0
votes

I am using an Azure AD application with Azure B2C. As per the official Microsoft document, we can get additional claims using an Azure AD claims mapping policy: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping

I managed to get JobTitle using this approach; however, the department and mobilePhone fields are always empty. Below is the PowerShell script that I use to create the AD claims mapping policy.

# Policy definition: keep the basic claim set and add three user attributes as JWT claims
$claimsMappingPolicy = [ordered]@{
    "ClaimsMappingPolicy" = [ordered]@{
        "Version" = 1
        "IncludeBasicClaimSet" = $true
        "ClaimsSchema" = @(
            [ordered]@{
                "Source" = "user"
                "ID" = "JobTitle"
                "JwtClaimType" = "JobTitle"
            },
            [ordered]@{
                "Source" = "user"
                "ID" = "Department"
                "JwtClaimType" = "Department"
            },
            [ordered]@{
                "Source" = "user"
                "ID" = "MobilePhone"
                "JwtClaimType" = "MobilePhone"
            }
        )
    }
}

$appID = "Azure AD App ID"
$policyName = "ClaimsMappingPolicy"

# Resolve the service principal of the application the policy will be attached to
$sp = Get-AzureADServicePrincipal -Filter "servicePrincipalNames/any(n: n eq '$appID')"

# A service principal can carry only one claims mapping policy, so remove any existing one first
$existingPolicies = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId `
                    | Where-Object { $_.Type -eq "ClaimsMappingPolicy" }
if ($existingPolicies) {
    $existingPolicies | Remove-AzureADPolicy
}

# Serialize the definition (the cmdlet expects a JSON string) and create the policy
$policyDefinition = $claimsMappingPolicy | ConvertTo-Json -Depth 99 -Compress
$policy = New-AzureADPolicy -Type "ClaimsMappingPolicy" -DisplayName $policyName -Definition $policyDefinition

# Bind the new policy to the application's service principal
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
Write-Output ("New claims mapping policy '{0}' set for app '{1}'." -f $policy.DisplayName, $sp.DisplayName)
Do you mean to get the Job info (jobTitle, department, manager id) of the user? Navigate to Azure Active Directory -> Users -> Job info in the portal. - Pamela Peng
Please let us know if one of the answers below was helpful to you. If so, please remember to mark it as the answer using the check mark so that others in the community with similar questions can more easily find a solution. Also, please spare a few minutes to let us know how we did using this link <microsoft.qualtrics.com/jfe/form/… > - Nishant

2 Answers

0
votes

MobilePhone is not available as an optional claim or through a claims mapping policy. JobTitle and Department are. For access tokens, ensure you are targeting your own application as the resource. E.g.:

https://login.microsoftonline.com/{tenant}/oauth2/authorize?client_id={app id}&resource={app id}

Or

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?client_id={app id}&scope={app id}/.default
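As an added example (not part of the question or either answer), the following PowerShell check decodes the payload of a token the application actually received and reports two things the answer above hinges on: whether `aud` is your own app ID, and which of the mapped claims (JobTitle, Department, MobilePhone) are really present. The token embedded at the bottom is constructed for the demo with a placeholder signature; the `00000000-…` app ID and `{tenant}` issuer are placeholders, and the function uses only built-in .NET and PowerShell APIs.

```powershell
# Added example: inspect a JWT payload for audience and mapped claims.
# Only the payload is decoded here; signature validation remains the resource server's job.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    # JWT segments use base64url (RFC 7515) without padding; convert back to standard base64
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        2 { $s += '==' }
        3 { $s += '=' }
    }
    return [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    $b64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Value))
    return $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-JwtClaimReport {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$ExpectedAudience,
        [string[]]$ExpectedClaims = @('JobTitle', 'Department', 'MobilePhone')
    )
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a compact JWS (expected header.payload.signature)." }

    $payload = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json

    # v1 tokens carry the app ID (or its App ID URI) in aud; the answer above requires
    # that the token was requested for our own application, not for Graph.
    $aud = $payload.aud
    $audMatches = [bool]($aud -eq $ExpectedAudience -or $aud -eq "api://$ExpectedAudience")

    [pscustomobject]@{
        AudienceMatchesApp = $audMatches
        Audience           = $aud
        PresentClaims      = @($ExpectedClaims | Where-Object { $null -ne $payload.PSObject.Properties[$_] })
        MissingClaims      = @($ExpectedClaims | Where-Object { $null -eq $payload.PSObject.Properties[$_] })
    }
}

# Constructed sample token (placeholder app ID, placeholder tenant, placeholder signature).
# Replace $sampleToken with a token obtained from the authorize endpoint above to check a real app.
$sampleAppId = '00000000-0000-0000-0000-000000000000'
$header  = '{"alg":"RS256","typ":"JWT"}'
$claims  = '{"aud":"' + $sampleAppId + '","iss":"https://sts.windows.net/{tenant}/","JobTitle":"Engineer"}'
$sampleToken = @((ConvertTo-Base64Url $header), (ConvertTo-Base64Url $claims), 'placeholder-signature') -join '.'

$report = Get-JwtClaimReport -Token $sampleToken -ExpectedAudience $sampleAppId
$report | Format-List
```

For the constructed token the report shows `AudienceMatchesApp` true, `PresentClaims` containing only JobTitle and `MissingClaims` listing Department and MobilePhone, which mirrors the symptom in the question. If a real token shows none of the mapped claims at all, also check the app registration: the claims-mapping documentation linked in the question requires `acceptMappedClaims` to be set to `true` in the manifest (or a custom signing key to be configured) before mapped claims are emitted.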

0
votes

First, you have to obtain an access token, then call the MS Graph API. You could execute this query.

# login
Connect-AzAccount

# get an access token for Microsoft Graph from the current Az context
$resource = "https://graph.microsoft.com"
$context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext
$authFactory = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory
$accessToken = $authFactory.Authenticate(
    $context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null,
    [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, $resource).AccessToken

# URLs of the REST API requests
$user_id = "{id | userPrincipalName}"
$manager_uri = "https://graph.microsoft.com/v1.0/users/" + $user_id + "/manager"
# The query string is single-quoted so PowerShell does not expand "$select" as a variable
$other_uri = "https://graph.microsoft.com/v1.0/users/" + $user_id + '?$select=displayName,jobTitle,department,mobilePhone'

# get the user's manager
Invoke-RestMethod -Method 'Get' -Uri $manager_uri -Headers @{ Authorization = "Bearer " + $accessToken }

# get displayName, jobTitle, department and mobilePhone
Invoke-RestMethod -Method 'Get' -Uri $other_uri -Headers @{ Authorization = "Bearer " + $accessToken }

You will get the same information that is shown under Azure Active Directory -> Users in the portal.

Also, you could test the responses in Graph Explorer at https://developer.microsoft.com/en-us/graph/graph-explorer.

https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/manager
https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}?$select=displayName,jobTitle,department,mobilePhone