
Enterprise Apps: Adding A Variable to User Name

km-admin 0 Reputation points
2026-06-01T15:17:31.21+00:00

I have an enterprise app where I need to append a variable to each user via SSO. An example would be ******@this.com would have to be ******@this.com. I'm not seeing how to append the "that" variable in Attributes and Claims. Thoughts?

  1. AI answer

    2026-06-01T15:17:52.3433333+00:00

    Configure a custom claim transformation on the enterprise application and use the built-in string functions to append the extra value to the username that’s sent in the token.

    For an OIDC/OAuth (JWT) enterprise app:

    1. In Microsoft Entra admin center, go to Entra ID → Enterprise apps → All applications.
    2. Select the app, then Single sign-on → in Attributes & Claims, select Edit.
    3. Either edit the existing claim that represents the username (for example, name or preferred_username) or add a new claim.
    4. For the claim’s value, use a transformation function that joins the base attribute with the extra suffix. For example, use Join() to combine the user principal name with a fixed domain or suffix:
      • Input attribute: user.userprincipalname (or user.email as appropriate)
      • Function: Join()
      • Separator: @ (or another character as needed)
      • Parameter: the new domain or suffix (for example, that.com)
      For NameID transformations, Join() removes the original domain part before joining with the separator and new parameter. For example, if the input is ******@contoso.com, separator is @, and parameter is that.com, the output becomes ******@that.com.

    If instead of changing the domain you need to append a literal string to the existing value (for example, ******@this.com → ******@this.com_that), configure the claim to:

    • Use Join() with a separator (for example, _) and a constant parameter (for example, that), or
    • Use a function like Contains(), StartWith(), or EndWith() if conditional logic is required, selecting the original attribute as input and the modified value as output.

    For SAML apps, the same pattern applies on the Attributes & Claims blade: edit the relevant claim (for example, nameID or another identifier), and either:

    • Select a different source attribute (such as userprincipalName, email, objectid, etc.), or
    • Assign a constant value in Source attribute if a static suffix or value is required.

    This way, the app receives a username that has the required suffix or modified domain without changing the underlying Entra ID user object.



    Was this answer helpful?
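Added example, not part of the original answer or of any Microsoft tooling: a local Python model of the two Join() behaviours the answer describes, used to check before rollout whether the transformed username would map two different users to the same value. The function names and the sample UPNs are assumptions made for illustration, as is the case-insensitive comparison.

```python
from collections import defaultdict


def join_claim(value, separator, parameter, is_nameid):
    """Model of Join() as the answer describes it (not Entra's own code).

    NameID claim: the domain part of the input is dropped before joining.
    Any other claim: the input is kept whole and the parameter is appended.
    """
    if is_nameid and "@" in value:
        value = value.rsplit("@", 1)[0]
    return f"{value}{separator}{parameter}"


def find_collisions(upns, separator, parameter, is_nameid):
    """Return {transformed value: [source UPNs]} for values shared by 2+ users."""
    seen = defaultdict(list)
    for upn in upns:
        # Assumption: the receiving app compares usernames case-insensitively.
        out = join_claim(upn.strip().lower(), separator, parameter, is_nameid)
        seen[out].append(upn)
    return {out: srcs for out, srcs in seen.items() if len(srcs) > 1}


# Constructed sample directory: two users share a local part across domains.
SAMPLE_UPNS = ["alice@this.com", "bob@this.com", "alice@contoso.com"]

if __name__ == "__main__":
    cases = [
        ("NameID, domain swap", "@", "that.com", True),
        ("Other claim, suffix append", "_", "that", False),
    ]
    for label, sep, param, nameid in cases:
        print(label)
        for upn in SAMPLE_UPNS:
            print(f"  {upn} -> {join_claim(upn, sep, param, nameid)}")
        clashes = find_collisions(SAMPLE_UPNS, sep, param, nameid)
        for out, srcs in clashes.items():
            print(f"  COLLISION {out} <- {', '.join(srcs)}")
        if not clashes:
            print("  no collisions")
```

In a multi-domain tenant, run the check against an export of real UPNs: the domain-swap form discards the part of the name that made those users distinct, while the suffix form keeps it.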
