Azure AD custom attribute (on-premises extension attribute)

Nitish Sharma 441 Reputation points
2023-08-11T07:55:11.83+00:00

I am working on a solution for a client where they want Azure AD SSO authentication, so we have implemented that using an Application Registration and an interactive authentication. Now they are looking to fetch certain on-premises attributes as part of the access token, which are synced from on-prem to Azure AD. An access claim policy has been set up for that app registration so that we are able to get the value in the access token, but it doesn't seem to be working.

In the app registration manifest file we have set acceptMappedClaims to true, but that's not helping.

I have gone through multiple documentation pages but a clear solution is not available anywhere, and I have tried a mix of solutions but nothing has worked so far.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
Sandeep G-MSFT 20,921 Reputation points Microsoft Employee Moderator
    2023-08-16T10:19:57.1766667+00:00

    @Nitish Sharma

    To get the on-premises attribute in the access token, first you will have to sync that particular attribute to Azure AD. If it is a custom attribute in on-premises AD, then you will have to use the AD Connect directory extension feature and sync the custom attribute to Azure AD using AD Connect.

    You can refer to the article below to sync the custom attribute using AD Connect.

    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/connect/how-to-connect-sync-feature-directory-extensions

    Once you have the attribute synced to Azure AD, you will have to create a claims policy in Azure and link the policy to the corresponding service principal of the registered application.

    In the claims policy you will have to configure the claims which need to be sent in the access token.

    You can follow the steps below to configure the policy and link it to the corresponding service principal.

    In the example below, consider sending the attribute "onPremisesSamAccountName" from Azure AD as a claim in the access token.

    You can add the onPremisesSamAccountName to the claims and send it within an access token.

    You can follow the steps mentioned below:

    1. Create an AzureADPolicy.

       New-AzureADPolicy -Definition @('{
           "ClaimsMappingPolicy": {
               "Version": 1,
               "IncludeBasicClaimSet": "true",
               "ClaimsSchema": [
                   {
                       "Source": "user",
                       "ID": "employeeid",
                       "SamlClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/employeeid",
                       "JwtClaimType": "employeeid"
                   },
                   {
                       "Source": "user",
                       "ID": "mail",
                       "SamlClaimType": "http://schemas.microsoft.com/identity/claims/emailaddress",
                       "JwtClaimType": "mail"
                   },
                   {
                       "Source": "user",
                       "ID": "onpremisessamaccountname",
                       "SamlClaimType": "samaccountname",
                       "JwtClaimType": "samAccountName"
                   },
                   {
                       "Source": "user",
                       "ID": "department",
                       "SamlClaimType": "http://schemas.microsoft.com/identity/claims/department",
                       "JwtClaimType": "department"
                   }
               ]
           }
       }') -DisplayName "CustomClaimsPolicy1" -Type "ClaimsMappingPolicy"

    2. Attach the newly created AzureADPolicy to the service principal of the specific Azure AD app for which the token would be requested.

       Add-AzureADServicePrincipalPolicy -Id "{object id of service principal}" -RefObjectId "{object id of policy}"

    3. To check whether the policy was successfully added to the service principal:

       Get-AzureADServicePrincipalPolicy -Id "{object id of service principal}"

    4. Next, use the Authorization Code flow of OAuth 2.0 and request a code from AAD.

    5. Once you have the code, use it to request an access token from AAD for the above app, on whose service principal the AzureADPolicy was added. [I used the POSTMAN tool to test the same]

       ![alt text](https://learn-attachment.microsoft.com/api/attachments/1981-postmansnip.png?platform=QnA)

    6. Once you get the access token, use https://jwt.ms to see the decoded JWT, and you should see the SamAccountName listed in it as a claim.

       ![alt text](https://learn-attachment.microsoft.com/api/attachments/1971-claims.png?platform=QnA)
    Let me know if you have any further questions on this.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
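    The check in the last step of the accepted answer (decode the token and look for the mapped claim), as an added Python example that is not part of the answer or of any Microsoft tool: it splits a compact JWT the way https://jwt.ms does, reports which of the policy's JwtClaimType names are absent from the payload, and builds a constructed, unsigned sample token so it runs offline without a tenant. The tenant id, audience and user values in the samples are placeholders. The decoder deliberately does no signature validation, so it is a debugging aid only; the API that consumes the token still validates signature, issuer, audience and expiry before relying on any of these claims.

```python
import base64
import json
from typing import Any

# JwtClaimType values from the claims mapping policy in the accepted answer;
# these are the claim names we expect to find in the decoded access token.
EXPECTED_MAPPED_CLAIMS = ("employeeid", "mail", "samAccountName", "department")


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    """Inverse of _b64url_decode (used only to build the constructed sample)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> tuple[dict[str, Any], dict[str, Any]]:
    """Split a compact JWS into (header, payload) WITHOUT checking the signature.

    Inspection only, the same thing https://jwt.ms does. A resource API must
    not act on claims obtained this way; it validates the signature against
    the tenant's published signing keys plus iss, aud and exp first.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def missing_mapped_claims(payload: dict[str, Any],
                          expected=EXPECTED_MAPPED_CLAIMS) -> list[str]:
    """Return the expected mapped claims that are absent or empty in the payload.

    An empty list means the claims mapping policy took effect for this token.
    """
    return [name for name in expected if payload.get(name) in (None, "")]


def build_sample_token(payload: dict[str, Any]) -> str:
    """Build a CONSTRUCTED, unsigned (alg=none) token for offline demonstration.

    Real Azure AD access tokens are signed; this helper exists only so the
    decoder above can be exercised without a tenant.
    """
    header = {"typ": "JWT", "alg": "none"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        "",  # empty signature segment
    ])


# Constructed sample payloads (placeholder tenant id, audience and user values).
_BASE_CLAIMS = {
    "aud": "api://placeholder-app-id",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "upn": "alice@example.com",
}
TOKEN_WITH_MAPPED_CLAIMS = build_sample_token({
    **_BASE_CLAIMS,
    "employeeid": "12345",
    "mail": "alice@example.com",
    "samAccountName": "alice",
    "department": "Security",
})
# What the questioner sees: only the basic claim set, policy not applied.
TOKEN_WITHOUT_MAPPED_CLAIMS = build_sample_token(_BASE_CLAIMS)


def report(token: str) -> dict[str, Any]:
    """Summarise one token: algorithm, and which mapped claims are present/missing."""
    header, payload = decode_jwt_unverified(token)
    missing = missing_mapped_claims(payload)
    return {
        "alg": header.get("alg"),
        "present": {k: payload[k] for k in EXPECTED_MAPPED_CLAIMS if k not in missing},
        "missing": missing,
    }


if __name__ == "__main__":
    for label, tok in (("policy applied", TOKEN_WITH_MAPPED_CLAIMS),
                       ("policy not applied", TOKEN_WITHOUT_MAPPED_CLAIMS)):
        print(label, json.dumps(report(tok), indent=2))
```

    To use it against a real token, paste the access token string obtained in step 5 into `report()`; a non-empty `missing` list with the policy attached usually points back at the earlier steps (the attribute not synced, or the policy not linked to the right service principal).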


1 additional answer

Jimmy Salian-2011 42,511 Reputation points
    2023-08-11T15:17:00.9633333+00:00

    Hi Nitish,

    Have you tried the custom attribute mapping via cloud sync or AAD Connect? This will require some custom configuration via expression mapping, and this will allow you to customize attributes using a script-like expression.

    Check this article, and if it does not help you might need to raise a support case with Microsoft to work on this solution: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/cloud-sync/how-to-attribute-mapping

    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/cloud-sync/reference-expressions

    Hope this helps.

    JS

    ==

    Please Accept the answer if the information helped you. This will help us and others in the community as well.

