User attributes and claims in azure ad

Your Azure Active Directory Azure AD B2C directory user profile comes with a built-in set of attributes, such as given name, surname, city, postal code, and phone number. You can extend the user profile with your own application data without requiring an external data store. You should not use built-in or extension attributes to store sensitive personal data, such as account credentials, government identification numbers, cardholder data, financial account data, healthcare information, or sensitive background information.

You can also integrate with external systems. For example, you can use Azure AD B2C for authentication, but delegate to an external customer relationship management CRM or customer loyalty database as the authoritative source of customer data.

For more information, see the remote profile solution. The table below lists the user resource type attributes that are supported by the Azure AD B2C directory user profile. It gives the following information about each attribute:

Azure AD B2C extends the set of attributes stored on each user account. Extension attributes extend the schema of the user objects in the directory. The extension attributes can only be registered on an application object, even though they might contain data for a user.

The extension attribute is attached to the application called b2c-extensions-app. You can find this application under Azure Active Directory App registrations.

Configure group claims for applications with Azure Active Directory


Note: Up to extension attributes can be written to any user account. If the b2c-extensions-app application is deleted, those extension attributes are removed from all users along with any data they contain. If an extension attribute is deleted by the application, it's removed from all user accounts and the values are deleted.

You use the underlying name when you run Graph API queries to create or update user accounts.
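As an added example (not Microsoft's code and not a sample from this page), the following Python builds the underlying property name of a B2C extension attribute and the Microsoft Graph PATCH body that sets it. It assumes the documented naming rule extension_<client ID of b2c-extensions-app without hyphens>_<AttributeName>; the client ID, attribute names and values below are constructed placeholders, and the sensitive-name check is a conservative guard added here to match the advice above about what must not be stored in these attributes.

```python
"""Azure AD B2C extension attribute names and Graph user payloads (added example)."""
import json
import re
import uuid

# Constructed placeholder: in a real tenant this is the "Application (client) ID"
# of the b2c-extensions-app registration (Azure Active Directory > App registrations).
B2C_EXTENSIONS_APP_CLIENT_ID = "11111111-2222-3333-4444-555555555555"

# Name fragments that suggest data the page says must not live in an attribute.
_SENSITIVE_NAME_HINTS = ("password", "ssn", "credential", "card", "iban", "secret")


def extension_attribute_name(attribute_name, app_client_id=B2C_EXTENSIONS_APP_CLIENT_ID):
    """Return the underlying property name used in Graph API queries.

    Assumed rule: extension_<client id without hyphens>_<AttributeName>.
    """
    # A malformed client id must fail loudly rather than produce a bogus property name.
    uuid.UUID(app_client_id)
    # Assumption: attribute names are plain alphanumeric identifiers (the underscore
    # is the separator in the generated name, so it cannot appear inside the name).
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9]*", attribute_name):
        raise ValueError(f"invalid extension attribute name: {attribute_name!r}")
    if any(hint in attribute_name.lower() for hint in _SENSITIVE_NAME_HINTS):
        raise ValueError(f"refusing extension attribute {attribute_name!r}: "
                         "looks like sensitive personal data")
    return f"extension_{app_client_id.replace('-', '')}_{attribute_name}"


def user_patch_body(values):
    """JSON body for PATCH /users/{id} that writes the given extension attribute values."""
    body = {extension_attribute_name(name): value for name, value in values.items()}
    return json.dumps(body, sort_keys=True)


def is_extension_attribute(property_name):
    """Recognise an extension attribute property name in a user object returned by Graph."""
    return re.fullmatch(r"extension_[0-9a-fA-F]{32}_[A-Za-z][A-Za-z0-9]*", property_name) is not None


if __name__ == "__main__":
    print(extension_attribute_name("LoyaltyNumber"))
    print(user_patch_body({"LoyaltyNumber": "LN-0001", "PreferredStore": "Oslo"}))
```

The same generated name is what appears in the user object when you read it back with Graph, so `is_extension_attribute` can be used to separate extension data from built-in attributes when processing query results.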


- Whether the user account is enabled or disabled: true if the account is enabled, otherwise false.
- Whether consent has been provided for a minor. Allowed values: null, granted, denied, or notRequired.
- Example: "US" or "UK".
- Legal age group classification. Read-only and calculated based on the ageGroup and consentProvidedForMinor properties.

Apps are often said to be claims-aware, or claims-based, and often not much more explanation is given.

But what does this mean? The short answer is that claims are in most cases the same as an attribute or property of the user object. For instance the user Bob could have a claim with the name "email" and the value "bob@contoso.com".

The way the claim is a part of the user object depends on the type of solution you are working on. If you are creating a line of business app which will run in an on-prem environment in close proximity to a farm of domain controllers maybe you don't use claims as part of the login process. Maybe you perform authentication to authorize the user, but whenever you need to know something about the user you make a direct query against Active Directory.

If you were to sign in to your mobile operator's end-user portal however you probably would not be in their Active Directory, and the phone number is possibly stored in the token you receive upon signing in. You should restrict yourself to key pieces of info needed directly in the app, or attributes commonly used for enabling other lookups.

An example of using claims for looking up other info would be the example of the mobile operator login. You as a user consider the phone number to be the identifier, but the mobile operator might not use that as an identifier because there are multiple levels in the hierarchy that you don't see.

This could be how a phone number might have one user as the end-user, whereas a different entity user or company might be the legal owner of the subscription. And a subscription might have more than one phone number in case you have a separate sim card for data traffic on a tablet. This means that there could very well be a chance they are using an id that means nothing to you, but would be very relevant for the web app to have knowledge of.

So behind the scenes that id is stored in a claim. Note that this identifier is not something kept secret from you, there's just no intrinsic value for you to be aware of it. Or take a video streaming app that works in multiple countries. When you sign up your country is returned in a claim, so that when you initiate streaming the app contacts servers specific for that country.

This is a hypothetical use case; this is not how a global streaming company would do it - Content Delivery Networks are more likely to be involved to solve this in a good manner. In an enterprise setup where everything is running in the same datacenter, and everything is behind the same firewall, and controlled by the same people, one could argue that it's not as important.

The developer might be able to solve the use case with or without the use of claims. When you start developing apps that work across multiple tenants, and possible federating with other identity providers, things get more complicated. Let's say you have a web app that offers login through Facebook.

It's perfectly valid to not implement a user management system of your own, and rely on third-parties, but it would still be required to know something about the user. For instance the web app could use johndoe@facebook.com. Facebook would certainly have both your given name and surname stored in their records. But they wouldn't allow other apps than their own to tap directly into that database.

This is solved by adding claims to your token when logging in. The web app can then use these properties without ever having access to your entire Facebook profile. The challenge with integrating identity providers and using the claims provided is that there is no standard for what you can expect to get.

Facebook might be ok with returning claims that Google does not provide, and vice versa. This means that if you are implementing an app you should always check to see that you get the info you need from the identity providers you support. As an end-user it can also be a confusing experience. Using a Google account might be very convenient for signing in, but Google might know a lot about you, and you might not want to share all of that with a third-party.

Azure Active Directory can provide a user's group membership information in tokens for use within applications.

Two main patterns are supported:


Many applications configured to authenticate with AD FS rely on group membership information in the form of Windows AD group attributes. An app that has been moved from AD FS needs claims in the same format. Those attributes aren't available on groups created in Azure Active Directory or Office. Applications configured in Azure Active Directory to get synced on-premises group attributes get them for synced groups only.

Applications can call the MS Graph groups endpoint to obtain group information for the authenticated user. This call ensures that all the groups a user is a member of are available even when there are a large number of groups involved. Group enumeration is then independent of token size limitations. However, if an existing application expects to consume group information via claims, Azure Active Directory can be configured with a number of different claims formats.

Consider the following options: Group membership claims can be emitted in tokens for any group if you use the ObjectId format.


Synchronize group names from Active Directory

Before Azure Active Directory can emit the group names or on-premises group SID in group or role claims, the required attributes need to be synchronized from Active Directory. You must be running Azure AD Connect version 1. or later; if you are on an earlier version of Azure AD Connect than 1., upgrade to the current version.

Configure the application registration in Azure Active Directory to include group claims in tokens

Group claims can be configured in the Enterprise Applications section of the portal, or using the Application Manifest in the Application Registrations section. Only groups synchronized from Active Directory will be included in the claims.

To emit only groups assigned to the application, select Groups Assigned to the application. Groups assigned to the application will be included in the token. Other groups the user is a member of will be omitted. With this option nested groups are not included and the user must be a direct member of the group assigned to the application. See the document Assign a user or group to an enterprise app for details of managing group assignment to applications.

Customize the name of the group claim: If selected, a different claim type can be specified for group claims. Enter the claim type in the Name field and the optional namespace for the claim in the namespace field.

Some applications require the group membership information to appear in the 'role' claim. You can optionally emit the user's groups as roles by checking the 'Emit groups as role claims' box.

If the option to emit group data as roles is used, only groups will appear in the role claim. Any Application Roles the user is assigned will not appear in the role claim. To change the group claim configuration, click on the group claim in the Additional claims list. Group claims can also be configured in the Optional Claims section of the Application Manifest. By default, Group ObjectIDs will be emitted in the group claim value. To modify the claim value to contain on-premises group attributes, or to change the claim type to role, use OptionalClaims configuration as follows:
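The configuration itself is not reproduced on this page, so the following is an added example (not Microsoft's code and not the page's own sample) that generates the group-claim portion of an application manifest in Python and lists the caveats the text above attaches to each choice. It assumes the manifest property names used by Azure AD app registrations, groupMembershipClaims and optionalClaims with idToken, accessToken and saml2Token lists, and the additionalProperties values that select the on-premises attribute format or emit_as_roles; the requested configuration is constructed.

```python
"""Group-claim fragment of an Azure AD application manifest (added example)."""
import json

# Assumed manifest values (see lead-in). Which groups to emit at all:
GROUP_MEMBERSHIP_CLAIMS = {"None", "SecurityGroup", "All", "ApplicationGroup"}
TOKEN_TYPES = ("idToken", "accessToken", "saml2Token")
# additionalProperties that change the group claim value; with none of them
# the claim carries group ObjectIds, the default described above.
ONPREM_FORMATS = {"sam_account_name", "dns_domain_and_sam_account_name",
                  "netbios_domain_and_sam_account_name", "cloud_displayname"}


def group_claims_manifest(token_types, membership="SecurityGroup",
                          onprem_format=None, emit_as_roles=False):
    """Return the manifest fragment (a dict) for the requested group claim setup."""
    if membership not in GROUP_MEMBERSHIP_CLAIMS:
        raise ValueError(f"groupMembershipClaims must be one of {sorted(GROUP_MEMBERSHIP_CLAIMS)}")
    unknown = set(token_types) - set(TOKEN_TYPES)
    if unknown:
        raise ValueError(f"unknown token type(s): {sorted(unknown)}")
    if onprem_format is not None and onprem_format not in ONPREM_FORMATS:
        raise ValueError(f"unknown group claim format {onprem_format!r}")

    additional = []
    if onprem_format:
        additional.append(onprem_format)
    if emit_as_roles:                       # groups land in the 'role' claim instead
        additional.append("emit_as_roles")
    claim = {"name": "groups", "source": None, "essential": False,
             "additionalProperties": additional}
    return {
        "groupMembershipClaims": membership,
        # Every token type keeps its own list; types not requested stay empty.
        "optionalClaims": {t: ([dict(claim)] if t in token_types else []) for t in TOKEN_TYPES},
    }


def caveats_for(manifest):
    """Review notes for a fragment, mirroring the constraints stated in the text."""
    notes = []
    claims = [c for lst in manifest["optionalClaims"].values() for c in lst if c["name"] == "groups"]
    props = {p for c in claims for p in c["additionalProperties"]}
    if "emit_as_roles" in props:
        notes.append("groups are emitted in the role claim; application roles assigned "
                     "to the user will not appear in that claim")
    if props & (ONPREM_FORMATS - {"cloud_displayname"}):
        notes.append("on-premises group attributes are only present for groups synchronized "
                     "from Active Directory; cloud-only groups are omitted")
    if manifest["groupMembershipClaims"] == "All":
        notes.append("'All' can exceed token size limits for users in many groups; "
                     "consumers must be prepared to query Microsoft Graph instead")
    return notes


def to_manifest_json(manifest):
    """Serialise the fragment the way it would be pasted into the manifest editor."""
    return json.dumps(manifest, indent=2)


if __name__ == "__main__":
    fragment = group_claims_manifest(["idToken", "saml2Token"],
                                     onprem_format="sam_account_name", emit_as_roles=True)
    print(to_manifest_json(fragment))
    for note in caveats_for(fragment):
        print("note:", note)
```

Because the manifest is applied per token type, an application that consumes group claims from an ID token and from an access token must list both; the example leaves any type it was not asked about as an empty list rather than omitting the key.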

If you want the groups in the token to contain the on-premises AD group attributes, specify which token type the optional claim should be applied to in the optional claims section.

Is there a specification on what attributes are provided by default?

Thanks for your response. Both of these use SAML. While you can specify attributes in the 'custom app' approach, you have no control over them in the other approach as there is no such option.

User profile attributes

What are the attributes released in the non-custom app approach? It also appears to me that you cannot use the Graph API in the 'custom app' approach as there are no options I may be mistaken here to specify them.

So my other question is 'how do I specify graph api use with the custom app approach'? In Azure AD there are 2 different ways you can integrate the application. When you click on the New Application button in the Enterprise application it will take you to the App Gallery.

These are all the verified application templates and you can use them as needed. Also to note up to 10 apps per user are free. For Azure AD Premium this is unlimited. Do not use SAML application from there because you cannot customize the claims there.

Thanks, Hari. Tuesday, December 8, PM.

I have added few custom attributes e. At first glance, the MS Graph Explorer looks like it should work. What you do get if you run the below:

At present, no Office workloads consume these attributes as these are for LOB applications that consume these via the Graph API (this is mentioned at the start of the link that you provided).

I forgot to mention that I have already tried in Azure Graph Explorer and MS Graph Explorer, however it did not work out! I am still figuring out which is the right query request to access such custom properties from Azure AD. To verify whether it's available, I have tried the following URL:

These are 2 different identifiers.

Yes, that's absolutely right - I was trying with the app ID. Now, through the following request in Azure Graph Explorer, I found out those custom property names:

Then, I tried to access them through Microsoft Graph Explorer to see the values of those properties for a specific user as follows:

Actually, the value of Service Line for this user on-premises is "Service Line A" and I want to access the value of this property:

Note: just for information, the value of the user's Service Line attribute in on-premises AD is as indicated in the screen:

That's odd as it looks like the attribute isn't there. To give any further help, I'd have to set up my own AD and sync it in. Do you have any other custom attributes that you can test this with?

The fact that it does not generate an error but returns a blank result indicates that the criteria is not met and therefore the returned result is expected.

I understand, I have tried with two other attributes with all the right queries and parameters and it's still the same issue! I am in discussion with the Microsoft support team to know the root cause of it further! If yes - how? I have set the value of custom attributes for one user through the Office admin portal as indicated in the following screen:

As you mentioned, Graph API was right, but in my case, it was an issue with attribute synchronization for the "user1" as attributes were not getting updated in Azure AD and therefore, even with the right API request, it was not returning the attribute values.

Application developers can use optional claims in their Azure AD applications to specify which claims they want in tokens sent to their application.

While optional claims are supported in both v1. One of the goals of the v2. As a result, several claims formerly included in the access and ID tokens are no longer present in v2. The set of optional claims available by default for applications to use are listed below. To add custom optional claims for your application, see Directory Extensions below.

When adding claims to the access token, the claims apply to access tokens requested for the application (a web API), not claims requested by the application. No matter how the client accesses your API, the right data is present in the access token that is used to authenticate against your API. The majority of these claims can be included in JWTs for v1. Consumer accounts support a subset of these claims, marked in the "User Type" column.

These claims are always included in v1. Some optional claims can be configured to change the way the claim is returned. This OptionalClaims object causes the ID token returned to the client to include a upn claim with the additional home tenant and resource tenant information. The upn claim is only changed in the token if the user is a guest in the tenant that uses a different IDP for authentication.
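The claims an API reads, whether upn, groups or roles, are only trustworthy after the token's signature and audience have been checked, and the audience check is what enforces the point made next: tokens are minted from the resource's manifest, so a token issued for another resource such as Microsoft Graph must be rejected by your API even though it came from the same tenant. The following Python is an added example (not Microsoft's code or a library API). Real Azure AD tokens are RS256-signed and validated against the tenant's published keys; to run offline this example signs with HS256 and a constructed shared secret, the claim values are constructed, and the audience URI is a placeholder. The claim names used (aud, exp, upn, groups, roles, _claim_names, hasgroups) are the standard Azure AD token claim names.

```python
"""Validate an Azure AD style JWT and read its optional/group claims (added example)."""
import base64
import hashlib
import hmac
import json
import time

APP_AUDIENCE = "api://example-app"   # constructed placeholder for the web API's identifier


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_test_token(claims, key):
    """Constructed HS256 token used only to exercise the validator below."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_token(token, key, audience=APP_AUDIENCE, now=None):
    """Check signature, expiry and audience; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token's own header must not choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    # Access tokens are generated from the resource's manifest, so a token for the
    # Graph API carries Graph's audience and must not be accepted by this API.
    if claims.get("aud") != audience:
        raise ValueError(f"wrong audience {claims.get('aud')!r}")
    return claims


def group_memberships(claims, groups_in_roles=False):
    """Return (group ids, overage).

    groups_in_roles reflects the app's manifest: with emit_as_roles the groups are in
    the 'roles' claim and application roles are absent. overage=True means the token
    omitted the groups (too many) and they must be fetched from Microsoft Graph.
    """
    names = claims.get("_claim_names") or {}
    if "groups" in names or claims.get("hasgroups"):
        return [], True
    claim = "roles" if groups_in_roles else "groups"
    return list(claims.get(claim) or []), False


if __name__ == "__main__":
    key = b"constructed-test-secret"
    token = mint_test_token({"aud": APP_AUDIENCE, "upn": "bob@contoso.com",
                             "exp": int(time.time()) + 600, "groups": ["g1", "g2"]}, key)
    checked = validate_token(token, key)
    print(checked["upn"], group_memberships(checked))
```

The `now` parameter exists so the expiry check can be tested deterministically; a production validator would additionally check the issuer (tid) and obtain the signing key from the tenant's key endpoint rather than a shared secret.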

Access tokens are always generated using the manifest of the resource, not the client. Changing the manifest for your application will never cause tokens for the Microsoft Graph API to look different. In order to validate that your accessToken changes are in effect, request a token for your application, not another app. From the Manage section, select Manifest. A web-based manifest editor opens, allowing you to edit the manifest.

Optionally, you can select Download and edit the manifest locally, and then use Upload to reapply it to your application. For more information on the application manifest, see the Understanding the Azure AD application manifest article.

When finished, select Save. Now the specified optional claims will be included in the tokens for your application.

Today, Microsoft identity platform supports single sign-on (SSO) with most enterprise applications, including both applications pre-integrated in the Azure AD app gallery as well as custom applications. And then, the application validates and uses the token to log the user in instead of prompting for a username and password. These SAML tokens contain pieces of information about the user known as claims.

A claim is information that an identity provider states about a user inside the token they issue for that user. To view or edit the claims issued in the SAML token to the application, open the application in Azure portal.

Select the attribute or transformation you want to apply to the attribute. Optionally, you can specify the format you want the NameID claim to have. If no format is specified Microsoft identity platform will use the default source format associated with the claim source selected. From the Choose name identifier format dropdown, you can select one of the following options.

How to: Provide optional claims to your app

Transient NameID is also supported, but is not available in the dropdown and cannot be configured on Azure's side. You can select from the following options. For more info, see Table 3: Valid ID values per source. You can also assign any constant static value to any claims which you define in Azure AD. Please follow the below steps to assign a constant value:

Enter the constant value without quotes in the Source attribute as per your organization and click Save. In Manage claim, select Transformation as the claim source to open the Manage transformation page. Select the function from the transformation dropdown. Depending on the function selected, you will have to provide parameters and a constant value to evaluate in the transformation. Refer to the table below for more information about the available functions. To apply multiple transformations, click on Add transformation.

You can apply a maximum of two transformations to a claim. For example, you could first extract the email prefix of the user. Then, make the string upper case. If you need additional transformations, submit your idea in the feedback forum in Azure AD under the SaaS application category.

You can specify the source of a claim based on user type and the group to which the user belongs. One scenario where this is helpful is when the source of a claim is different for a guest and an employee accessing an application. You may want to specify that if the user is an employee the NameID is sourced from user. The order in which you add the conditions is important.
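To make the two rules above concrete (at most two transformations per claim, and conditions evaluated in order with the first match deciding the source), here is an added Python model of the claim pipeline. It is not Azure AD's implementation: it reproduces the documented behaviour for a handful of functions named like the portal's (ExtractMailPrefix, ToUppercase, ToLowercase, Join), reads attributes in the portal's user.<attribute> form, and the user records, group IDs and rules are constructed.

```python
"""Model of SAML claim transformations and conditional claim sources (added example)."""
MAX_TRANSFORMATIONS = 2

# Transformation name -> function(value, params). Only these four are modelled.
TRANSFORMATIONS = {
    "ExtractMailPrefix": lambda v, p: v.split("@", 1)[0],
    "ToUppercase": lambda v, p: v.upper(),
    "ToLowercase": lambda v, p: v.lower(),
    "Join": lambda v, p: f"{v}{p.get('separator', '')}{p['suffix']}",
}


def apply_transformations(value, steps):
    """steps: ordered list of (function name, params). Enforces the two-step limit."""
    if len(steps) > MAX_TRANSFORMATIONS:
        raise ValueError(f"at most {MAX_TRANSFORMATIONS} transformations per claim")
    for name, params in steps:
        if name not in TRANSFORMATIONS:
            raise ValueError(f"unknown transformation {name!r}")
        value = TRANSFORMATIONS[name](value, params)
    return value


def user_attribute(user, source):
    """Resolve a 'user.<attribute>' source against a user record (a dict)."""
    prefix, _, attr = source.partition(".")
    if prefix != "user" or attr not in user:
        raise KeyError(f"unknown claim source {source!r}")
    return user[attr]


def resolve_claim(user, conditions, default_source, steps=()):
    """Pick the claim source by condition, then transform.

    conditions: ordered list of (user_type, group_id or None, source). A condition
    matches when user_type is 'Any' or equals the user's type and, if a group is
    given, the user is in that group. The first match wins, so order matters;
    with no match the default source is used.
    """
    source = default_source
    for user_type, group_id, cond_source in conditions:
        type_ok = user_type in ("Any", user["userType"])
        group_ok = group_id is None or group_id in user["groups"]
        if type_ok and group_ok:
            source = cond_source
            break
    return apply_transformations(user_attribute(user, source), list(steps))


if __name__ == "__main__":
    # Constructed users: an employee (Member) and a B2B guest.
    employee = {"userType": "Member", "mail": "bob@contoso.com",
                "userprincipalname": "bob@contoso.com", "groups": ["g-staff"]}
    guest = {"userType": "Guest", "mail": "ann@partner.example",
             "userprincipalname": "ann_partner.example#EXT#@contoso.onmicrosoft.com", "groups": []}
    # Guests get NameID from mail; employees in g-staff from UPN; everyone else from mail.
    rules = [("Guest", None, "user.mail"), ("Member", "g-staff", "user.userprincipalname")]
    for u in (employee, guest):
        print(resolve_claim(u, rules, "user.mail", [("ExtractMailPrefix", {}), ("ToUppercase", {})]))
```

Swapping the two rules changes nothing for these users because their types differ, but a rule on ("Any", None, ...) placed first would shadow every rule after it, which is the ordering pitfall the text warns about.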