How to add specific JSON OptionalClaims

Jesus Guzman 41 Reputation points
2021-03-10T21:36:14.903+00:00

Hi all! I have an API that works fine when I authenticate my users. But I need to add specific optional claims to allow me to direct users into the application based on the claims Office, Job Title and Department. I have to edit this in the manifest, because I don't see the optional claims listed in the web portal. Unfortunately, this goes beyond my limited knowledge, as I am not an experienced developer. I ventured to try adding the claims I've found in some links, but I am not entering the right stuff. I did add one optional claim to get the last authentication time, but I am not sure if this section is the right one to enter the claims I need (Office, Job Title and Department), or what to enter to make it happen:

"optionalClaims": {
    "idToken": [
        {
            "name": "auth_time",
            "source": null,
            "essential": false,
            "additionalProperties": []
        }
    ],
    "accessToken": [],
    "saml2Token": []
}

Any guidance is appreciated.

J.Guzman


Accepted answer
  1. Siva-kumar-selvaraj 15,681 Reputation points
    2021-03-11T21:26:28.563+00:00

    Hello @Jesus Guzman ,

    Thanks for reaching out.

    Basic claims (like "department" and "jobTitle") can be configured by using "Claims mapping policies", but the "officeLocation" claim is not supported; refer to this article to see the list of supported claims.

    Please find below detailed steps for creating an Azure AD policy and then assigning it to service principal objects.

    • You must have the AzureAD module installed, because this can only be done through PowerShell. If it is not installed already, refer to this article to install the AzureAD module.

    • Use this cmdlet to create a new Azure AD policy; this defines the basic claims "department" and "jobTitle":

       New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy": {"Version": 1,"IncludeBasicClaimSet": "true","ClaimsSchema":[{"Source": "user","ID": "department","JwtClaimType": "department"},{"Source": "user","ID": "jobTitle","JwtClaimType": "jobTitle"}]}}') -DisplayName "BasicClaimDepartment-title" -Type "ClaimsMappingPolicy"  
    

    • Run the following command to see your newly created policy and copy the policy ObjectId:

       Get-AzureADPolicy  
    

    • Assign the policy to your service principal. You can get the ObjectId of your service principal from the Enterprise applications blade, as shown in the screenshot below.

       Add-AzureADServicePrincipalPolicy -Id <ObjectId of the ServicePrincipal> -RefObjectId <ObjectId of the Policy>  
    

    66393-image.png

    • Once the policy has been successfully assigned, set AcceptMappedClaims to true in the App, as shown in the following image:
    66404-image.png

    Now you should see the basic claims "department" and "jobTitle" appear in the ID token (JWT). Please find below a screenshot from my lab for your reference:

    id_token (JWT):
    76839-image.png

    Hope this helps.

    ------------------------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

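The steps in the accepted answer, carried through as one script (an added example, not the answerer's own commands): the policy definition is built as a PowerShell object and serialized, so a typo in the hand-written JSON cannot slip through; the service principal is resolved by display name rather than by pasting an ObjectId; the assignment is read back to verify it; and a small decoder checks an id_token payload for the mapped claims, which is the verification the answer shows as a screenshot. It assumes the AzureAD module is installed and that `$AppDisplayName` is replaced with your app registration's display name; `Get-JwtPayload` and `Test-MappedClaims` are helper names chosen here, not cmdlets from the module.

```powershell
# Added example (not part of the answer above). Requires the AzureAD module.
# ASSUMPTION: $AppDisplayName is a placeholder for your app registration's display name.
param(
    [string]$AppDisplayName    = "<your app display name>",
    [string]$PolicyDisplayName = "BasicClaimDepartment-title"
)

Connect-AzureAD | Out-Null

# 1. Build the policy definition as an object and serialize it. A malformed
#    definition string is only noticed when tokens fail to issue, so let
#    ConvertTo-Json produce the JSON instead of typing it by hand.
#    officeLocation is not a supported source attribute, so it is not listed.
$claimsToMap = @("department", "jobTitle")
$definition = @{
    ClaimsMappingPolicy = @{
        Version              = 1
        IncludeBasicClaimSet = "true"
        ClaimsSchema         = @(
            foreach ($c in $claimsToMap) {
                @{ Source = "user"; ID = $c; JwtClaimType = $c }
            }
        )
    }
}
$definitionJson = $definition | ConvertTo-Json -Depth 5 -Compress

# 2. Create the policy, re-using an existing one with the same name if present
#    so that re-running the script does not create duplicates.
$policy = Get-AzureADPolicy |
    Where-Object { $_.DisplayName -eq $PolicyDisplayName -and $_.Type -eq "ClaimsMappingPolicy" } |
    Select-Object -First 1
if (-not $policy) {
    $policy = New-AzureADPolicy -Definition @($definitionJson) `
        -DisplayName $PolicyDisplayName -Type "ClaimsMappingPolicy"
}

# 3. Resolve the service principal by display name.
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "No service principal named '$AppDisplayName' found in this tenant." }

# 4. Assign the policy, then read the assignment back. A claims mapping policy
#    is attached per service principal: only tokens issued for this app change.
$assigned = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId
if (-not ($assigned | Where-Object { $_.Id -eq $policy.Id })) {
    Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
}
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId | Format-Table DisplayName, Type, Id

# 5. After setting acceptMappedClaims to true in the app manifest and signing in
#    again, decode the id_token payload to confirm the claims arrived. JWT segments
#    are base64url without padding, so restore the padding and standard alphabet.
function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

function Test-MappedClaims {
    param([Parameter(Mandatory)][string]$IdToken, [string[]]$Expected = $claimsToMap)
    $claims = Get-JwtPayload -Jwt $IdToken
    foreach ($name in $Expected) {
        $present = $null -ne $claims.PSObject.Properties[$name]
        # A missing claim usually means the user's directory attribute is empty,
        # acceptMappedClaims is still false, or the token predates the assignment.
        "{0,-12} {1}" -f $name, $(if ($present) { "present: $($claims.$name)" } else { "MISSING" })
    }
}

# Usage after a fresh sign-in to the app:
#   Test-MappedClaims -IdToken "<paste id_token here>"
```

Run the script once per tenant and app; the policy lookup in step 2 and the assignment check in step 4 make it safe to re-run. `Test-MappedClaims` only reads the token payload and does not validate its signature, so use it as a configuration check, not as an authorization decision.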

1 additional answer

  1. Jesus Guzman 41 Reputation points
    2021-03-11T22:48:44.92+00:00

    Hello Sikumars!

    First, thank you for taking the time to suggest this workaround. I believe it has shed light on what I need to do. The "OfficeLocation" claim is not correct, as you are stating. I need "Office", which I do believe can be used along with the other two. I am going to follow this and add the "office" claim and keep you posted.

    Regards,

    J.Guzman

