Claims rule to get WindowsAccountName for Azure AD

Giovanni Fleres 216 Reputation points

I'm trying to use a 3rd party MFA for an Azure AD tenant that is federated with an on premise AD / ADFS.
This 3rd party is configured as a Claims Provider Trust in ADFS.

The auth flow is:
Azure AD -> ADFS -> 3rd party MFA

The authentication on the 3rd party is successfully executed and then the control is returned to ADFS that should redirect the end user to Azure AD but this process fails with the following error:

Error details: POLICY0018: Query 'samAccountName={0};userPrincipalName;{1}' to attribute store 'Active Directory' failed: 'POLICY3826: User name 'john.smith' in LDAP query 'samAccountName=john.smith;userPrincipalName;john.smith' is not in the required 'domain\user' format. POLICY3824: The LDAP query to the Active Directory attribute store must have three parts separated by semicolons. The first part is the LDAP query filter, the second part is a comma-separated list of LDAP attribute names, and the third part is the user name in 'domain\user' format.'.

The affected policy seems to be "Issue UPN" Claim Issuance Policy in "Microsoft Office 365 Identity Platform Worldwide" Relying Party

Three Claims rules are defined in the 3rd party Claim Provider:

  • Passthrough NameID as Windows Account Name
  • Passthrough NameID as UPN
  • A custom called "Query AD for sAMaccountname" with the following content

c:[Type == ""]
=> issue(store = "Active Directory", types = (""), query = "(&(!userAccountControl:1.2.840.113556.1.4.803:=2)(objectCategory=person)(objectClass=user)(userPrincipalName={0}));sAMAccountName;contoso\random", param = c.Value);

Any thoughts?



Accepted answer
  1. Giovanni Fleres 216 Reputation points

    Thanks @Pierre Audonnet - MSFT and @Jitendra Rai for your help.

    I've resolved my issue creating following two rules:

    1 - get samAccountName

    c:[Type == ""]
    => add(store = "Active Directory", types = ("temp:claim/sam"), query = "(&(objectCategory=person)(objectClass=user)(userPrincipalName={0}));samaccountname;contoso\random", param = c.Value);

    2 - Issue Windows Account Name

    c:[Type == "temp:claim/sam"]
    => issue(Type = "", Value = "contoso\" + c.Value);

    @Pierre Audonnet - MSFT , yes, you're right. I'm sorry if I haven't been very clear.

    Not sure I understand your question about why I don't use my MFA provider directly in ADFS.
    The big picture is that I would like to grant access to Azure portal or to Office 365 through this 3rd party MFA / IdP (biometric recognition) but Azure AD doesn't support this 3rd party. This is why I'm using ADFS. Have I answered your question?
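Added example (not from the question or the answer above): a small Python model of the two accepted-answer rules and of the three-part query format that the POLICY3824/POLICY3826 errors in the question enforce. The directory contents, the assumption that the incoming NameID is the user's UPN, and the `contoso` domain prefix are constructed for illustration.

```python
import re

# Constructed sample directory keyed by userPrincipalName (not real data).
DIRECTORY = {
    "john.smith@contoso.com": {"sAMAccountName": "jsmith"},
    "jane.doe@contoso.com": {"sAMAccountName": "jdoe"},
}

# The third query part must look like domain\user (POLICY3826).
DOMAIN_USER = re.compile(r"^[^\\;]+\\[^\\;]+$")


def parse_ad_query(query):
    """Split an ADFS 'Active Directory' store query into its three parts and
    apply the format checks the POLICY3824/POLICY3826 errors describe."""
    parts = query.split(";")
    if len(parts) != 3:
        raise ValueError("POLICY3824: query needs filter;attributes;domain\\user")
    ldap_filter, attrs, user = parts
    if not DOMAIN_USER.match(user):
        raise ValueError(f"POLICY3826: {user!r} is not in 'domain\\user' format")
    return ldap_filter, [a.strip() for a in attrs.split(",")], user


# Rule 1 of the accepted answer: add() a temporary claim holding sAMAccountName.
RULE1_QUERY = ("(&(objectCategory=person)(objectClass=user)(userPrincipalName={0}));"
               "samaccountname;contoso\\random")


def add_sam_claim(upn, directory=DIRECTORY):
    """Evaluate rule 1 for the incoming NameID (assumed here to be the UPN)
    and return the temp:claim/sam value, or None when nothing matches."""
    ldap_filter, attrs, _ = parse_ad_query(RULE1_QUERY)
    # Only the userPrincipalName={0} term of the filter is modelled.
    entry = directory.get(upn) if "userPrincipalName={0}" in ldap_filter else None
    if entry is None:
        return None
    wanted = {a.lower() for a in attrs}  # LDAP attribute names are case-insensitive
    return next((v for k, v in entry.items() if k.lower() in wanted), None)


def issue_windows_account_name(upn, domain="contoso", directory=DIRECTORY):
    """Rule 2 of the accepted answer: issue domain\\ + sAMAccountName."""
    sam = add_sam_claim(upn, directory)
    return None if sam is None else f"{domain}\\{sam}"
```

Feeding the failing query from the question's error message to `parse_ad_query` reproduces the POLICY3826 rejection, while the answer's rules yield `contoso\jsmith` for the constructed user.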
