Custom SAML claim configured in multitenant Azure AD app is not copied to this app in another tenant
We are authenticating users of our application using WS-Federation. Up to now, we used single tenant app, created in Azure AD via App registration. Our application expects to get user.employeeid attribute as a SAML claim, and it is configured in a corresponding app in Enterprise applications blade (Single sign-on > Attributes & claims). In app manifest (in app registration), acceptMappedClaims is set to true, to make this work.
Above configuration works perfectly, and now we want to switch to multi-tenant, and in the application code we set valid issuers to tenants AAA and BBB, where AAA is the original one.
When I sign in as a user from BBB, after I consent the app, employeeid claim is not returned. When checking the enterprise app, which was created in BBB after consent, I see that the custom claim is missing, and I have to manually add it. After that, it works perfectly.
Adding the claim manually is not a big problem for me, but I'm curious if it does work that way by design? Do I have to manually add such claims by hand to each tenant which I want to grant access, or maybe I'm missing something, and there is a way to copy such custom claims automatically?
I created an Azure AD Multitenant Application:
Configured SAML claims:
When I signed in with the home tenant user, the claim is displayed like below:
https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=ClientID&response_type=token&redirect_uri=https://jwt.ms&scope=api://xxxx/access_as_user&state=12345&nonce=12345
When I signed in with the other tenant user, the access token did not contain the SAML claim:
Note that: By default, custom claims are tenant specific. If the claims are configured in the tenant A application, then only the claims will be added for tenant A users not other tenant users.
- The custom claims that you have configured in one tenant might not be available in another tenant since each tenant has its own set of claims and attribute mappings.
Hence you had to manually add the claims in the Enterprise application created in the other tenant and it cannot be automated.
I added the custom claim in the Enterprise application created in another tenant:
Now when I tried to sign-in with another tenant user, the access token contains SAML claim:
- Create Azure Key Vault backed secret scope in Databricks with AAD Token
- C# Graph api SDK V5 - Add User to multiple Groups
- Microsoft Azure doesn't return email via Oauth2 flow
- Sign in to Azure Account from VS Code
- Any luck in using AddMicrosoftIdentityWebApp in combination with IdentityServer4?
- Dotnet-Isolated Azure Functions - how to access HttpContext
- vscode-remote-ssh does not work with SSH using Azure AD authentication
- Implementing SSO for Azure AD B2C
- Office 365 Exchange Online permission is not visible for registered application in azure active directory
- "error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."
- Azure AD client credentials generated token does not have claims (EDITED)
- Calling an ASP.NET Core Web API integrated to EntraId app from another .NET Core console app integrated to EntraId app fails
- Correlation failed in net.core / asp.net identity / openid connect
- Generating token for Fabric Rest api using client secret
- Permission based access control using Entra ID with ASP.NET core
- How do I display Job Title in my Next Auth app
- EntraId Authentication / Authorization via .NET & React
- Azure Function app down due to wrong routing template in http trigger binding of a functions
- How can I force trigger MFA, when logging into Azure?
- Azured AD JWT authentication doesn't work for Web API hosted in docker using TestContainer
- azp Claim Missing from Azure AD JWT
- Retrieve all Users from all Groups?
- Cannot get AAD auth token in Logic Apps
- Attempting to set DisableCustomAppAuthentication to false for Azure not working from Powershell
- Using Azure Entra Id I cant see `Office 365 Exchange Online` under `APIs my organization uses`
- New tenant b2clogin URL returns error with "removed or changed"
- Azure Entra ID tokens endpoint issues an expired token
- Azure AD B2C password expiration
- Trouble when creating PowerBI report via JavaScript Client Library
- Azure Active Directory Enterprise App OpenID and User Provisioning (SCIM)