Hi @ISDr • Thank you for reaching out.
The onPremisesSamAccountName attribute is populated automatically only when the users are synced from on-premises Active Directory. If the users are cloud-only users, this attribute won't have a value.
So, the first thing I would suggest you check is whether the onPremisesSamAccountName attribute is populated or not. You can use Graph Explorer to make the below call after signing in with the Global/User administrator account in your tenant:
https://graph.microsoft.com/beta/users/object_id_of_the_user
If the value is not populated and is returned as Null, it will not be returned in the access token as a claim. Only if the value is populated will the claim be populated in the access token.
You may consider using the mailNickname attribute if the value of onPremisesSamAccountName is not populated. The value of the mailNickname attribute is a single-label name like "jsmith" instead of the email attribute.
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
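The two checks described in the answer (look at the user object in Graph, then confirm whether the claim actually landed in the token) as an added example in Python. This is not code from the answer or from Microsoft; the user objects and the token are constructed sample data, the token is built locally with no real signature, and the assumption that the claim carries the same name as the directory attribute (`onPremisesSamAccountName`) is mine, so substitute whatever claim name your app's token configuration emits.

```python
import base64
import json

GRAPH_BASE = "https://graph.microsoft.com/beta/users"


def user_lookup_url(object_id):
    # The Graph Explorer request from the answer, narrowed with $select to the
    # two attributes that matter here so the response is easy to read.
    return f"{GRAPH_BASE}/{object_id}?$select=onPremisesSamAccountName,mailNickname"


def pick_username_source(user):
    """Apply the answer's advice to a Graph user object (a dict parsed from JSON).

    Returns (attribute_name, value): onPremisesSamAccountName when it is populated
    (user synced from on-premises AD), otherwise mailNickname, otherwise (None, None).
    """
    sam = user.get("onPremisesSamAccountName")
    if sam:
        return ("onPremisesSamAccountName", sam)
    nick = user.get("mailNickname")
    if nick:
        return ("mailNickname", nick)
    return (None, None)


def jwt_claims(token):
    """Decode the payload segment of a compact JWT for inspection only.

    The signature is NOT verified here; use this on a token you already obtained
    yourself to see which claims the tenant put in it, never to trust a token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def claim_present(token, claim_name):
    """True when the claim exists in the token payload and is not null/empty."""
    value = jwt_claims(token).get(claim_name)
    return value not in (None, "")


def make_sample_token(claims):
    # Constructed, unsigned sample token for offline demonstration only.
    # Real access tokens are signed by the tenant's signing key.
    def b64url(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64url({"alg": "none", "typ": "JWT"}), b64url(claims), "x"])


if __name__ == "__main__":
    # Constructed Graph responses: one synced user, one cloud-only user.
    synced_user = {"onPremisesSamAccountName": "jsmith", "mailNickname": "jsmith"}
    cloud_only_user = {"onPremisesSamAccountName": None, "mailNickname": "jsmith"}

    print(user_lookup_url("00000000-0000-0000-0000-000000000000"))  # placeholder object id
    print(pick_username_source(synced_user))      # ('onPremisesSamAccountName', 'jsmith')
    print(pick_username_source(cloud_only_user))  # ('mailNickname', 'jsmith')

    # Constructed tokens: claim name assumed to match the attribute name.
    with_claim = make_sample_token({"preferred_username": "jsmith@contoso.example",
                                    "onPremisesSamAccountName": "jsmith"})
    without_claim = make_sample_token({"preferred_username": "jsmith@contoso.example"})
    print(claim_present(with_claim, "onPremisesSamAccountName"))     # True
    print(claim_present(without_claim, "onPremisesSamAccountName"))  # False
```

Run it as-is to see the decision on the constructed users; in practice, paste the printed URL into Graph Explorer, feed the JSON it returns to `pick_username_source`, and pass a token you obtained for your app to `claim_present` to confirm whether the optional claim was emitted for that user.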