AD FS to Azure AD app migration - Claim Rules

Pa_D 1,051 Reputation points

There are 4 different claim rule templates that require attention:

  1. EmitGroupClaims template
  2. MapClaims template
  3. Custom template
  4. Pass through claim template

Attached screenshots for those 4 templates. Can someone provide guidance for equivalent mapping in Azure AD claim rules?


Accepted answer
  1. James Hamil 14,346 Reputation points Microsoft Employee

    Hi @Pa_D ,

    We do not recommend use of Transient NameID.
    As per the doc:

    • urn:oasis:names:tc:SAML:2.0:nameid-format:transient: Azure Active Directory issues the NameID claim as a randomly generated value that is unique to the current SSO operation. This means that the value is temporary and cannot be used to identify the authenticating user.

    Hence my suggestion: omit that claim for NameID being sent as Transient; in its place you can send the Name ID as either Unspecified or as email address.

    • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress: Azure Active Directory issues the NameID claim in e-mail address format.
    • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified: This value permits Azure Active Directory to select the claim format. Azure Active Directory issues the NameID as a pairwise identifier.

    The only supported types for the NameID format are listed here:

    I hope this helps! Please let me know if you have any further questions.


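As an added example (not part of the accepted answer or of any Microsoft code), here is a check a relying party could run over an assertion's Subject/NameID: it rejects the transient format the answer advises against and accepts the formats the answer names (plus persistent). The assertions below are constructed samples with signatures and conditions omitted.

```python
"""Validate the Subject/NameID format of a SAML assertion before using it as a user identifier."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Formats whose value is stable across logins, so the relying party may map it to a local account.
STABLE_FORMATS = {EMAIL, UNSPECIFIED, PERSISTENT}

def subject_name_id(assertion_xml):
    """Return (format, value) of Subject/NameID, or (None, None) if the element is missing.
    A NameID without a Format attribute defaults to 'unspecified' (SAML 2.0 core, 8.3.1)."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("./saml:Subject/saml:NameID", SAML_NS)
    if name_id is None:
        return None, None
    return name_id.get("Format", UNSPECIFIED), (name_id.text or "").strip()

def check_name_id(assertion_xml):
    """Accept only NameID formats that identify the same user on every login."""
    fmt, value = subject_name_id(assertion_xml)
    if not value:
        return {"ok": False, "reason": "no NameID in Subject"}
    if fmt == TRANSIENT:
        return {"ok": False, "format": fmt,
                "reason": "transient NameID is unique per SSO operation and cannot identify the user"}
    if fmt not in STABLE_FORMATS:
        return {"ok": False, "format": fmt, "reason": "NameID format not in the allowed set"}
    return {"ok": True, "format": fmt, "value": value}

# Constructed sample assertions (signature and conditions omitted).
TRANSIENT_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_7f3a9c0b</saml:NameID></saml:Subject>
</saml:Assertion>"""
EMAIL_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@contoso.example</saml:NameID></saml:Subject>
</saml:Assertion>"""
NO_FORMAT_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
</saml:Assertion>"""

if __name__ == "__main__":
    for label, xml in [("transient", TRANSIENT_ASSERTION), ("email", EMAIL_ASSERTION), ("no format", NO_FORMAT_ASSERTION)]:
        print(label, check_name_id(xml))
```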

1 additional answer

  1. James Hamil 14,346 Reputation points Microsoft Employee

    Please find the details for the screenshots below:

    1. EmitGroupClaims template: Emit claim with value if user is member of the specific group ---> This is a supported scenario. For more information please check here:
    2. MapClaims template: Send Email as NameID ---> This scenario is also supported. More details around the same can be found here:
    3. Custom template: In Azure we don't recommend applications to check auth method. We don't do anything less secure than password.
    4. Pass through claim template: This is also a supported scenario. For more details you can refer to the following link:

    To test these claims, you can try using the Claims XRay SAML App in Azure.

    Please let me know if this helps! If so, please mark the answer as "Verified" so other users may reference it.

    Thank you,