We have the same problem too.
Change SAML Claims for DevOps with Azure AD
Hey
My organisation has just started using AzureAD and DevOps for certain things; we use the former to authenticate with the latter. When someone first signs into our DevOps, using our AzureAD, it creates a DevOps Profile for the user.
My assumption is that this profile's attributes are initially populated from SAML claims released by our AzureAD; one attribute it populates for you is the Contact Email Address. If this assumption is correct, then it appears that the Contact Email Address is populated from the UPN claim, which in our case is not correct.
We can of course tell every user that signs in to DevOps to go to their profile and correct their Contact Email Address, but I'm not sure we should have to.
I was hoping to edit the view and edit the claims released for this purpose, thinking that I would be able to correct the mapping, but when I go to Azure DevOps Enterprise Application within our Azure Portal and go to Single Sign-On I'm faced with:
"The single sign-on configuration is not available for this application in the Enterprise applications experience. Azure DevOps is a multi-tenant application and the application is owned by another tenant."
I don't know if this is just the end of it and there's nothing we can do? There is a following statement, which reads:
"To customize token claims, see How to: customize token claims emitted in tokens for a specific app in a tenant."
But since this looks to be a whole lot of PowerShell commands, I thought I'd ask here before I get crazy.
Does anyone have any advice or experience that might help here?
[EDIT]: It's starting to get a little specific now, but it's worth noting that although we use AzureAD to manage the accounts for DevOps, we utilise Directory Sync from our local AD and it's our local ADFS that's being authenticated against.
Cheers
Jack
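The "customize token claims" route the portal message points at is a claims mapping policy attached to the application's service principal in your own tenant. The following is an added example (not code from the original post or from Microsoft) showing that shape with the AzureAD PowerShell module; it assumes the service principal's display name is "Azure DevOps" and that the synced `mail` attribute holds the address you want emitted, both of which you should verify in your tenant before running anything.

```powershell
# Added example: emit the user's mail attribute as the SAML email claim
# via a tenant-scoped claims mapping policy. Assumes the AzureAD module.
Connect-AzureAD

# Policy definition: keep the basic claim set and add an emailaddress claim
# sourced from the user's mail attribute (synced from on-prem AD), rather than the UPN.
$definition = @'
{
  "ClaimsMappingPolicy": {
    "Version": 1,
    "IncludeBasicClaimSet": "true",
    "ClaimsSchema": [
      {
        "Source": "user",
        "ID": "mail",
        "SamlClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
      }
    ]
  }
}
'@

$policy = New-AzureADPolicy -Definition @($definition) `
    -DisplayName "DevOpsEmailFromMail" -Type "ClaimsMappingPolicy"

# Locate the service principal for the multi-tenant app in OUR tenant.
# Assumption: its display name is "Azure DevOps"; check with Get-AzureADServicePrincipal first.
$sp = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Azure DevOps'"
if (-not $sp) { throw "Service principal not found; verify the display name in your tenant." }

# Attach the policy to that service principal only (does not touch the app owner's tenant).
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id

# Review what is now attached, and test with a single sign-in before rolling out.
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId
```

Claims mapping policies are only honoured for applications configured to accept mapped claims or signed with a tenant-specific key, so confirm that requirement for this app before expecting the emitted claim to change; if it does not apply, the profile fix-up per user remains the fallback.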