Enterprise Mobility and Security Blog


Howdy folks,

Here’s one of the most common pieces of feedback we get from customers using Azure AD:

“My users are already using the app, and their username isn’t their email address or user principal name. It’s a custom ID that we defined, and I need to get Azure Active Directory to send that value.”

Sound familiar?

If so, I’m happy to announce that our claims editor for gallery apps has been enhanced to allow the selection of extension attributes as the unique user ID.

What is the claims editor?

The claims editor is a user interface in the Azure classic portal that allows you to edit all of the user information (or claims) sent in the SAML tokens to specific apps. This includes the “nameidentifier” claim, which is the one that uniquely identifies the user.


This editor is available for all pre-integrated and custom apps added from the Azure AD application gallery, and can be found under the Attributes tab. The claims editor is described here:

https://azure.microsoft.com/en-us/documentation/articles/active-directory-saml-claims-customization/

What are extension attributes?

Extension attributes are user attributes in Azure Active Directory that can be populated using Azure AD Connect. Any attribute stored in on-premises Active Directory can be mapped to one of these extension attributes; commonly this includes custom identifiers such as the Employee ID mastered in the organization’s HR system.

These extension attributes appear in Azure Active Directory as ExtensionAttribute1 through ExtensionAttribute15. Once synced to Azure AD, you can see and select these extension attributes as the “nameidentifier” claim in the claims editor:


Storing the HR Employee ID in an extension attribute is a very common use case, and virtually any user ID value required by an application can be created in on-premises Active Directory and mapped to an extension attribute using Azure AD Connect.
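As an added example (not code from this post or from Microsoft), here is how an application receiving such a token would read the nameidentifier claim from the SAML Subject and look the user up by Employee ID rather than by email. The assertion, tenant ID, Employee ID format and user table are constructed placeholders, and the assertion's signature is assumed to have been validated before this step.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

# Namespace of a SAML 2.0 assertion (what Azure AD issues).
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the assertion an app receives once the claims editor sends
# ExtensionAttribute1 (holding an HR Employee ID) as the nameidentifier claim.
# Tenant ID, assertion ID and addresses are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-assertion-id" Version="2.0" IssueInstant="2016-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/PLACEHOLDER-TENANT-ID/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">E00123456</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jane@contoso.example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed local user store, keyed by Employee ID (the custom ID), not by email.
LOCAL_USERS: Dict[str, Dict[str, str]] = {"E00123456": {"display": "Jane Doe", "role": "analyst"}}

# Assumed HR Employee ID format: the letter E followed by eight digits.
EMPLOYEE_ID_PATTERN = re.compile(r"^E\d{8}$")


def extract_name_id(assertion_xml: str) -> Tuple[str, str]:
    """Return (Format, value) of the assertion's Subject/NameID, i.e. the nameidentifier claim."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no NameID")
    return name_id.get("Format", ""), name_id.text.strip()


def resolve_user(assertion_xml: str) -> Dict[str, str]:
    """Map the NameID to a local account; reject values that are not a well-formed Employee ID."""
    _fmt, value = extract_name_id(assertion_xml)
    if not EMPLOYEE_ID_PATTERN.fullmatch(value):
        # Typically means the app is still being sent UPN/email instead of the extension attribute.
        raise ValueError(f"unexpected NameID value: {value!r}")
    user = LOCAL_USERS.get(value)
    if user is None:
        raise LookupError(f"no local account for Employee ID {value}")
    return user
```

The format check is what catches a misconfigured app: if the claims editor still sends the UPN, the lookup fails loudly instead of silently creating or matching the wrong account.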

I hope you’ll find this new capability useful! And as always, we would love to hear any feedback or suggestions you have!

Best Regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division