Adding custom attributes to the Azure AD OpenID Connect ID Token

This is a quick reference for extending the OpenID Connect ID token we created in an earlier blog post with additional user attributes, using a claims mapping policy.

Start by editing the manifest of the app registration and set "acceptMappedClaims" to true. This opt-in exists because a claims mapping policy lets a tenant administrator put directory attributes of their choosing into tokens the application will trust; without it, Azure AD refuses to issue tokens for an app that has a claims mapping policy attached (error AADSTS50146). Setting acceptMappedClaims is sufficient for a single-tenant app; a multi-tenant app must instead be configured with a custom signing key.

Second, create a new Azure AD policy that contains the actual claims mapping, using the New-AzureADPolicy cmdlet from the AzureAD PowerShell module (this module has since been deprecated in favour of the Microsoft Graph PowerShell SDK, but the cmdlets below are what the original setup used):

# Sign in with an account that can manage policies and service principals
# (Global Administrator or Application Administrator).
Connect-AzureAD

# -SearchString matches display names that start with the given text, so make sure
# exactly one service principal came back before assigning a policy to it.
$servicePrincipal = Get-AzureADServicePrincipal -SearchString "Our Demo App"

# The policy definition is a JSON string. Each ClaimsSchema entry maps a user
# attribute (Source "user", ID = attribute name) to the claim name in the token.
# onpremisessamaccountname is only populated for users synced from on-premises AD.
$definition = @(
    '{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema": [
        {"Source":"user","ID":"jobtitle","JwtClaimType":"jobtitle"},
        {"Source":"user","ID":"department","JwtClaimType":"department"},
        {"Source":"user","ID":"onpremisessamaccountname","JwtClaimType":"uid"},
        {"Source":"user","ID":"mailnickname","JwtClaimType":"mailnickname"}
    ]}}'
)
$Policy = New-AzureADPolicy -Definition $definition -DisplayName "DemoApplicationClaimsMappingPolicy" -Type "ClaimsMappingPolicy"

<#
Or, if the policy already exists and you need to update it:
Set-AzureADPolicy -Id $Policy.Id -Definition $definition
#>

# Attach the policy to the service principal. A service principal can hold only one
# claims mapping policy at a time, so keep all mappings in a single definition.
Add-AzureADServicePrincipalPolicy -Id $servicePrincipal.ObjectId -RefObjectId $Policy.Id
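The same three steps (opt the app in to mapped claims, create the policy, attach it to the service principal) with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post. It calls the Graph REST endpoints through Invoke-MgGraphRequest rather than the deprecated AzureAD cmdlets. Assumed: the signed-in account holds the Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All scopes, the application and its service principal are both named "Our Demo App" (the name used above), and the policy display name is reused from above.

```powershell
# Added example, not code from the original post. Graph equivalent of the AzureAD
# cmdlets above. Assumes the scopes below and an app named "Our Demo App".
Connect-MgGraph -Scopes 'Policy.ReadWrite.ApplicationConfiguration', 'Application.ReadWrite.All' | Out-Null

$graph          = 'https://graph.microsoft.com/v1.0'
$appDisplayName = 'Our Demo App'
$policyName     = 'DemoApplicationClaimsMappingPolicy'

function Get-SingleByDisplayName([string]$Resource, [string]$Name) {
    # Look up exactly one object by displayName. A prefix search that silently takes
    # the first of several matches could attach the policy to the wrong application.
    $uri  = "$graph/$Resource?`$filter=" + [uri]::EscapeDataString("displayName eq '$Name'")
    $hits = @((Invoke-MgGraphRequest -Method GET -Uri $uri).value)
    if ($hits.Count -ne 1) { throw "Expected one $Resource entry named '$Name', found $($hits.Count)" }
    $hits[0]
}

$app = Get-SingleByDisplayName -Resource 'applications'      -Name $appDisplayName
$sp  = Get-SingleByDisplayName -Resource 'servicePrincipals' -Name $appDisplayName

# 1. Opt the app registration in to mapped claims (the manifest's acceptMappedClaims).
Invoke-MgGraphRequest -Method PATCH -Uri "$graph/applications/$($app.id)" `
    -Body @{ api = @{ acceptMappedClaims = $true } }

# 2. Create the claims mapping policy. 'definition' is an array holding one JSON string,
#    the same shape the AzureAD -Definition parameter takes.
$definition = @{
    ClaimsMappingPolicy = @{
        Version              = 1
        IncludeBasicClaimSet = 'true'
        ClaimsSchema         = @(
            @{ Source = 'user'; ID = 'jobtitle';                 JwtClaimType = 'jobtitle' },
            @{ Source = 'user'; ID = 'department';               JwtClaimType = 'department' },
            @{ Source = 'user'; ID = 'onpremisessamaccountname'; JwtClaimType = 'uid' },
            @{ Source = 'user'; ID = 'mailnickname';             JwtClaimType = 'mailnickname' }
        )
    }
} | ConvertTo-Json -Depth 5 -Compress

$policy = Invoke-MgGraphRequest -Method POST -Uri "$graph/policies/claimsMappingPolicies" -Body @{
    displayName           = $policyName
    definition            = @($definition)
    isOrganizationDefault = $false
}

# 3. Assign the policy to the service principal. This is a $ref link, not a property,
#    so the body carries the @odata.id of the policy.
Invoke-MgGraphRequest -Method POST -Uri "$graph/servicePrincipals/$($sp.id)/claimsMappingPolicies/`$ref" `
    -Body @{ '@odata.id' = "$graph/policies/claimsMappingPolicies/$($policy.id)" }

# Verify: the service principal should now list exactly the policy just created.
(Invoke-MgGraphRequest -Method GET -Uri "$graph/servicePrincipals/$($sp.id)/claimsMappingPolicies").value |
    Select-Object id, displayName
```

If step 3 fails because a policy is already attached, remove the existing link first (DELETE on `.../claimsMappingPolicies/{policyId}/$ref`) rather than creating a second policy; a service principal can hold only one claims mapping policy.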

After signing in and requesting an ID token (see the earlier blog post for those details), decoding the token at jwt.ms shows that the additional attributes are indeed present as claims in the ID token. Keep in mind that decoding only shows what the token says: the application must still validate the signature, issuer, audience and expiry before trusting any claim, mapped or not.
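A local replacement for the jwt.ms step, added here as an example that is not from the original post: it base64url-decodes the ID token's payload and reports which of the mapped claim names are absent, which is exactly what you see for a cloud-only user, who has no onpremisessamaccountname and therefore gets no uid claim. The token is constructed inside the script (header, payload and a dummy third segment) so it runs offline; the tenant and audience GUIDs in it are placeholders. Decoding is not validation: the relying party must still verify the signature against the tenant's published signing keys and check iss, aud and exp before trusting anything in the payload.

```powershell
# Added example, not code from the original post. Decodes a JWT payload locally and
# checks that the claims mapped above are present. $SampleIdToken is constructed here
# and carries no real signature; never treat a decoded payload as a validated token.

function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64Url([string]$Value) {
    # JWT segments are base64url without padding; restore '+', '/' and '=' before decoding.
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        1 { throw 'Invalid base64url segment length' }
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-JwtPayload([string]$Token) {
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Expected a compact JWS with three dot-separated parts, got $($parts.Count)" }
    ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
}

function Test-MappedClaims {
    param(
        [Parameter(Mandatory)][string]$Token,
        # Claim names from the ClaimsMappingPolicy above (JwtClaimType values).
        [string[]]$Expected = @('jobtitle', 'department', 'uid', 'mailnickname')
    )
    $claims  = Get-JwtPayload $Token
    $missing = @($Expected | Where-Object { -not $claims.PSObject.Properties[$_] })
    [pscustomobject]@{ Missing = $missing; Claims = $claims }
}

# --- Constructed sample token (placeholder GUIDs, dummy signature segment) ---
$constructedPayload = [ordered]@{
    iss          = 'https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0'
    aud          = '66666666-7777-8888-9999-000000000000'
    sub          = 'constructed-subject-identifier'
    jobtitle     = 'Security Engineer'
    department   = 'IT'
    mailnickname = 'jdoe'
    # 'uid' deliberately omitted: a cloud-only user has no onpremisessamaccountname,
    # so Azure AD emits no uid claim even though the policy maps it.
}
$SampleIdToken = (ConvertTo-Base64Url '{"typ":"JWT","alg":"RS256","kid":"constructed"}') + '.' +
                 (ConvertTo-Base64Url ($constructedPayload | ConvertTo-Json -Compress)) + '.' +
                 (ConvertTo-Base64Url 'not-a-real-signature')

$result = Test-MappedClaims -Token $SampleIdToken
if ($result.Missing.Count -gt 0) {
    Write-Warning "Missing mapped claims: $($result.Missing -join ', ')"
} else {
    Write-Host 'All mapped claims present.'
}
$result.Claims | Format-List jobtitle, department, uid, mailnickname
```

With a real token, replace $SampleIdToken with the id_token string from the sign-in response; the warning line tells you immediately whether the policy took effect or whether an attribute is simply empty for that user.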

Good luck 🙂
