Azure AD SAML - Claim Conditions on nameidentifier (required Name ID) claim

coaxke 21 Reputation points

Hi Azure AD Team,

I just deployed an application in my tenant with some crazy claim transforms but ran into an issue when attempting to apply claim conditions on a required NameID claim:

In my application, for some users I want to emit a static value if the user is a member of a group - this works fine if the claim is of type "Additional" - for example, the following claim emits a static role if the user is a member of a specific group:


The above works great!

If I attempt to do the same for the NameID claim the value is not re-written (I know this is a strange scenario). The only workaround is to create a claim condition of type Transformation instead of Attribute - consider the following examples:

This will not work:


This will work:


Is this perhaps a known issue or am I doing something unsupported here?

Hopefully my description is understandable :)


Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

Accepted answer
  1. AmanpreetSingh-MSFT 56,441 Reputation points

    @coaxke Thanks for the clarification. When you select Attribute, the value has to be the name of an attribute. You cannot pass a static value in that case. To pass a static value, the Transformation option needs to be used.


    Please "Accept as answer" wherever the information provided helps you to help others in the community.

2 additional answers

  1. AmanpreetSingh-MSFT 56,441 Reputation points

    @coaxke I just tested the same settings for Name ID in my tenant and it worked perfectly fine for me.


    Below is the snip from token with the same value being passed as name ID:


    If you are not getting the specified static value in the token, what do you get in the token as Name ID?

    With the information that you have shared, the only thing that I can think of which might be causing the issue in your case is that the user account you are testing with doesn't have an email address. In that case, the condition will not match and the rule will not apply.


    Please Accept as answer wherever the information provided helps you to help others in the community.

    1 person found this answer helpful.
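The answer above asks what actually arrives in the token as Name ID. The following is an added example, not code from this thread or from Microsoft, that decodes a base64 `SAMLResponse` (as posted to the application's ACS URL) and reports the NameID, its Format and the attribute claims, so you can tell whether the static value, the fallback attribute (for example the user's email when the condition did not match) or nothing at all was emitted. The SAML response embedded below is constructed for the example; the issuer GUID and assertion IDs are placeholders, and the role and emailaddress claim URIs are assumed to be the standard ones. The snippet only inspects the XML and does not validate the assertion signature, so it is a diagnostic aid rather than a substitute for the SAML library your application uses.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by the Response and Assertion elements.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response (placeholder issuer/IDs, not a real token from the thread).
# NameID carries a static value, plus a static role claim and the user's email claim.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_response-placeholder" Version="2.0">
  <saml:Assertion ID="_assertion-placeholder" Version="2.0">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">svc-finance</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
        <saml:AttributeValue>FinanceReader</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"


def encode_saml_response(xml_text: str) -> str:
    """Base64-encode a response the way it appears in the SAMLResponse form field."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def inspect_saml_response(saml_response_b64: str) -> dict:
    """Decode a base64 SAMLResponse and return issuer, NameID, NameID Format and attributes."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # An EncryptedAssertion would land here; decrypt it first before inspecting.
        raise ValueError("no plain saml:Assertion element found in the response")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values

    return {
        "issuer": assertion.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "name_id": (name_id.text or "").strip() if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attributes,
    }


def name_id_matches(saml_response_b64: str, expected_static_value: str) -> bool:
    """True when the NameID carries the static value the claim condition was meant to emit."""
    return inspect_saml_response(saml_response_b64)["name_id"] == expected_static_value


if __name__ == "__main__":
    token = encode_saml_response(SAMPLE_RESPONSE_XML)
    info = inspect_saml_response(token)
    print("Issuer:        ", info["issuer"])
    print("NameID:        ", info["name_id"], "(format:", info["name_id_format"] + ")")
    print("Role claim:    ", info["attributes"].get(ROLE_CLAIM))
    print("Static NameID? ", name_id_matches(token, "svc-finance"))
```

To use it against a real login, paste the `SAMLResponse` value captured from the browser's network tab in place of the constructed token; if the NameID comes back as the user's email or UPN instead of the static value, the condition did not match for that user, which is exactly the case the answer above points at (for example, an account with no email address).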

  2. Mathieu Lavigne 1 Reputation point

    I consider this a bug from Microsoft. Overwriting attributes works with static values for the other claim attributes but not the NameID. For NameID we used Transformation as suggested here and it worked [enter faceplant emoji here].

    Thanks, guys, for saving the day. This article was useful for us.
