Claim Transformation in Azure ID Token (upn data to email claim)?

asked 2020-08-28T13:18:54.54+00:00
Bergmann, Alexander 1 Reputation point

Hi is it possible to send the upn value as email claim per transformation in id token.

i found this doc but its not clear for me how or if it works.

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
12,584 questions
No comments
{count} votes

2 answers

Sort by: Most helpful
  1. answered 2020-08-28T21:50:49.39+00:00
    Alfredo Revilla (MSFT) 15,571 Reputation points Microsoft Employee

    Not possible since email is a restricted claim but you can output it as mail or other with something like this:

       $Policy=New-AzureADPolicy -Definition $Serializer.Serialize($Definition) -DisplayName SamplePolicy1 -Type ClaimsMappingPolicy  
       Add-AzureADServicePrincipalPolicy -Id <SP_ObjectId> -RefObjectId $Policy.Id  

    Please let us know if this answer was helpful to you. If so, please remember to mark it as the answer so that others in the community with similar questions can more easily find a solution.

    No comments

  2. answered 2020-08-31T12:34:26.613+00:00
    Alexander 266 Reputation points

    Hi Alfredo, thanks for your fast response when i try out your suggestion i get following error.

    Add-AzureADServicePrincipalPolicy : Error occurred while executing AddServicePrincipalPolicy
    Code: Request_ResourceNotFound
    Message: Resource 'xxxxxxxxxxxxxxxxxxxxxxxx' does not exist or one of its queried reference-property objects are not present.
      RequestId: b182dfba-3b1c-46e5-933e-xxxxxxxxxx
      DateTimeStamp: Mon, 31 Aug 2020 10:20:50 GMT
    HttpStatusCode: NotFound
    HttpStatusDescription: Not Found
    HttpResponseStatus: Completed
    In Zeile:12 Zeichen:1
    + Add-AzureADServicePrincipalPolicy -Id xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Add-AzureADServicePrincipalPolicy], ApiException
        + FullyQualifiedErrorId : Microsoft.Open.MSGraphBeta.Client.ApiException,Microsoft.Open.MSGraphBeta.PowerShell.AddServicePrincipalPolicy

    The ObjectID i used exists