![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 94%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Windows Server 2019
A Microsoft server operating system that supports enterprise-level management updated to data storage.
4,046 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 50%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMS%3C/text%3E%3C/svg%3E)
Hello,
AD FS is quite opinionated when it comes to the contents of its id_tokens. In short, while you have a fair amount of control over the claims in an access_token using claim rules in your trusted relying party configuration, modifying the id_token—especially fields like "sub"—is not supported.
Here are some details and considerations:
- "sub" Claim Behavior
• The "sub" (subject) claim in id_tokens is automatically generated by AD FS. It’s designed to be a stable, opaque value that uniquely represents the user for that relying party.
• Because it’s generated internally (often as a hash based on one or more attributes), AD FS does not let you change how it is produced even if you change claim rules—this is by design to ensure consistency and security.
- Adding Custom Claims (e.g., "on_premises_account")
• While you may be able to add or transform claims for the access_token through custom claim rules, those rules do not necessarily affect the id_token.
• AD FS separates how it constructs the id_token and the access_token. For the id_token you’ll find that many claims (other than a few explicitly supported ones) are not modifiable via the usual claim rule interface.
- Workarounds and Alternatives
• If you need to include additional application-specific information (like "on_premises_account") in the id_token, one common suggestion is to consider whether that information might be conveyed via another mechanism (such as a separate lookup, or by enhancing your client application to make a call to a userinfo endpoint if available).
• Some deployments have resorted to building a custom security token service (STS) or insertion of a proxy layer that modifies tokens after AD FS issues them. However, this comes with significant complexity and is generally not recommended because it can break interoperability and security guarantees.
If the Answer is helpful, please click "Accept Answer" and upvote it.