Hello, the following claims are available from Azure AD:
- phone: several options (facsimiletelephonenumber, mobilephone, telephonenumber) available using Customize claims issued in the JSON web token (JWT) for enterprise applications (Preview).
- email: This value is included by default if the user is a guest in the tenant. For managed users (the users inside the tenant), it must be requested through this optional claim or, on v2.0 only, with the OpenID scope.
- picture: the payload is not available as a claim, mostly due to size constraints or concerns. This will require an additional system, as you have already found out. You can obtain the specific MS Graph image endpoint (picture attribute, intended to be accessed only by the authenticated user) by querying the OIDC UserInfo endpoint.
- officeLocation: this claim is available using Customize claims issued in the JSON web token (JWT) for enterprise applications (Preview).
Regarding Keycloak configuration, take a look at OIDC token and SAML assertion mappings.
Let us know if you need additional assistance. If the answer was helpful, please accept it so that others can find a solution.