Adding custom claims to JWT token for App Registration using ClaimsMappingPolicy (OIDC Auth Code Flow)

Question

Adding custom claims to JWT token for App Registration using ClaimsMappingPolicy (OIDC Auth Code Flow)

Matt Rasmussen 0

This article shows the process I am familiar with when adding a custom claim such as EmployeeID to the JWT token that is passed in the OIDC auth code flow: https://learn.microsoft.com/en-us/answers/questions/260800/custom-static-claim-in-jwt-token

However Claims mapping policies link referred to on this post above no longer contains information on how to add the claim via the claims mapping policy in Azure AD Powershell. In fact it redirects to information on SAML now. This change to the documentation occurred right around the end of January.

It doesn't appear that Microsoft has deprecated this functionality, so is there a reason this information has been removed from the learn.microsoft.com portal?

Thanks

JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator

2023-03-31T18:01:29.21+00:00

@Matt Rasmussen

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

1 answer

Your answer

JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator

2023-03-31T18:01:29.21+00:00

@Matt Rasmussen

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

Answer 1

Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Moderator

Hello @Matt Rasmussen , claims mapping policy PowerShell samples used the Azure AD PowerShell module which is being replaced by the Microsoft Graph PowerShell SDK. You can find samples for the latter in the Microsoft Graph documentation. Go to the Examples section and select the PowerShell tab for any.

Import-Module Microsoft.Graph.Identity.SignIns

$params = @{
	Definition = @(
		"{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true","ClaimsSchema": [{"Source":"user","ID":"userprincipalname","SamlClaimType":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"},{"Source":"user","ID":"givenname","SamlClaimType":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"},{"Source":"user","ID":"displayname","SamlClaimType":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"},{"Source":"user","ID":"surname","SamlClaimType":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"},{"Source":"user","ID":"userprincipalname","SamlClaimType":"username"}],"ClaimsTransformation":[{"ID":"CreateTermsOfService","TransformationMethod":"CreateStringClaim","InputParameters": [{"ID":"value","DataType":"string", "Value":"sandbox"}],"OutputClaims":[{"ClaimTypeReferenceId":"TOS","TransformationClaimType":"createdClaim"}]}]}}"
	)
	DisplayName = "Test1234"
}

New-MgPolicyClaimMappingPolicy -BodyParameter $params

Alternatively you can use the Azure Portal UI as detailed in Customize claims issued in the JSON web token (JWT) for enterprise applications (Preview)

Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing similar issues can more easily find a solution.

Matt Rasmussen 0 Reputation points

2023-03-23T17:47:12.69+00:00

Hi @Alfredo Revilla - Upwork Top Talent | IAM SWE SWA , thank you for the response.

When will Azure AD PowerShell module be replaced? Will existing claims mapping policies done through that old method continue to work after this switch? Or will new policies need to be added?

We have not seen success from our clients in adding additional claims through the Azure UI as documented here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-jwt-claims-customization but this may be just improper implementation of it.

Judging by that documentation, it seems as though the process to add EmployeeID to the JWT token would be as follows:

Name: employeeid (would this be similar to the JWTClaimType value from the claims mapping policy, and would this be the value the SP needs to map on their end?)

Source Attribute: Would this dropdown contain all of the available attributes as listed under Table 3: Valid ID values per source on this page https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-claims-mapping-policy-type

Any information would be greatly appreciated.

Thanks
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator

2023-03-24T01:28:07.1233333+00:00

Hi @Matt Rasmussen . Azure AD Powershell is planned to be deprecated on June 30, 2023 so the sooner you move to Microsoft Graph PowerShell the better. Can you share your additional claims customization? Regarding employeeid this would be the claimSchema: {"JwtClaimType":"employeeid","Source":"user","ID":"employeeid"}
Matt Rasmussen 0 Reputation points

2023-06-05T20:50:53.9766667+00:00

So adding this claim to Attributes & Claims section of the enterprise applications blade as such. And then the service provider is mapping to the "employeeid" claim. But the missing piece which I couldn't find in the Azure documentation was that you need to also edit the app registration Manifest to set AcceptMappedClaims = True Only once that was done, would this work.

Share via

Adding custom claims to JWT token for App Registration using ClaimsMappingPolicy (OIDC Auth Code Flow)

1 answer

Your answer