How do I map a group's custom attribute to an attribute in a SAML response for some group member in Azure AD?

Alon 0 Reputation points
2023-02-22T13:09:55.77+00:00

I'm trying to use Azure AD as an identity provider for my application (using Auth0 as the service provider). To that end, I've created a connection to Auth0 using the SAML protocol.
Next, I wish to include in the SAML response that is sent to Auth0 on user authentication a custom attribute (call it 'myAppRoles') that I'd assigned to the user. This custom attribute includes the role that the user will have in my application – i.e. it is some string that is only relevant within the context of my application. I'd managed to achieve this by extending the directory via the Graph API and mapping it to a SAML claim from within the Azure portal.
Finally, what I need is to be able to attach said custom attribute to a group, so that the custom attribute will then be automatically attached to every member of that group. To clarify, say I assign the 'myAppRoles' attribute to some group; I wish for every member of that group to have the same 'myAppRoles' value. Ideally, I would like an aggregate of all the values from the various groups that a user might be a member of to be attached to said user.
I found nothing on my use case online. I would love to know if it's achievable, and if not – what might be the best way to assign a custom attribute to (batches of) users in a way that is idiomatic to Azure AD?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Alon 0 Reputation points
    2023-02-22T14:26:10.5233333+00:00

    I've ended up finding the solution in the following article.

    Basically, I can do the exact thing that I needed by creating custom roles for my app. Then, I can assign those custom roles to individual users, or to entire groups.

    Just like the article states, I map a custom claim to the user's 'assignedRoles' attribute, and all values for those custom roles are sent over the SAML response.


  2. Sandeep G-MSFT 20,911 Reputation points Microsoft Employee Moderator
    2023-02-28T09:06:34.0533333+00:00

    @Alon

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

    Since the Microsoft Q&A community has a policy that "[The question author cannot accept their own answer. They can only accept answers by others](https://docs.microsoft.com/en-us/answers/support/accepted-answers#why-only-one-accepted-answer)",

    I'll repost your solution in case you'd like to "[Accept](https://docs.microsoft.com/en-us/answers/support/accepted-answers#accepted-answer-in-a-question-thread)" the answer.

    As per your query, you have fixed the issue by following the article below:

    https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps

    Basically, you can do the exact thing that you needed by creating custom roles for your app. Then, you can assign those custom roles to individual users, or to entire groups.

    Just like the article states, you can map a custom claim to the user's 'assignedRoles' attribute, and all values for those custom roles are sent over the SAML response.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

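Both answers above describe the same mechanism: app roles defined on the application registration are assigned to users or groups, and mapping a claim to `user.assignedroles` makes Azure AD emit every assigned role value as an `AttributeValue` under one SAML attribute. The service-provider side then has to read that multi-valued attribute and decide which values it trusts. The script below is an added example (not code from the question, the answers, or Microsoft) showing how a relying party would extract the role values from an assertion and check them against the roles the app actually defines. The assertion XML, the claim name `myAppRoles`, the role values and the `APP_ROLES` table are all constructed assumptions for this illustration; signature and audience validation of the response are assumed to have already been done by your SAML library before this parsing step.

```python
"""Extract and check the multi-valued app-role claim from an Azure AD SAML assertion.

Added example, not from the question or answers. The assertion, claim name and
role values below are CONSTRUCTED for illustration. Signature, issuer and
audience validation are assumed to have happened before this code runs.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed claim name chosen when mapping user.assignedroles in the portal.
ROLE_CLAIM = "myAppRoles"

# Assumed app-role definitions, mirroring the shape of appRoles entries in an
# app registration manifest (value -> displayName). Constructed for this example.
APP_ROLES = {
    "myAppRoles.reader": "Reader",
    "myAppRoles.editor": "Editor",
    "myAppRoles.admin": "Admin",
}

# Constructed sample assertion: the user belongs to two groups, each assigned one
# app role, so the claim carries two AttributeValue elements (the aggregate the
# question asked for).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-id" Version="2.0" IssueInstant="2023-02-22T13:09:55Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alon@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="myAppRoles">
      <saml:AttributeValue>myAppRoles.reader</saml:AttributeValue>
      <saml:AttributeValue>myAppRoles.editor</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alon@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_roles(assertion_xml: str, claim_name: str = ROLE_CLAIM) -> list:
    """Return every AttributeValue of the named attribute, in document order.

    A role claim mapped to user.assignedroles is multi-valued: one
    AttributeValue per assigned app role, whether assigned directly or via a group.
    """
    root = ET.fromstring(assertion_xml)
    roles = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != claim_name:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            text = (value.text or "").strip()
            if text:
                roles.append(text)
    return roles


def authorize_roles(claimed, known=None):
    """Split claimed role values into those the app defines and those it does not.

    Only values that match a defined app role are honoured; anything else is
    reported so it can be logged rather than silently mapped to a permission.
    """
    known = APP_ROLES if known is None else known
    accepted = {r for r in claimed if r in known}
    rejected = set(claimed) - accepted
    return accepted, rejected


if __name__ == "__main__":
    claimed = extract_roles(SAMPLE_ASSERTION)
    ok, bad = authorize_roles(claimed)
    print("roles in assertion:", claimed)
    print("accepted:", sorted(ok), "rejected:", sorted(bad))
```

The check in `authorize_roles` matters because the role claim is only as trustworthy as the assignment it reflects: a value that is not one of the app's defined roles should never be mapped to a permission, and in production the XML should be parsed with a hardened parser (for example `defusedxml`) or, better, left to the SAML library that already verified the response signature.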
