ImmutableID through application claims

Nina Franchaisse 41 Reputation points
2021-08-16T09:35:50.5+00:00

Hello,
In our infrastructure we had an Active Directory which sent the user objectGUID to Office 365 for authentication, but when we did the migration from Active Directory to Azure, we had a problem accessing the ImmutableID through Azure applications (because we need to federate through an external OpenID Provider).
At first we tried to get the ImmutableID from the token, but it is not mapped in any existing claim, so we tried to make our own:

AzureADPreview\New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema": [{"Source":"user","ID":"ImmutableID","SamlClaimType":"http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID","JwtClaimType":"nameImmutableID"}]}}') -DisplayName "ImmutableIDClaims" -Type "ClaimsMappingPolicy"

Add-AzureADServicePrincipalPolicy -Id <Application ID> -RefObjectId <Policy ID>

After that, we added the claims in the manifest as follows but it seems not to return the value.

{
"name": "nameImmutableID",
"source": "user",
"essential": true,
"additionalProperties": []
}

Do you have an idea why this isn't working?
Best regards

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Answer accepted by question author
  1. Siva-kumar-selvaraj 15,731 Reputation points Volunteer Moderator
    2021-08-16T19:45:06.72+00:00

    Hello @Nina Franchaisse ,

    Thanks for reaching out.

    You cannot send the "ImmutableId" element through application claims directly, because it is not a supported claim schema entry. Here is the list of the Source/ID element pairs.

    Alternatively, you could leverage any one of the unused "extensionAttribute" values, copy the ImmutableId value into it manually, and send it in the claim as shown below.

    Hope this helps.

    Example:
    Azure AD policy creation:

    New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true","ClaimsSchema":[{"Source":"user","ID":"extensionAttribute1","SamlClaimType":"http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableId"}]}}') -DisplayName ImmutableId -Type "ClaimsMappingPolicy"

    Copy ImmutableId

    Set-AzureADUserExtension -ObjectId <User_Object_ID> -ExtensionName extensionattribute1 -ExtensionValue BpazOkLGm0iEtljAONPvOQ==

    Outcome:

    (screenshot: 123617-image.png)

    ------
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


1 additional answer

  1. Siva-kumar-selvaraj 15,731 Reputation points Volunteer Moderator
    2021-08-23T20:40:15.65+00:00

    Hello @Nina Franchaisse ,

    You can create a custom sync rule on the Azure AD Connect server which converts the objectGUID to Base64 format and copies the Immutable ID to ExtensionAttribute1, as shown below, for hybrid users.

    Steps to create the rule:

    • Open AD sync rule editor
    • Click Add new rule.
    • On the Description page, enter the following:
      (screenshot: 125745-image.png)

    Name: Give the rule a descriptive name.
    Description: Give some clarification so someone else can understand what the rule is for.
    Connected System: This is the system in which the object can be found. In this case, select Active Directory Connector.
    Connected System/Metaverse Object Type: Select User and Person, respectively.
    Link Type: Change this value to Join.
    Precedence: Provide a value that is unique in the system. A lower numeric value indicates higher precedence (Ex: 50).
    Tag: Leave this empty. Only out-of-box rules from Microsoft should have this box populated with a value.

    • On the Scoping filter page, enter extensionAttribute1 CONTAINS SetImmutableId
      (screenshot: 125764-image.png)
      This section is used to define which objects the rule should apply to. If it's left empty, the rule would apply to all user objects. However, that would include conference rooms, service accounts, and other non-people user objects. Hence, I used a filter based on extensionAttribute1: when it contains the text value SetImmutableId in the local AD, the respective user object will get a copy of the Base64-converted objectGUID.
    • On the Join rules page, leave the field empty.
    • On the Transformations page, change FlowType to Expression. For Target Attribute, select extensionAttribute1. And for Source, enter IIF(IsString([objectGUID]),CStr([objectGUID]),ConvertToBase64([objectGUID])).
      (screenshot: 125706-image.png)
      The sync engine is case-sensitive for both the function name and the name of the attribute. If you type something wrong, you see a warning when you add the rule. You can save and continue, but you need to reopen and correct the rule.
    • Click Add to save the rule. Your new custom rule should be visible with the other sync rules in the system; now verify the changes.

    Outcome from my lab:

    (screenshot: 125707-image.png)

    Here is the general guidance on "Create your first custom rule". Hope this helps.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

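Both answers rely on the same mapping: the ImmutableId is the Base64 encoding of the on-premises objectGUID in .NET byte order, whether it is copied by hand into extensionAttribute1 (first answer) or produced by the sync rule expression ConvertToBase64([objectGUID]) (second answer). The following Python helpers are an added example, not code from the thread or from Microsoft, for reproducing that conversion offline and for checking that the custom claim a token carries really belongs to the expected user. The function names, the sample claim payload and the objectGUID it uses are constructed for the example; the Base64 value is the one from the first answer, and the GUID is what it decodes to. The token payload is assumed to have been signature-verified by your OIDC library before it reaches this check.

```python
"""Offline helpers for the objectGUID <-> ImmutableId mapping used in the thread."""
import base64
import binascii
import uuid


def objectguid_to_immutable_id(object_guid: str) -> str:
    """Return the ImmutableId for an on-premises objectGUID.

    Azure AD Connect's ConvertToBase64([objectGUID]) Base64-encodes the GUID in
    .NET byte order (Guid.ToByteArray), which is uuid's bytes_le layout: the
    first three fields little-endian, the remaining eight bytes as written.
    """
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


def immutable_id_to_objectguid(immutable_id: str) -> str:
    """Reverse the mapping so a claim value can be compared with the AD objectGUID."""
    raw = base64.b64decode(immutable_id, validate=True)  # strict alphabet, no junk
    if len(raw) != 16:
        raise ValueError(f"ImmutableId must decode to 16 bytes, got {len(raw)}")
    return str(uuid.UUID(bytes_le=raw))


def is_wellformed_immutable_id(value: str) -> bool:
    """True only for strict Base64 of exactly 16 bytes (24 characters ending in '==')."""
    try:
        immutable_id_to_objectguid(value)
    except (binascii.Error, ValueError):
        return False
    return True


def claim_matches_objectguid(claims: dict, claim_name: str, object_guid: str) -> bool:
    """Check that the custom claim in a decoded token payload carries the expected user's ImmutableId.

    `claims` is the already-verified token payload as a dict; `claim_name` is the
    JwtClaimType / manifest name chosen for the policy (assumed: nameImmutableID,
    as in the question). Braces and upper-case hex in `object_guid` are normalised.
    """
    value = claims.get(claim_name)
    if not isinstance(value, str) or not is_wellformed_immutable_id(value):
        return False
    return immutable_id_to_objectguid(value) == str(uuid.UUID(object_guid))


if __name__ == "__main__":
    # Constructed sample: the GUID that the first answer's example value decodes to.
    sample_guid = "3ab39606-c642-489b-84b6-58c038d3ef39"
    sample_claims = {"sub": "constructed-subject", "nameImmutableID": objectguid_to_immutable_id(sample_guid)}
    print(objectguid_to_immutable_id(sample_guid))
    print(claim_matches_objectguid(sample_claims, "nameImmutableID", sample_guid))
```

Two practical notes. The strict decode matters because extensionAttribute1 is free text: with the scoping filter from the second answer, a user may still carry the literal marker SetImmutableId until the rule has run, and is_wellformed_immutable_id rejects such values instead of treating them as an identity. Also, a ClaimsMappingPolicy entry only appears in a JWT when it has a JwtClaimType (as in the question's own policy); the first answer's entry sets only SamlClaimType, which affects SAML tokens.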
