
Azure AD Claims Transformation of UPN

Anonymous
2023-02-02T23:24:00.8433333+00:00

I have a scenario where I have a user with 2 accounts used for federation:

  1. standard user with mailbox (UPN format ******@company.com)
  2. admin user with no mailbox. (UPN format is ******@company.com)

I need to build a SAML claim that provides:

  1. Required claims: Unique User Identifier (Name ID) value is user.userprincipalname (Admin Account UPN)
  2. Additional claims: email value is user.userprincipalname (Admin account UPN with -a removed)

I need the transform rule to replace "-a@" with "@". How do I accomplish this?


1 answer

  1. Harpreet Singh Matharoo 8,421 Reputation points Microsoft Employee Moderator
    2023-02-06T10:21:52.1566667+00:00

    Hello @Chris Meisner

    Thank you for reaching out. I would like to inform you that you can use the RegExReplace transformation type in a claim transformation rule to transform the UPN from ******@contoso.com to ******@contoso.com, as shown in the screenshot below.


    You can modify the pattern as per your requirement and test the claim transformation in the Azure Portal itself before saving the rule.

    For more information, you can review the following: Customize claims issued in the SAML token for enterprise applications.

    I hope this answer helps to resolve your issue.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

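As an added illustration (not part of the question or the answer above), the following Python script prototypes the RegExReplace rule offline before it goes into the portal: it strips only the literal "-a" that sits immediately before "@", leaves a standard user's UPN untouched, and keeps the NameID claim as the raw admin UPN. The sample UPNs are constructed, and the `{group}` substitution syntax is my reading of Azure AD's claim transformation documentation, so the portal's own test button remains the authority.

```python
import re

# Constructed sample UPNs (not taken from the original post).
ADMIN_UPN = "jdoe-a@company.com"
USER_UPN = "jdoe@company.com"

# Rule written in Azure AD RegExReplace style: named groups, anchored so that
# only the "-a" immediately before "@" is removed.  Azure AD substitutes
# groups as "{name}" (assumption); Python's re module wants "\g<name>".
AZURE_PATTERN = r"^(?<user>.+?)-a@(?<domain>.+)$"
AZURE_REPLACEMENT = "{user}@{domain}"


def to_python_regex(pattern: str, replacement: str) -> tuple[str, str]:
    """Translate Azure-style named groups and substitutions to Python's re syntax."""
    py_pattern = pattern.replace("(?<", "(?P<")
    py_replacement = re.sub(r"\{(\w+)\}", r"\\g<\1>", replacement)
    return py_pattern, py_replacement


def email_claim(upn: str) -> str:
    """Value the additional 'email' claim would carry for this UPN.

    A UPN without a trailing "-a" before "@" is returned unchanged, which is
    the behaviour wanted for the standard (mailbox) account.
    """
    pat, repl = to_python_regex(AZURE_PATTERN, AZURE_REPLACEMENT)
    return re.sub(pat, repl, upn, count=1)


def saml_claims(upn: str) -> dict:
    """NameID stays the untransformed UPN; only the email claim is rewritten."""
    return {"nameid": upn, "email": email_claim(upn)}


if __name__ == "__main__":
    for upn in (ADMIN_UPN, USER_UPN):
        print(upn, "->", saml_claims(upn))
```

Because the pattern is case-sensitive and anchored, a UPN such as "jdoe-A@company.com" or one whose "-a" is not directly before "@" is left alone, which is usually what you want when the email claim must map to a real mailbox.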
