#AzureAD #AzureActiveDirectory How to customize claims in id_tokens issued by Azure AD? How to add a claims mapping policy? Microsoft Article - docs.microsoft...
Thank you very much! If I could, I would give 1000 likes :). After spending time with MS articles, I came across this video, which puts all the pieces of the puzzle together. Perfect video to start working with that stuff!
I see you have mentioned JWTClaimType:EmployeeID_JWTCLAIM; we just keep it as EmployeeID instead of EmployeeID_JWTCLAIM, because we want it to show only EmployeeID instead of EmployeeID_JWTCLAIM in the JWT token.
Yes, employeeID is the generic claim used everywhere. My agenda was to show the capability that we can even customize the claim names as well. Thank you for your response.
How do custom policies work with access tokens? When you set up a policy for an AT, it has to be on the service principal of the resource app, not the caller app. A video on that would be helpful.
A custom policy is always mapped to the service principal object of the application that you have registered. A custom policy cannot be mapped to the resource app. For example: if I have registered an application and I will be calling Graph from that application, my application will be the "Caller APP" and Microsoft Graph will be the resource. Now, when I create a policy for custom claims mapping, I will be adding it to the service principal of the app which I have registered. Result: since the policy is mapped to the app which I have registered, only the token issued to my application will be customized. Thanks..!!
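The binding described in the reply above, as an added example (not code from the video or from Microsoft's article): it assumes the AzureAD PowerShell module is installed and you are already connected with Connect-AzureAD, and "<your-app-display-name>" is a placeholder for the app you registered in your tenant.

```powershell
# Added example: define a claims mapping policy that emits the user's employeeId
# as a JWT claim named "EmployeeID", then bind it to the service principal of the
# caller app (the app registered in your tenant), not to the resource app.
# Assumes Connect-AzureAD has already been run; "<your-app-display-name>" is a placeholder.

$policyDefinition = @'
{
  "ClaimsMappingPolicy": {
    "Version": 1,
    "IncludeBasicClaimSet": "true",
    "ClaimsSchema": [
      {
        "Source": "user",
        "ID": "employeeid",
        "JwtClaimType": "EmployeeID"
      }
    ]
  }
}
'@

# Create the policy object in the tenant; the Type must be ClaimsMappingPolicy.
$policy = New-AzureADPolicy -Definition @($policyDefinition) `
    -DisplayName "EmployeeIdClaimPolicy" -Type "ClaimsMappingPolicy"

# Look up the service principal of the app you registered (the caller, not the resource).
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '<your-app-display-name>'"

# Bind the policy to that service principal; only tokens issued to this app are affected.
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id

# Verify the binding by listing the policies attached to the service principal.
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId
```

Azure AD will not issue a token carrying mapped claims for an app that signs with the tenant key unless the app registration has acceptMappedClaims set to true (or the app uses its own signing key), so check that setting if token requests start failing after the policy is bound.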
@ConceptsWork I totally got what you are saying. So I just wanted to confirm that the custom mapping policy is always assigned to the service principal of the client application. That means this is the opposite of the "optionalClaims" element, as we put "optionalClaims" on the application object of the resource if I want to add any more claims to the access token. Am I right in my understanding? And if yes, could you please tell me whether "optionalClaims" can co-exist with a claims mapping policy, or whether the latter will replace the former?
Excellent video! I have a scenario where one of the enterprise registered apps needs these 2 values in the claim, based on AD group membership: attrib_authorization = 'val_x' (should change based on the AD group membership) and attrib_clearance = 'val_y' (should change based on the AD group membership). Please guide me with high-level steps on how I add these two custom attributes to the claim. Many thanks.
Great video! I can create a new policy using the New-AzureADPolicy command as you have shown, but I cannot see the ObjectID; it is coming back empty for me. I'm using the same version which you mentioned. I also tried the Get-AzureADPolicy command; I can only see my policy with no ObjectID. Do you have any idea why it is happening for me?
Great video! However, I am wondering if it is possible to create a custom claim with a user's manager_email. You can get this information through Graph, but I have no idea how to write the policy definition to be able to get this in. Do you know how?