Azure AD Claims Transformation of UPN

Chris Meisner 10 Reputation points
2023-02-02T23:24:00.8433333+00:00

I have a scenario where I have a user with 2 accounts used for federation:

  1. standard user with mailbox (UPN format ******@company.com)
  2. admin user with no mailbox (UPN format is ******@company.com)

I need to build a SAML claim that provides:

  1. Required claims: Unique User Identifier (Name ID) value is user.userprincipalname (Admin Account UPN)
  2. Additional claims: email value is user.userprincipalname (Admin account UPN with -a removed)

I need the transform rule to replace "-a@" with "@". How do I accomplish this?


1 answer

  1. Harpreet Singh Matharoo 8,321 Reputation points Microsoft Employee
    2023-02-06T10:21:52.1566667+00:00

    Hello @Chris Meisner

    Thank you for reaching out. I would like to inform you that you can use the RegExReplace transformation type in a claim transformation rule to transform the UPN from ******@contoso.com to ******@contoso.com, as shown in the screenshot below.

    [screenshot not reproduced]

    You can modify the pattern as per your requirement and test the claim transformation in the Azure Portal itself before saving the rule.

    For more information you can review following details: Customize claims issued in the SAML token for enterprise applications.

    I hope this answer helps to resolve your issue.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

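The transformation described in the question and answer, worked through as an added example (not part of the original thread and not the Azure portal's own rule syntax): the Name ID stays the admin UPN, while the email claim is derived by stripping a trailing "-a" from the local part only. The regex, the sample UPNs and the claim dictionary shape are constructed for illustration; Python's `(?P<name>...)` named groups correspond to the `(?<name>...)` form used by .NET regular expressions, so the same pattern idea carries over to a RegExReplace rule.

```python
import re

# Constructed pattern: match "<local>-a@<domain>" and nothing else.
# Anchoring on "-a@" (rather than any "-a") means a UPN such as
# "jane-abe@company.com" is left untouched.
ADMIN_SUFFIX_RE = re.compile(r"^(?P<local>[^@]+)-a@(?P<domain>[^@]+)$")


def admin_upn_to_email(upn: str) -> str:
    """Return the mailbox address for an admin UPN; non-admin UPNs pass through."""
    match = ADMIN_SUFFIX_RE.match(upn)
    if match is None:
        return upn  # no "-a@" suffix: already the standard account UPN
    return f"{match['local']}@{match['domain']}"


def naive_strip(upn: str) -> str:
    """What a plain substring replace of "-a" does: shown only to contrast the
    anchored regex above. It corrupts local parts that merely contain "-a"."""
    return upn.replace("-a", "")


def build_saml_claims(upn: str) -> dict:
    """Assemble the two claims the question asks for (constructed dict layout).

    Name ID must stay the unique admin UPN; only the email claim is rewritten.
    """
    return {
        "nameid": upn,
        "email": admin_upn_to_email(upn),
    }


if __name__ == "__main__":
    # Constructed sample UPNs.
    for sample in ("jdoe-a@company.com", "jdoe@company.com", "jane-abe@company.com"):
        print(sample, "->", build_saml_claims(sample))
    print("naive:", naive_strip("jane-abe@company.com"))
```

Testing the pattern in the portal before saving, as the answer suggests, is worth doing with a UPN that contains "-a" somewhere other than the end of the local part, since that is the case the naive replacement gets wrong.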
