Include on-premises sAMAccountName in Azure AD claims

Somnath Shukla 411 Reputation points
2020-01-14T14:59:04.783+00:00

I was going through this: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims. I am happy that I can get the on-premises SID.
Now I also want to include the onPremisesSamAccountName as part of the claims.
I know I can get it using the Graph API https://graph.microsoft.com/v1.0/me/?$select=userPrincipalName,onPremisesSamAccountName
but I want to have it as part of the claims in the token generated by Azure AD itself.

Microsoft Entra ID

Accepted answer
soumi-MSFT 11,761 Reputation points Microsoft Employee
    2020-01-14T18:38:49.02+00:00

    @Somnath Shukla,
    Yes, you can add the onPremisesSamAccountName to the claims and send it within an access token.

    You can follow the steps mentioned below:

    1. Create an Azure AD policy of type ClaimsMappingPolicy. Each ClaimsSchema entry maps a user attribute (ID) to a claim name in SAML and JWT tokens:

       New-AzureADPolicy -Definition @('{
         "ClaimsMappingPolicy": {
           "Version": 1,
           "IncludeBasicClaimSet": "true",
           "ClaimsSchema": [
             {
               "Source": "user",
               "ID": "employeeid",
               "SamlClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/employeeid",
               "JwtClaimType": "employeeid"
             },
             {
               "Source": "user",
               "ID": "mail",
               "SamlClaimType": "http://schemas.microsoft.com/identity/claims/emailaddress",
               "JwtClaimType": "mail"
             },
             {
               "Source": "user",
               "ID": "onpremisessamaccountname",
               "SamlClaimType": "samaccountname",
               "JwtClaimType": "samAccountName"
             },
             {
               "Source": "user",
               "ID": "department",
               "SamlClaimType": "http://schemas.microsoft.com/identity/claims/department",
               "JwtClaimType": "department"
             }
           ]
         }
       }') -DisplayName "CustomClaimsPolicy1" -Type "ClaimsMappingPolicy"

    2. Attach the newly created policy to the service principal of the Azure AD app for which the token will be requested:

       Add-AzureADServicePrincipalPolicy -Id {object id of service principal} -RefObjectId {object id of policy}

    3. To check whether the policy was successfully added to the service principal:

       Get-AzureADServicePrincipalPolicy -Id "{object id of service principal}"

    4. Next, use the OAuth 2.0 authorization code flow to request a code from AAD.
    5. Once you have the code, use it to request an access token from AAD for the app whose service principal the policy was attached to. [I used the Postman tool to test this.]
    6. Once you get the access token, use https://jwt.ms to see the decoded JWT; you should see samAccountName listed in it as a claim.

    Hope this helps.


    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

    1 person found this answer helpful.

1 additional answer

contemplatorUnser 1 Reputation point
    2021-07-03T21:51:04.6+00:00

    I'm trying out this solution.
    What is the "object id of service principal" in

    Add-AzureADServicePrincipalPolicy -Id {object id of service principal} -RefObjectId {object id of policy}
    ?

    The object ID of my app doesn't work. I suppose this is the object ID of my app (called Divertimenti) in the view Azure AD --> Enterprise Application
    (see picture).

    Regards,
    GG!
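As an added example (not the answer's own script, and not part of either post), the whole procedure from the accepted answer as one AzureAD-module script, which also covers the question above about which object id to pass: it resolves the service principal by display name and decodes the token payload locally instead of pasting it into jwt.ms. It assumes the AzureAD PowerShell module, an admin session, and placeholder values for $AppDisplayName and $AccessToken.

```powershell
# Added example; $AppDisplayName and $AccessToken are placeholders to replace before running.
Connect-AzureAD | Out-Null
$AppDisplayName = 'Divertimenti'        # placeholder: display name of the app registration
$PolicyName     = 'CustomClaimsPolicy1'
$AccessToken    = '<paste the access token obtained via the auth code flow here>'   # placeholder

# Policy that maps only the on-premises sAMAccountName; "JwtClaimType" is the name
# that shows up in the access token.
$policyJson = @'
{
  "ClaimsMappingPolicy": {
    "Version": 1,
    "IncludeBasicClaimSet": "true",
    "ClaimsSchema": [
      { "Source": "user", "ID": "onpremisessamaccountname",
        "SamlClaimType": "samaccountname", "JwtClaimType": "samAccountName" }
    ]
  }
}
'@
# 1. Create the policy once; reuse it if one with this display name already exists.
$policy = Get-AzureADPolicy | Where-Object { $_.DisplayName -eq $PolicyName }
if (-not $policy) {
    $policy = New-AzureADPolicy -Definition @($policyJson) -DisplayName $PolicyName -Type 'ClaimsMappingPolicy'
}
# 2. -Id must be the service principal's object id (Azure AD --> Enterprise applications),
#    not the app registration's object id. Resolving it by display name avoids mixing them up.
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "No service principal named '$AppDisplayName'" }
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
# 3. Verify that the policy is now bound to the service principal.
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId | Select-Object DisplayName, Type
# 4. Inspect the token payload locally. This only base64url-decodes, it does NOT validate
#    the signature; the API that consumes the token must still validate issuer, audience,
#    expiry and signature as usual.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $part = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($part.Length % 4) { 2 { $part += '==' } 3 { $part += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($part)) | ConvertFrom-Json
}
# If the claim is missing on a single-tenant app, acceptMappedClaims must be set to true in
# the app manifest (or a custom signing key configured); Azure AD otherwise refuses mapped claims.
$claims = ConvertFrom-JwtPayload -Token $AccessToken
if ($claims.samAccountName) { "samAccountName = $($claims.samAccountName)" }
else { 'samAccountName claim missing: check acceptMappedClaims / custom signing key on the app.' }
```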