Cannot view samAccountName as an access token attribute

ISDr 21 Reputation points
2022-07-08T10:41:18.61+00:00

Hi,

I have set up an enterprise app registration for a Web app.

Under Token Configuration, I've enabled both ID and Access tokens, ticked all optional claims, and for the group claim ticked sAMAccountName for all token types (ID, Access, SAML).

I've also added an onpremisesamaccountname claims mapping as advised here: https://learn.microsoft.com/en-us/answers/questions/6472/inlcude-onpemise-samaccount-in-azure-ad-claims.html

However, when I attempt to get an access token using an authorization code, the samAccountName is not available as one of the attributes in the Access token JWT.

Could you please help me here? My primary objective is to obtain the username attribute within the token. I want the username to be something like "jsmith" instead of the email attribute. Usually in legacy systems this username is mapped to the cn or samAccountName.

Note: I don't have a connection to LDAP for the end users, as I've set them up in Microsoft 365 Admin Center.


Accepted answer
AmanpreetSingh-MSFT 56,746 Reputation points
2022-07-11T13:07:45.167+00:00

Hi @ISDr • Thank you for reaching out.

The onPremisesSamAccountName attribute is populated automatically only when the users are synced from on-premises Active Directory. If the users are cloud-only users, this attribute won't have a value.

So, the first thing I would suggest you check is whether the onPremisesSamAccountName attribute is populated or not. You can use Graph Explorer to make the call below after signing in with the Global/User administrator account in your tenant:

https://graph.microsoft.com/beta/users/object_id_of_the_user

If the value is not populated and is returned as null, it will not be returned in the access token as a claim. Only if the value is populated will the claim be populated in the access token.

You may consider using the mailNickname attribute if the value of onPremisesSamAccountName is not populated. The value of the mailNickname attribute is a single-label name like "jsmith" instead of the email attribute.

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
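As an added example (not code from the question, the answer, or Microsoft), the script below applies the answer's check and fallback offline: it inspects a token for the mapped claim and, when the claim is absent, picks a username from the Graph user object. The Graph responses, the token, and the mapped claim name (MAPPED_CLAIM) are constructed assumptions; the real claim name is whatever the claims mapping policy defined.

```python
import base64
import json
from typing import Optional

# Constructed Graph responses (shape of GET https://graph.microsoft.com/beta/users/{id});
# values are made up. A cloud-only user has no on-premises attributes.
CLOUD_ONLY_USER = {"userPrincipalName": "jsmith@contoso.example",
                   "mailNickname": "jsmith", "onPremisesSamAccountName": None}
SYNCED_USER = {"userPrincipalName": "jsmith@contoso.example",
               "mailNickname": "jsmith", "onPremisesSamAccountName": "JSMITH"}

# Assumed name of the mapped claim; not given on this page.
MAPPED_CLAIM = "onpremisesamaccountname"


def pick_username(user: dict) -> Optional[str]:
    """Apply the answer's rule: onPremisesSamAccountName if populated,
    otherwise fall back to mailNickname (a single-label name such as "jsmith")."""
    return user.get("onPremisesSamAccountName") or user.get("mailNickname") or None


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWS for inspection only. The signature
    is not verified here; an app must validate it before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def mapped_username(token: str, claim: str = MAPPED_CLAIM) -> Optional[str]:
    """Return the mapped claim from the access token, or None when Entra ID
    omitted it (which is what happens when the source attribute is null)."""
    return jwt_claims(token).get(claim) or None


def fake_token(claims: dict) -> str:
    """Build an unsigned, constructed token purely for local testing of the parser."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    token = fake_token({"aud": "api://example", "preferred_username": "jsmith@contoso.example"})
    print("mapped claim in token:", mapped_username(token))   # None for a cloud-only user
    print("fallback from Graph:", pick_username(CLOUD_ONLY_USER))
```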

