Chain Together AAD Claims Transformations

Daniel Milnes 21 Reputation points
2022-06-30T13:46:35.48+00:00

Hi there,

We're trying to use Azure AD claims transformations to work around legacy requirements from a previous IDP. We'd like to replace the domain on all UPNs with a different domain, but we don't appear to be able to chain together claims transformations to achieve this.

We're deploying the policy below with Terraform:

   # Claims mapping policy as deployed; the intent is UPN -> mail prefix -> prefix@example.com
   resource "azuread_claims_mapping_policy" "this" {
     definition = [
       jsonencode({
         ClaimsMappingPolicy = {
           Version              = 1,
           IncludeBasicClaimSet = "true",
           ClaimsSchema = [
             {
               Source = "user"
               ID     = "userprincipalname"
             },
             {
               # Output of the first transformation (mail prefix of the UPN)
               Source           = "transformation"
               ID               = "Compat1"
               TransformationId = "Transform1"
             },
             {
               # Output of the second transformation, emitted as the SAML NameID
               Source           = "transformation"
               ID               = "Compat2"
               TransformationId = "Transform2"
               SamlClaimType    = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
             }
           ],
           ClaimsTransformations = [
             {
               ID                   = "Transform1"
               TransformationMethod = "ExtractMailPrefix"
               InputClaims = [
                 {
                   ClaimTypeReferenceId    = "userprincipalname"
                   TransformationClaimType = "mail"
                 }
               ],
               OutputClaims = [
                 {
                   ClaimTypeReferenceId    = "Compat1"
                   TransformationClaimType = "outputClaim"
                 }
               ]
             },
             {
               ID                   = "Transform2"
               TransformationMethod = "Join"
               InputClaims = [
                 {
                   # Takes the output of Transform1 as its input
                   ClaimTypeReferenceId    = "Compat1"
                   TransformationClaimType = "string"
                 }
               ],
               InputParameters = [
                 {
                   ID    = "string2"
                   Value = "example.com"
                 },
                 {
                   ID    = "separator"
                   Value = "@"
                 }
               ],
               OutputClaims = [
                 {
                   ClaimTypeReferenceId    = "Compat2"
                   TransformationClaimType = "outputClaim"
                 }
               ]
             }
           ]
         }
       })
     ]
     display_name = var.name
   }

However, when we try to log in through Azure AD, we get the error below:

   AADSTS501242: ClaimsTransformations with ID 'Transform2' contains an unsupported InputClaim.Source 'transformation'.

What would be the way forward here? We're happy to use a regular expression instead, but wouldn't see a way to do this from the docs.

Thanks!
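The condition behind AADSTS501242 can be caught before `terraform apply`. The following is an added example, not part of the original post and not Microsoft or HashiCorp tooling: a small lint that parses the JSON carried by the Terraform `definition` argument and reports any ClaimsTransformation whose InputClaim resolves to a ClaimsSchema entry with `Source = "transformation"`, which is exactly the chaining the error rejects. The two embedded policies are constructed for the example: the first mirrors the post's ExtractMailPrefix-then-Join policy, the second is an assumed single-step RegexReplace alternative whose parameter IDs (`regex`, `replacement`) and input type (`sourceClaim`) are taken from memory of Microsoft's claims-mapping-policy reference and must be confirmed there before use. The `preview_regex_replace` helper only approximates the .NET regex engine AAD uses, via Python's `re`.

```python
"""Pre-deployment lint for an Azure AD / Entra ID claims mapping policy.

Added example, not part of the original post. Flags the chaining condition
behind AADSTS501242 and previews a single-step RegexReplace rewrite locally.
"""
import json
import re
from typing import List


def lint_claims_policy(definition: str) -> List[str]:
    """Return human-readable findings; an empty list means the policy passed."""
    policy = json.loads(definition)["ClaimsMappingPolicy"]
    schema = {e["ID"]: e for e in policy.get("ClaimsSchema", [])}
    transforms = {t["ID"]: t for t in policy.get("ClaimsTransformations", [])}
    findings = []

    # Every schema entry sourced from a transformation must name one that exists.
    for entry in schema.values():
        if entry.get("Source") == "transformation" and entry.get("TransformationId") not in transforms:
            findings.append(f"ClaimsSchema '{entry['ID']}' references unknown TransformationId "
                            f"'{entry.get('TransformationId')}'")

    for tid, t in transforms.items():
        for inp in t.get("InputClaims", []):
            ref = inp["ClaimTypeReferenceId"]
            src = schema.get(ref)
            if src is None:
                findings.append(f"ClaimsTransformation '{tid}' input '{ref}' is not declared in ClaimsSchema")
            elif src.get("Source") == "transformation":
                # One transformation consuming another's output: AAD rejects this (AADSTS501242).
                findings.append(f"ClaimsTransformation '{tid}' uses input '{ref}' whose Source is "
                                f"'transformation' (output of '{src['TransformationId']}'); chaining is unsupported")
        for out in t.get("OutputClaims", []):
            ref = out["ClaimTypeReferenceId"]
            if schema.get(ref, {}).get("TransformationId") != tid:
                findings.append(f"ClaimsTransformation '{tid}' output '{ref}' is not bound to it in ClaimsSchema")
    return findings


def preview_regex_replace(value: str, regex: str, replacement: str) -> str:
    """Approximate the RegexReplace method with Python's re (AAD runs .NET regex).

    Converts .NET named groups (?<name>...) to (?P<name>...) and the {name}
    replacement token to \\g<name>; lookbehinds (?<= / (?<! are left untouched.
    """
    py_regex = re.sub(r"\(\?<(?![=!])", "(?P<", regex)
    py_replacement = re.sub(r"\{(\w+)\}", r"\\g<\1>", replacement)
    return re.sub(py_regex, py_replacement, value)


# Constructed to mirror the two-step ExtractMailPrefix -> Join policy from the post.
CHAINED_POLICY = json.dumps({"ClaimsMappingPolicy": {
    "Version": 1, "IncludeBasicClaimSet": "true",
    "ClaimsSchema": [
        {"Source": "user", "ID": "userprincipalname"},
        {"Source": "transformation", "ID": "Compat1", "TransformationId": "Transform1"},
        {"Source": "transformation", "ID": "Compat2", "TransformationId": "Transform2",
         "SamlClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"},
    ],
    "ClaimsTransformations": [
        {"ID": "Transform1", "TransformationMethod": "ExtractMailPrefix",
         "InputClaims": [{"ClaimTypeReferenceId": "userprincipalname", "TransformationClaimType": "mail"}],
         "OutputClaims": [{"ClaimTypeReferenceId": "Compat1", "TransformationClaimType": "outputClaim"}]},
        {"ID": "Transform2", "TransformationMethod": "Join",
         "InputClaims": [{"ClaimTypeReferenceId": "Compat1", "TransformationClaimType": "string"}],
         "InputParameters": [{"ID": "string2", "Value": "example.com"}, {"ID": "separator", "Value": "@"}],
         "OutputClaims": [{"ClaimTypeReferenceId": "Compat2", "TransformationClaimType": "outputClaim"}]},
    ],
}})

# Assumed single-step alternative: one RegexReplace reading the user claim directly.
# Parameter IDs and the "sourceClaim" input type are from memory of Microsoft's
# RegexReplace reference; confirm against the current docs before deploying.
SINGLE_STEP_POLICY = json.dumps({"ClaimsMappingPolicy": {
    "Version": 1, "IncludeBasicClaimSet": "true",
    "ClaimsSchema": [
        {"Source": "user", "ID": "userprincipalname"},
        {"Source": "transformation", "ID": "Compat", "TransformationId": "Rewrite",
         "SamlClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"},
    ],
    "ClaimsTransformations": [
        {"ID": "Rewrite", "TransformationMethod": "RegexReplace",
         "InputClaims": [{"ClaimTypeReferenceId": "userprincipalname", "TransformationClaimType": "sourceClaim"}],
         "InputParameters": [{"ID": "regex", "Value": "(?<prefix>.+)@(.+)"},
                             {"ID": "replacement", "Value": "{prefix}@example.com"}],
         "OutputClaims": [{"ClaimTypeReferenceId": "Compat", "TransformationClaimType": "outputClaim"}]},
    ],
}})

if __name__ == "__main__":
    for name, policy in (("chained", CHAINED_POLICY), ("single-step", SINGLE_STEP_POLICY)):
        print(name, lint_claims_policy(policy) or "OK")
    # Constructed sample UPN; the old domain is replaced, the prefix is kept.
    print(preview_regex_replace("daniel@old.example.org", "(?<prefix>.+)@(.+)", "{prefix}@example.com"))
```

Run this against the `definition` strings Terraform renders (for instance from `terraform show -json`) before applying; the chained policy produces one finding naming Transform2, while the single-step policy passes the structural check, and the preview shows what the RegexReplace rewrite would emit for a sample UPN.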
