
Azure AD: How to add user claims for an OIDC /userinfo request

I'm implementing a new "registered" application in Azure AD for which I need to get the user's sAMAccountName value as the preferred claim during the user authentication process. The apps can work with OIDC requests, so I'm trying to find a way to add a new claim to the user's profile (GET https://graph.microsoft.com/oidc/userinfo) containing the sAMAccountName attribute "extension_cda8b3eafdfb4aa0b27ca9860634fd74_sAMAccountName" synchronized from the local Active Directory. Unfortunately, after much research and testing, I can't find a way to achieve this. I would appreciate any experience on this topic, thanks.

Before this, I explored the claims mapping policy technique (https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping), creating and returning a custom claim in the identity token, as the apps can implement OAuth v2 as well. However, I don't have any flexibility in the apps to change the list of claims I can read from the token (it is hard coded). This flexibility is only given through the OIDC configuration, where I can select the preferred claim.

Per my understanding, you want to add a custom attribute Samaccountname to Azure AD.

You should use the Azure AD Graph API to implement it:

POST https://graph.windows.net/contoso.onmicrosoft.com/applications/269fc2f7-6420-4ea4-be90-9e1f93a87a64/extensionProperties?api-version=1.5 HTTP/1.1
Authorization: Bearer eyJ0eXAiOiJKV1Qi...r6Xh5KVA

{
    "name": "Samaccountname",
    "dataType": "String",
    "targetObjects": [
        "User"
    ]
}

Use Azure AD Graph Explorer to have a quick test with it.

See details here.

Please note that this API only supports v1.0 Azure AD apps (it doesn't support personal accounts).

Besides, Microsoft strongly recommends that you use Microsoft Graph instead of the Azure AD Graph API to access Azure Active Directory resources. For how to add a custom attribute to an Azure AD user with the Microsoft Graph API, please refer to: Add custom data to users using open extensions.


UPDATE:

I'm sorry for the delay. Please never add an answer when it is not one. You can edit your question to update your post.

A custom attribute in the format "extension_cda8b3eafdfb4aa0b27ca9860634fd74_sAMAccountName" is hosted by Azure AD Graph rather than Microsoft Graph. It's impossible to see the custom attribute through Microsoft Graph.

You could call the AAD Graph API endpoint to get the expected custom attribute:

GET https://graph.windows.net/myorganization/users

Have a quick test in AAD Graph Explorer.

Many thanks, however I realize my question was confusing. In my case the sAMAccountName extension attribute already exists from the on-premise AD Connect synchronization. When you run

    PS C:\Users\HEDEP> (Get-AzureADUser -ObjectId $UserId).ToJson()

you get something like the following among the list:

    "extension_cda8b3eafdfb4aa0b27ca9860634fd74_sAMAccountName": "sac_user"

My apps use https://graph.microsoft.com/oidc/userinfo to get the user claims, but looking at the returned values, it seems very limited and static:

    {
        "sub": "S3FAHBnY4Crv4MA-t8DFIYcUYV6EamxbkD1iAqMBvBg",
        "name": "aaa bbb",
        "family_name": "bbb",
        "given_name": "aaa",
        "picture": "https://graph.microsoft.com/v1.0/me/photo/$value",
        "email": "vv@aa.onmicrosoft.com"
    }

So I'm wondering if there is a way to add the sAMAccountName extension to this list (or indirectly the sAMAccountName value) to make it available for the apps. Which parameter influences this list of claims? Is there room for customization? Hope this helps to better understand my question.
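The thread above leaves the app with two pieces: the static /userinfo claims and a directory user object in which the synchronized attribute appears under an `extension_<appId>_<name>` key. The following is an added example (not code from the question, the answer, or Microsoft) showing how an application could register an extension property in the request shape the answer gives, and how it could read such an attribute from a user object and attach it to the claims it already has. It assumes the key naming convention `extension_<app id without hyphens>_<property name>`; the hyphenated app id, the `userPrincipalName` match against `email`, the decoy all-zero app id and the `samaccountname` claim name are constructed for the sample and are not something the page states.

```python
import re

# Azure AD exposes directory extension properties as attributes named
# extension_<appId without hyphens>_<propertyName>; the pattern checks that shape.
EXTENSION_KEY = re.compile(r"^extension_([0-9a-fA-F]{32})_([A-Za-z0-9]+)$")


def build_extension_property_request(tenant, app_object_id, name, data_type="String"):
    """Build the (url, body) pair for registering an extension property on an
    application through Azure AD Graph, in the shape shown in the answer.
    Nothing is sent; the caller supplies the bearer token and performs the POST."""
    url = (f"https://graph.windows.net/{tenant}/applications/"
           f"{app_object_id}/extensionProperties?api-version=1.5")
    body = {"name": name, "dataType": data_type, "targetObjects": ["User"]}
    return url, body


def extract_extension_attributes(user_json, expected_app_id=None):
    """Collect extension_* attributes from a directory user object.

    When expected_app_id is given (the registering app's id, with or without
    hyphens), attributes registered by any other application are ignored, so a
    property that merely shares the name sAMAccountName cannot be picked up."""
    wanted = expected_app_id.replace("-", "").lower() if expected_app_id else None
    found = {}
    for key, value in user_json.items():
        match = EXTENSION_KEY.match(key)
        if not match:
            continue
        app_id, prop = match.group(1).lower(), match.group(2)
        if wanted is not None and app_id != wanted:
            continue
        found[prop] = value
    return found


def enrich_userinfo(userinfo, user_json, app_id, attribute="sAMAccountName",
                    claim_name="samaccountname"):
    """Return a copy of the /userinfo claims with the extension attribute added
    under claim_name (a constructed claim name, not a standard OIDC claim).

    The directory object must belong to the authenticated user: this sample
    assumes (an assumption, not guaranteed by Azure AD) that the userinfo email
    equals the directory userPrincipalName. Existing claims are never
    overwritten, and the claims come back unchanged when the attribute is absent."""
    upn = (user_json.get("userPrincipalName") or "").lower()
    if upn != (userinfo.get("email") or "").lower():
        raise ValueError("directory object does not match the authenticated user")
    claims = dict(userinfo)
    value = extract_extension_attributes(user_json, app_id).get(attribute)
    if value is not None and claim_name not in claims:
        claims[claim_name] = value
    return claims


# Constructed sample data. The userinfo response mirrors the one quoted in the
# question; the directory object uses the extension name quoted there plus a
# decoy property registered under a different (all-zero placeholder) app id.
SAMPLE_USERINFO = {
    "sub": "S3FAHBnY4Crv4MA-t8DFIYcUYV6EamxbkD1iAqMBvBg",
    "name": "aaa bbb",
    "family_name": "bbb",
    "given_name": "aaa",
    "picture": "https://graph.microsoft.com/v1.0/me/photo/$value",
    "email": "vv@aa.onmicrosoft.com",
}
SAMPLE_USER = {
    "userPrincipalName": "vv@aa.onmicrosoft.com",
    "displayName": "aaa bbb",
    "extension_cda8b3eafdfb4aa0b27ca9860634fd74_sAMAccountName": "sac_user",
    "extension_00000000000000000000000000000000_sAMAccountName": "decoy_user",
}
# The app id that registered the extension, written in hyphenated form as a
# portal would show it (constructed from the 32-hex id in the key above).
SAMPLE_APP_ID = "cda8b3ea-fdfb-4aa0-b27c-a9860634fd74"

if __name__ == "__main__":
    print(build_extension_property_request("contoso.onmicrosoft.com",
                                           "269fc2f7-6420-4ea4-be90-9e1f93a87a64",
                                           "Samaccountname"))
    print(enrich_userinfo(SAMPLE_USERINFO, SAMPLE_USER, SAMPLE_APP_ID))
```

The app id filter is the part worth keeping: without it, any application in the tenant that registers a property called sAMAccountName produces a key that also matches the name, and the last one in the object wins. Pinning the lookup to the id that actually registered the property, and refusing to merge a directory object that does not belong to the authenticated user, keeps the derived claim tied to the right identity.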
