Unable to add additional claims in Token configuration Azure Authentication

I want to add "On-premises SAM Account Name" in the token claim. But I am not getting this option in "Token Configuration" tab. This is for an Angular application with .NET core 8 API.

We have tried the following, but none of it helped

1. Added optional claim to "Manifest"

"optionalClaims": {
...
    "accessToken": [
        {
            "name": "onPremisesSAMAccountName",
            "source": "",
            "additionalProperties": []
        }
    ]
...
}

2. We changed "acceptMappedClaims" to true in the Manifest.

3. We tried with the extension attribute like extension_xxxxxxxxx_AttributeName in the Manifest.

I do not have the complete access to azure portal (as I am not the admin). The admin has confirmed that the "on-premises SAM Account Name" is in sync with Azure from local Active directory.

Question

1. What are the correct steps to get the claim in the token?
2. Is the property name/syntax incorrect?

References

1. Adding custom claims to access token issued by Azure ad
2. Trouble with extension attributes when pulling AAD user data in powershell

You can display onpremisessamaccountname in the access token.

To do it, you need to configure the Azure AD policy:

# Uninstall-Module AzureAD 
# Install-Module AzureADPreview 
# Import-Module AzureADPreview 
# Get-Module -Name AzureADPreview

Connect-AzureAD
 
$Definition = [ordered]@{
    "ClaimsMappingPolicy" = [ordered]@{
        "Version" = 1
        "IncludeBasicClaimSet" = $true
        "ClaimsSchema" = @(
            [ordered]@{
                "Source" = "user"
                "ID" = "onpremisessamaccountname"
                "JwtClaimType" = "onpremisessamaccountname"
            }
        )
    }
}
$pol =  New-AzureADPolicy -Definition ($definition | ConvertTo-Json -Depth 3) -DisplayName ("Policy_" + ([System.Guid]::NewGuid().guid) + "_" + $template.Values.claimsschema.JwtClaimType) -Type "ClaimsMappingPolicy"

Now assign this policy to the Service Principal:

$entApp =  New-AzureADApplication -DisplayName  ("RukClaimsDemoApp_" + $template.Values.claimsschema.JwtClaimType)
$spnob =  New-AzureADServicePrincipal -DisplayName $entApp.DisplayName -AppId $entApp.AppId 

Add-AzureADServicePrincipalPolicy -Id $spnob.ObjectId -RefObjectId $pol.Id 

Get-AzureADServicePrincipalPolicy -Id SPNObjectID

In the Manifest, update the below:

"acceptMappedClaims": true,

"requestedAccessTokenVersion": 2

• Make sure to generate the access token by passing the API scope as api//xx/.default to display the custom claim in access token:

API permissions:

• Make sure to pass scope as api://ClientID/.default to generate the access token.
• After generating the access token, you will see the**onpremisessamaccountname** as claim.

Otherwise, if still the issue persists, you can go to Enterprise application -> Search your application -> Single Sign on -> Under Attributes & Claims, select Edit -> Add new claim -> Under Source, select Attribute and choose user.onpremisessamaccountname -> Save:

This will directly add the claim in the access token without any policy.

All these actions require admin access.

Reference:

inlcude onpemise samaccount in azure ad claims - Microsoft Q&A by soumi-MSFT