How to replicate ADFS SAML issuance rules in Entra ID enterprise App

Andy R 0 Reputation points

We are starting to look at moving our ADFS trusts into Entra and I am struggling with how to replicate this type of scenario in an Entra SAML app.


As an example we have:

Local AD groups (these would be synced into Entra ID)

A user would be in one of each type of group.


There is an ADFS RPT and we would then have these three SAML issuance rules in ADFS for the RPT:


c:[Type == "", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://temp/variable"), query = ";tokenGroups;{0}", param = c.Value);

c:[Type == "http://temp/variable", Value =~ "(?i)^BusStop-"]
 => issue(Type = "https://Bus/Stop", Value = RegExReplace(c.Value, "BusStop-", ""));

c:[Type == "http://temp/variable", Value =~ "(?i)^BusSeat-"]
 => issue(Type = "https://Bus/Seat", Value = RegExReplace(c.Value, "BusSeat-", ""));



I can do a group claim, with a filter and then a regex-based transform, to do one of the 2 items, but then I am unable to add a second group claim as the option is greyed out.
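An added example, not part of the post and not Microsoft code: a Python check that models the three ADFS rules above (a plain group list stands in for the tokenGroups lookup) and compares the claims they would issue with the attributes actually present in a SAML assertion from the Entra app, so a migrated app can be validated before cutover. The group names and assertion fragment are constructed; stripping the prefix case-insensitively, to mirror the `(?i)` in the match rules, is an assumption about RegExReplace.

```python
import re
import xml.etree.ElementTree as ET

# Modelled from the two issue() rules in the post: (prefix pattern, claim type issued).
# Case-insensitive prefix stripping is an assumption about ADFS RegExReplace.
RULES = [
    (re.compile(r"(?i)^BusStop-"), "https://Bus/Stop"),
    (re.compile(r"(?i)^BusSeat-"), "https://Bus/Seat"),
]

def expected_claims(token_groups):
    """Simulate the ADFS rule set: claim type -> set of values it would issue."""
    claims = {}
    for group in token_groups:
        for pattern, claim_type in RULES:
            if pattern.match(group):
                # Groups matching no rule are dropped, exactly as the original rules do.
                claims.setdefault(claim_type, set()).add(pattern.sub("", group, count=1))
    return claims

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def assertion_claims(assertion_xml):
    """Read claim type -> set of values from a SAML 2.0 AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = {v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)}
        claims[attr.get("Name")] = values
    return claims

def diff_claims(expected, actual):
    """Return discrepancies between the modelled and observed claims (empty = match)."""
    problems = []
    for claim_type in sorted(set(expected) | set(actual)):
        exp, act = expected.get(claim_type, set()), actual.get(claim_type, set())
        if exp != act:
            problems.append(f"{claim_type}: expected {sorted(exp)}, got {sorted(act)}")
    return problems

# Constructed sample: a user's groups and an assertion fragment as an Entra app might emit it.
# The Seat value below was deliberately left untransformed to show the check catching it.
SAMPLE_GROUPS = ["BusStop-Central", "busseat-12A", "Domain Users"]
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://Bus/Stop"><saml:AttributeValue>Central</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="https://Bus/Seat"><saml:AttributeValue>busseat-12A</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Running `diff_claims(expected_claims(SAMPLE_GROUPS), assertion_claims(SAMPLE_ASSERTION))` reports the Seat claim whose prefix was not stripped, which is the kind of mismatch a case-sensitive or missing transform on the Entra side produces.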
