app-roles#groups-and-app-roles

    Within SAML tokens, these claims come in the following URI format: http://schemas.microsoft.com/identity/claims/<attributename>

    To get claims in the format http://schemas.microsoft.com/ws/2008/06/identity/claims/role, please follow the steps below:

    1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
    2. Browse to Identity > Applications > Enterprise applications > All applications.
    3. Select New application > create your application > Enter name of the application > Select non-gallery app > Click on create.
    4. Select the application, select Single sign-on in the left-hand menu, and then select Edit in the Attributes & Claims section.

    By default, the Microsoft identity platform issues a SAML token to an application that contains a claim with a value of the user's username (also known as the user principal name), which can uniquely identify the user. The SAML token also contains other claims that include the user's email address, first name, and last name.

    You can add a new claim as per your requirement. For more information, please refer to this document: Customize SAML token claims


    To test this application: Enterprise applications > select your application > Single sign-on > click "Test this application". Once this is done, your enterprise application will receive the claims you configured.


    In the user profile, make sure to include the property values, such as the surname and given name. If the user profile does not contain the values, you will not receive the claims in the SAML token.

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.

    If the answer is helpful, please click "Accept Answer" and kindly "upvote" it.
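The two answers describe two different token shapes: the JWT issued to the app carries a short `roles` claim (plus `given_name` / `family_name`), while the SAML assertion configured through Attributes & Claims carries attributes named by the full claim-type URIs from the question. A relying party that accepts either should normalize both into one shape before it makes authorization decisions, and must tolerate attributes that are absent because the user profile lacks the value (as the second answer warns). The following is an added example written for this thread, not code from Microsoft or from either answer. The JWT claim names and the SAML claim-type URIs are those quoted above; the sample tokens and the `_constructed_*` helpers are constructed test inputs, and `jwt_payload` only decodes the payload (signature, issuer, audience and expiry validation belong to your JWT library and must run before any claim here is trusted).

```python
"""Normalize role and name claims from an Entra ID JWT or a SAML assertion.

Added example, not code from the Q&A thread or from Microsoft. The JWT
claim names ("roles", "given_name", "family_name") and the SAML claim-type
URIs come from the thread; the sample tokens below are constructed.
"""
import base64
import json
import xml.etree.ElementTree as ET

# Claim-type URIs used in SAML/WS-Fed assertions (quoted in the thread).
ROLE_URI = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
GIVENNAME_URI = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
SURNAME_URI = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def _b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url, the encoding compact JWTs use."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token: str) -> dict:
    """Return the JSON payload of a compact JWT.

    This only inspects claims and performs NO signature check. A real consumer
    validates signature, issuer, audience and expiry with a JWT library first.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def claims_from_jwt(payload: dict) -> dict:
    """Map JWT claims to one shape, accepting short names or the URI claim types."""
    roles = payload.get("roles", payload.get(ROLE_URI, []))
    if isinstance(roles, str):  # a single role may arrive as a scalar
        roles = [roles]
    return {
        "roles": sorted(roles),
        "given_name": payload.get("given_name", payload.get(GIVENNAME_URI)),
        "surname": payload.get("family_name", payload.get(SURNAME_URI)),
    }


def claims_from_saml(assertion_xml: str) -> dict:
    """Map SAML AttributeStatement attributes (named by URI) to the same shape.

    Attributes missing from the assertion (e.g. surname absent from the user
    profile) come back as None / an empty role list rather than raising.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return {
        "roles": sorted(attrs.get(ROLE_URI, [])),
        "given_name": (attrs.get(GIVENNAME_URI) or [None])[0],
        "surname": (attrs.get(SURNAME_URI) or [None])[0],
    }


def has_role(claims: dict, required: str) -> bool:
    """Authorization check over the normalized shape, whatever the token source."""
    return required in claims["roles"]


def _constructed_jwt(payload: dict) -> str:
    """Build a sample compact token with a placeholder signature (test input only)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.placeholder-signature"


def _constructed_saml(attributes: dict) -> str:
    """Build a minimal sample assertion (test input only) from {uri: [values]}."""
    body = "".join(
        f'<saml:Attribute Name="{uri}">'
        + "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in vals)
        + "</saml:Attribute>"
        for uri, vals in attributes.items())
    return (f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}" ID="_constructed" Version="2.0">'
            f"<saml:AttributeStatement>{body}</saml:AttributeStatement></saml:Assertion>")


# Constructed sample inputs using the values from the question.
SAMPLE_JWT = _constructed_jwt({
    "aud": "api://constructed-example", "roles": ["roleb", "rolea"],
    "given_name": "first_name", "family_name": "last_name",
})
SAMPLE_SAML = _constructed_saml(
    {ROLE_URI: ["rolea", "roleb"], GIVENNAME_URI: ["first_name"], SURNAME_URI: ["last_name"]})
# Same user without a surname in the profile: the attribute is simply not issued.
SAMPLE_SAML_NO_SURNAME = _constructed_saml({ROLE_URI: ["rolea"], GIVENNAME_URI: ["first_name"]})

if __name__ == "__main__":
    print(claims_from_jwt(jwt_payload(SAMPLE_JWT)))
    print(claims_from_saml(SAMPLE_SAML))
    print(claims_from_saml(SAMPLE_SAML_NO_SURNAME))
```

Both parsers return the same dictionary for the same user, so `has_role` and any downstream logic need not know which protocol delivered the claims; the SAML path deliberately keys on the full claim-type URI (`Name` attribute), which is the form the question asked for, while the JWT path accepts both the short names Entra ID actually issues and the URI names in case a custom claim mapping emits them.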

