Adding On-prem SAM account name in JWT access token

Venkata Pavan Kumar Dasa 0 Reputation points
2023-11-19T10:10:21.04+00:00

I am getting error like "C:\azureclitaskscript17057276.sh: line 13: $'={\n "accessToken": [\n {\n "name": "On-premises SAM account name",\n "source": null,\n "essential": false,\n "additionalProperties": []\n\n }\n ] \n}': command not found

ERROR: Unsupported or invalid query filter clause specified for property 'identifierUris' of resource 'Application'."


1 answer

  1. Sandeep G-MSFT 20,906 Reputation points Microsoft Employee Moderator
    2023-11-20T05:48:06.04+00:00

    @Anonymous

    Thank you for posting this in Microsoft Q&A.

    As I understand, you are trying to configure a claim to get the on-prem SAM account name as a claim in the JWT access token.

    You can configure this by using AzureADserviceprincipalpolicy. This will link a policy with the service principal in Azure AD. Whenever this service principal is accessed, it will emit claims which are configured for this application.

    You can follow the steps mentioned below:

    • Create an AzureADPolicy.

    New-AzureADPolicy -Definition @('{
        "ClaimsMappingPolicy": {
            "Version": 1,
            "IncludeBasicClaimSet": "true",
            "ClaimsSchema": [
                {
                    "Source": "user",
                    "ID": "onpremisessamaccountname",
                    "SamlClaimType": "samaccountname",
                    "JwtClaimType": "samAccountName"
                }
            ]
        }
    }') -DisplayName "CustomClaimsPolicy1" -Type "ClaimsMappingPolicy"

    • After this, you will have to attach the newly created AzureADPolicy to the service principal of the specific Azure AD app for which the token will be requested.

    Add-AzureADServicePrincipalPolicy -Id {object id of service principal} -RefObjectId {object id of policy}

    • To check if the policy is successfully added to the ServicePrincipal or not:

    Get-AzureADServicePrincipalPolicy -Id "{object id of service principal}"

    • Next, you can use the Authorization Code flow of OAuth 2.0 and request an authorization code from AAD.
    • Once you have the code, use it to request an access token from AAD for the above app, on whose ServicePrincipal the AzureADPolicy was added. [I used the POSTMAN tool to test the same]


    • Once you get the access token, use https://jwt.ms to see the decoded JWT, and you should see samAccountName listed in it as a claim.


    Let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
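The following script is an added example that walks through the steps in the answer above end to end; it is not the answerer's code or Microsoft's. It builds the claims mapping policy as a PowerShell object and lets ConvertTo-Json emit the JSON, which sidesteps the kind of shell quoting failure shown in the question, resolves the service principal from its application ID, attaches and verifies the policy, and then decodes the returned JWT locally to confirm the mapped claim is present. The $AppId parameter and the CustomClaimsPolicy1 name are assumptions (placeholders), and it assumes the AzureAD module is installed and Connect-AzureAD has already been run.

```powershell
# Added example (not the answer's own code). Assumes the AzureAD module is
# loaded and Connect-AzureAD has already been run with sufficient rights.
param(
    # Application (client) ID of the API app whose tokens should carry the claim.
    # Placeholder: supply your own value.
    [Parameter(Mandatory)] [string] $AppId,
    [string] $PolicyName = "CustomClaimsPolicy1"   # assumed display name
)

# 1. Build the policy definition as an object and serialize it, instead of
#    hand-writing a JSON string inside shell quotes.
$definition = @{
    ClaimsMappingPolicy = @{
        Version              = 1
        IncludeBasicClaimSet = "true"
        ClaimsSchema         = @(
            @{
                Source        = "user"
                ID            = "onpremisessamaccountname"
                SamlClaimType = "samaccountname"
                JwtClaimType  = "samAccountName"
            }
        )
    }
}
$json = $definition | ConvertTo-Json -Depth 10

# 2. Create the claims mapping policy.
$policy = New-AzureADPolicy -Definition @($json) -DisplayName $PolicyName -Type "ClaimsMappingPolicy"

# 3. Resolve the service principal from the app ID and attach the policy,
#    skipping the Add if it is already linked.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal found for appId $AppId" }

$attached = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId
if (-not ($attached | Where-Object { $_.Id -eq $policy.Id })) {
    Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
}

# 4. Verify: the new policy should now be listed on the service principal.
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId | Select-Object Id, DisplayName, Type

# 5. Decode the JWT payload locally and report whether the mapped claim is
#    present. This is the same check jwt.ms performs, without pasting a live
#    access token into a third-party website.
function Test-SamAccountNameClaim {
    param([Parameter(Mandatory)] [string] $AccessToken)

    $payload = $AccessToken.Split('.')[1]
    # base64url -> base64: restore the standard alphabet and padding
    $payload = $payload.Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json

    if ($claims.PSObject.Properties.Name -contains 'samAccountName') {
        "samAccountName claim present: $($claims.samAccountName)"
    } else {
        "samAccountName claim missing: check the policy attachment and the app's acceptMappedClaims / signing key configuration"
    }
}

# Usage after obtaining a token with the authorization code flow:
#   Test-SamAccountNameClaim -AccessToken $token
```

The decode step only parses the payload; it does not validate the signature, so use it for inspecting claims, not for trusting a token. One caveat worth checking if the claim still does not appear: for JWT access tokens, an app that consumes mapped claims must either have acceptMappedClaims set to true in its manifest or use a custom signing key, otherwise token issuance fails for that app.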
