Adding Claims in Azure AD v2 id_token

Q

How to include additional claims in Azure AD v2.0 id_tokens?

✍: FYIcenter.com

A

If you want to include additional claims in Azure AD v2.0 id_tokens, you need to modify your application registration in Azure AD.

1. Log in the Azure portal.

2. Select the Azure Active Directory service, and then select App registrations or App registrations (Preview).

3. Select the app you want to configure.

4. From the app's Overview page, select the Manifest section. A web-based manifest editor opens, allowing you to edit the manifest within the portal.

5. Find the "optionalClaims" root level property. Or add it if not exists. The structure of the "optionalClaims" property is like the following example of including "email" claim in the id_token claim:

...
	"oauth2RequirePostResponse": false,
	"optionalClaims": {
		"idToken": [
			{
				"name": "email",
				"source": null,
				"essential": false,
				"additionalProperties": []
			}
		],
		"accessToken": [],
		"saml2Token": []
	},
    "orgRestrictions": [],
...

You can add any of the following optional claims:

ipaddr                    Client IP Address
onprem_sid                On-Premises Security Identifier                  
pwd_exp                   Password Expiration Time
pwd_url                   Change Password URL     
in_corp                   Inside Corporate Network
nickname                  User Nickname   
family_name               User Last Name  
given_name                User First name 
auth_time                 Time of last authentication
tenant_region_scope       Region of the resource tenant
home_oid                  Object ID of the user in home tenant.
sid                       Session ID
platf                     Device platform
email                     User's email address
verified_primary_email    User's first verified email address
verified_secondary_email  User's second verified email address
enfpolids                 Enforced policy IDs
vnet                      VNET specifier information.
fwd                       Forward IP address
ctry                      User’s country 
tenant_ctry               Resource tenant’s country
xms_pdl                   Preferred data location
xms_tpl                   Tenant preferred language
ztdid                     Zero-touch Deployment ID
acct                      Users account status in tenant
upn                       UserPrincipalName claim

 

Validate Azure AD v2 id_token

Azure AD v2 id_token Is Smaller

Azure AD Integration v2.0

⇑⇑ OpenID Tutorials

2019-03-27, 259👍, 0💬