Azure AD - add custom claim to access token

Ryan P 11 Reputation points
2021-06-01T13:46:48.16+00:00

Hello experts,

I have an Azure AD application which I am using to generate a v1.0 access token for use in an external app.

I want to add a custom "prn" claim to the token, which will mirror the value of the default "upn" claim.

I have read through the article below, but due to my lack of experience am not entirely sure that this is what I am after.

https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping

Before I dive in and see if I can get my head around this article, can anyone confirm that the above is what I need to do to get the custom claim - i.e. using claims mapping policy and a custom signing certificate?

Many thanks,
Ryan


1 answer

  1. Siva-kumar-selvaraj 15,566 Reputation points
    2021-06-02T12:43:20.477+00:00

    Hello @Ryan P ,

    Thanks for reaching out.

    Yes, you are referring to the right article.

    Here are the detailed steps for creating an Azure AD policy and then assigning it to the service principal object (application), which emits the "upn" claim as a custom "prn" claim.

    • You must have the AzureAD module installed, because this can only be done through PowerShell. If it is not installed already, refer to this article to install the AzureAD module.

    • Use this cmdlet to create a new Azure AD policy; this defines the basic claim "userprincipalname" as "prn".

       New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy": {"Version": 1,"IncludeBasicClaimSet": "true","ClaimsSchema":[{"Source": "user","ID": "userprincipalname","JwtClaimType": "prn"}]}}') -DisplayName "BasicClaimupnPrn-title" -Type "ClaimsMappingPolicy"

    • Run the following command to see your newly created policy and copy the policy's ObjectId.

       Get-AzureADPolicy

    • Assign the policy to your service principal. You can get the ObjectId of your service principal from the Enterprise applications blade, as shown in the screenshot below.

       Add-AzureADServicePrincipalPolicy -Id <ObjectId of the ServicePrincipal> -RefObjectId <ObjectId of the Policy>

    [screenshot: Enterprise applications blade (66393-image.png)]

    • Once the policy has been successfully assigned, set AcceptMappedClaims to true in the app, as shown in the following image:
    [screenshot: AcceptMappedClaims setting (66404-image.png)]

    Now you should see the basic claims "department" and "jobTitle" appear in the ID token (JWT). Please find below a screenshot from my lab for your reference:

    id_token (JWT):

    [screenshot: decoded id_token (101669-image.png)]

    Hope this helps.

    ------------------------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    2 people found this answer helpful.
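As an added example (not part of this answer or of the Microsoft docs), the Python below expresses the claims mapping policy from the steps above as data, checks that it maps `userprincipalname` to `prn`, and inspects a token payload to confirm that `prn` mirrors `upn`. The sample token and claim values are constructed; the decoder does not verify the signature and is only for inspecting a token you already hold during testing, never for accepting one.

```python
import base64
import json

# The ClaimsMappingPolicy definition from the New-AzureADPolicy step, as a dict
# so it can be checked and serialised instead of hand-typed into the cmdlet.
CLAIMS_MAPPING_POLICY = {
    "ClaimsMappingPolicy": {
        "Version": 1,
        "IncludeBasicClaimSet": "true",
        "ClaimsSchema": [
            {"Source": "user", "ID": "userprincipalname", "JwtClaimType": "prn"}
        ],
    }
}


def policy_maps_claim(policy: dict, source_id: str, jwt_claim: str) -> bool:
    """True if the policy maps the given user attribute to the given JWT claim name."""
    schema = policy.get("ClaimsMappingPolicy", {}).get("ClaimsSchema", [])
    return any(
        entry.get("Source") == "user"
        and entry.get("ID", "").lower() == source_id.lower()
        and entry.get("JwtClaimType") == jwt_claim
        for entry in schema
    )


def policy_definition_json(policy: dict) -> str:
    """Compact JSON string in the form the -Definition parameter expects."""
    return json.dumps(policy, separators=(",", ":"))


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature: inspection only, never authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def prn_mirrors_upn(token: str) -> bool:
    """True if the token carries a 'prn' claim equal to its 'upn' claim."""
    claims = jwt_claims(token)
    return "prn" in claims and "upn" in claims and claims["prn"] == claims["upn"]


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token (dummy signature) for offline testing only."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    header = enc(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{enc(json.dumps(claims).encode())}.dummysig"
```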