UPN field not present in claims during authentication with a single tenant app registration

Question

I am currently working on a C# webapp that is uses single tenant authentication via OpenIdConnect to authenticate our webapp against Azure AD. The issue that I am encountering is that after authentication, the UPN field is not populated in the HttpContext User object.

The only claims fields that are provided to the hhtp context are the authmethodreferences, emailaddress, identityprovider, objectidentifier, nameidentifier, tenantid and name.

My next thought was to use the optional claims feature, documented here:
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims#configuring-optional-claims

However, after following those instructions and trying id, access, and SAML to get the UPN field in, none of them ended up working.

Does anyone know what steps I will need to take in order to get the upn field to appear in a single tenant authentication request?

Answer 1

Hey, are you setting these optional claims up in the resource application object?

Note that the resource is what defines what items will be returned not the application registration that has the client id that you're using to request and access token from. This is a common error that most people make as they make the modifications in the application registration object, not the resource object.

You can will need to use either custom claims mapping, or optional claims.

Answer 2

Hello

Like Role & Zak I am also missing a full documentation, how to add additional claims (especially UPN) for integrated applications. I understand that you need to give permissions etc. for Graph API, but where to do this exactly?

It would be great, if there is a step-by-step tutorial for this use case as I guess this is not a special case but quite common!

Cheers,
Roger