1
votes

We are working on authenticating a C# MVC Web API, following the "Daemon or Server Application to Web API" model and we would like to add some custom claims to the token issued by Azure Active Directory to be validated in the Web API side.

Our initial thought is to 'add' these optional claims to the Daemon application by editing the manifest, but we could not find a good example and we get errors when saving it.

Manifest

Is there anyone that could provide us a good example of how to add these custom claims?

Or even better, is there any other idea about how to add these custom claims?

3
First, you cannot achieve this by editing Manifest. Manifest can't be changed with wrong changes. Also, if you want to claim tokens, you need to refer to this document: docs.microsoft.com/en-us/azure/active-directory/develop/… (Wayne Yang)
Thanks Wayne. This link explains the claims format, but where can I set these claims permanently? I would like that every time the Daemon app calls my Web API the custom claims are included in the token. In the example, I can see the default 15 claims provided by AD, but no way to add the custom ones as I could do with ACS. (jmascaro)

3 Answers

1
votes

The only way I found out to include non basic claims is by Claims mapping policy assignment as described here: Claims mapping in Azure Active Directory

For example to add the department field from an AAD user additionally to the basic claims set in the token you have to create a policy:

New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema": [{"Source":"user","ID":"department","JwtClaimType":"department"}]}}') -DisplayName "ExtraClaimsExample" -Type "ClaimsMappingPolicy"

and then assign it to the service principal of your AAD application:

Add-AzureADServicePrincipalPolicy -Id <ObjectId of the ServicePrincipal> -RefObjectId <ObjectId of the Policy>

Read the linked Microsoft doc for more details.
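An added end-to-end version of the two steps above, written for this page rather than taken from the answer or from Microsoft's documentation: it builds the same department mapping, finds the Web API's service principal by its Application ID (the placeholder variable $apiAppId is assumed), refuses to stack a second mapping policy on it, and reads the assignment back. It assumes an authenticated Connect-AzureAD session using the AzureADPreview module, which is where New-AzureADPolicy lives.

```powershell
# Added example (not the answer's own code). Assumes Connect-AzureAD has already been
# run with an account allowed to manage policies, using the AzureADPreview module.
# The policy must be attached to the service principal of the RESOURCE (the Web API
# whose tokens you validate), not to the daemon client.
$apiAppId = "00000000-0000-0000-0000-000000000000"   # placeholder: the Web API's Application (client) ID

# 1. Build the same definition as the answer above as a hashtable, so a typo in the
#    JSON surfaces as a PowerShell error instead of a rejected policy.
#    IncludeBasicClaimSet keeps aud/iss/exp and the other standard claims in the token.
$definition = @{
    ClaimsMappingPolicy = @{
        Version              = 1
        IncludeBasicClaimSet = "true"
        ClaimsSchema         = @(
            @{ Source = "user"; ID = "department"; JwtClaimType = "department" }
        )
    }
} | ConvertTo-Json -Depth 5 -Compress

# 2. Locate the API's service principal. Only one ClaimsMappingPolicy may be assigned
#    per service principal, so stop if one is already there instead of adding a second.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$apiAppId'"
if (-not $sp) { throw "No service principal found for appId $apiAppId" }

$existing = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
    Where-Object { $_.Type -eq "ClaimsMappingPolicy" }
if ($existing) {
    throw "Service principal already has ClaimsMappingPolicy '$($existing.DisplayName)' ($($existing.Id)); remove it first."
}

# 3. Create the policy and assign it to the service principal.
$policy = New-AzureADPolicy -Definition @($definition) `
                            -DisplayName "ExtraClaimsExample" `
                            -Type "ClaimsMappingPolicy"
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id

# 4. Read the assignment back so the change is verified, not assumed.
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
    Select-Object DisplayName, Type, Id

# Note: a user-sourced claim such as department only appears in tokens issued for a
# signed-in user. In a client-credentials (daemon) flow there is no user, so the
# claim will be absent; validate its presence in the Web API accordingly.
```

Before tokens with mapped claims are issued, the Web API's app registration must accept mapped claims (acceptMappedClaims in its manifest) or use a custom signing key; otherwise the token request fails with the AADSTS50146 error that the third answer's link refers to.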

1
votes

Please see the documentation on optional claims here - https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims

You can use the UX or manifest editing to add claims that are not usually included in tokens.

Please consider having the rest of the answers on this page erased as they are incorrect and give false information.

0
votes

Looks like it's not possible with OptionalClaims as that property is not in a list, but I have found this solution:

https://securecloud.blog/2019/06/06/add-samaccountname-to-azure-ad-access-token-jwt-with-claims-mapping-policy-and-avoiding-aadsts50146/

You have to create a ClaimsMappingPolicy in your Azure AD and assign it to your application.