Custom Claims in Azure Active Directory | Claims Mapping Policy

Captions
Hi guys, hope you are all doing well. Welcome back to our series on Azure Active Directory. In this video we are going to talk about how to customize the claims that are present in a specific token. Now there is a very specific reason for mentioning the ID token here, because in the sample application I'm going to use, OpenID Connect is implemented as the authentication protocol. So the entire agenda of this video will be knowing how to create a claims mapping policy to send custom claims, and then we'll track the authentication token with the help of Fiddler, and we'll match both the tokens, the first one without the custom policy and the other one with the custom policy, and then we'll match what the difference is in terms of the claims that are present in both tokens.

Now one of the reference use cases that I have tried mentioning here, which may make you guys relate to what exactly we are going to do: if you remember, in ADFS we were adding custom claims, right? So if you remember, in ADFS for every application there is a relying party trust, and for every relying party trust you can create custom claim rules. Likewise, for my first application I will only send the user principal name; similarly, for the second application I will only send the display name; and for my third application I may be sending the department. So this process which we were doing in ADFS is the same thing which we are going to do in Azure AD: we are going to issue a token that will contain custom claims, and that too application-specific. Now here in ADFS you were creating custom claim rules, whereas in Azure AD you have policies. So there is a policy that exists by default for every tenant that includes a specific token type, but similarly you can create custom policies wherein you can add different claims, and then those claims will be added to the token which your Azure AD is sending to the application. So in a nutshell, if your application is contacting Azure AD and there is no custom policy that exists as of now, by default the default policy which exists in Azure AD will embed, or will encode, the required claims in the token, and then Azure AD will send that token to your application.

Now if we talk about the default policy, there are three types of claim sets which are available. The first one is the core claim set; that means claims which will be available in the token even if you create a custom policy, so there are certain claims which will always be available in the token. Then there is the basic claim set; one example is the name claim: it will be there in the token by default, but if you want you can remove it. And then we have the restricted claim set; that means some of the claim types that cannot be customized with any of the policies. So this is how a typical JWT token looks which will be issued by Azure AD. So if we talk about the basic claim set, the name "John" falls under the category of the basic claim set, which can be either included or removed in a particular token which Azure AD is issuing to an application. But if we talk about most of the attributes which are as of now listed in this token, they are the restricted claim set; that means they cannot be transformed, or there is no customization that can be applied to this particular token, or to this particular set of claims, because these are named as the restricted claim set. Now there is an official document for this, and all these attributes are listed in that document, and their type is also defined, so I will be sharing that article in the description section; if you guys want, you can review that particular article.

Now our next step is to check the authentication without any custom policy and see what all claims we are getting. So for this particular video I have already created an application that exists in one of my VMs, and what we will do is we'll launch that particular application and then we will try to sign into this particular application, and at the same time we will also take a Fiddler trace. Now those of you who don't know how to take a Fiddler trace, there is a series on the channel named Ask Protocols, in which I have covered WS-Fed and SAML in a lot more detail, and I have explained how to capture with Fiddler, how to download Fiddler, and what settings are required. After this video, if you really want to reproduce everything that I'm showing right now, just go ahead, watch those videos, get Fiddler downloaded, and in my next video I will be sharing the guide on how to create a sample app. Once you have watched all these videos you'll come to know how to have an application and how to track the traffic with the Fiddler trace. As of now, just see the difference in terms of the claims which are getting added to a particular token.

Now at times this application, which exists in Visual Studio, does take some time, so don't worry, because this is something which is getting executed on your local machine itself. So as of now, as you can see, my application is opened, and if I click on Sign in with Microsoft, I will be signed in to this application. Now in the meanwhile, as I am signing in to this particular application, what's happening is that Azure AD is as of now using the default policy to generate a token for this particular application. Now once the token has been posted to the application, I will be able to view the home page. But now if I come back to my Fiddler and I go to the frame where the token has been redirected to the application, and if I copy this value from here, now what I'll do is I'll open the web page, and I will go to jwt.ms and I will paste this value here. Now as of now you can see I am getting the same token which I was showing you in the example, and now if I paste this in a Notepad, what I will get is the set of information, likewise which are the basic claim set and which are the restricted claim set. So this is how this token looks, and as you can see, name is shown, which is a part of the basic claim set, and all these are the restricted claim set.

So now the next step is to create a policy, map that to my application, and then see whether there is any difference that we get in the token or not. So if I go back to my browser where I'm signed in as global admin, this is the application which I have added, and we are doing all the customization for this particular application, OK? And the process that I have followed to add this application was the option of App registration, wherein I have selected an app that I am developing, so it's a custom app that belongs to this particular directory. Now in order to create a policy that can send custom claims, there is a specific version of the Azure AD PowerShell module required. So the first thing that you have to do in your machine's PowerShell is just run this command, which is Get-Module -ListAvailable -Name AzureADPreview, and then you have to make sure that you have this particular version of the module available on your machine, because there were some issues: one of the modules which was released for AzureADPreview was not working for these policy commands. So if that is the case with you, just make sure that you have this particular version and everything will be in place. Now since you know which version you need, what you can do is type this particular command and the required version will get installed on your particular machine. Now since in my case this module is already installed, that's why it is getting listed over here, so I will not install it; I will just remove this command, and then I will type cls. And now once you have installed the Azure AD module, all you have to do is type Connect-AzureAD. Now in this particular window what you have to type is your global admin credential, because you are creating a policy for your tenant. Now once I type my username and password, then I will be able to create a custom policy, and I will map that policy with one of my service principal objects, and the service principal object is the same application which I have shown you in the portal.

So the command that you have to run is New-AzureADPolicy, and then this definition, as of now, to include the employee ID claim. Now let me tell you guys what all is happening as of now: I am going to create a new Azure AD policy, that is a claims mapping policy, and what I have said is to include the basic claim set. Now if you guys remember, in this particular token I was getting name because name is the basic claim set, OK? Now if I set this value to false, or let's just set this value to false to show you guys how you can remove the basic claim set, OK, I'm setting this value now to false. Now the expected behavior is that when we try to sign in we should not get the name attribute value. The next thing I'm saying is that a new claim has to be introduced, and that it belongs to a user; the value of the attribute that needs to be queried is employee ID, but when that value is sent in the token it has to be named something like this, OK? And this "EmployeeID" that you see here as of now is the name of this particular policy that we are creating, OK? So this is all that is going to happen with this particular policy. Once this policy is created, right, then we will map this policy with our service principal. Now why are we mapping it with the service principal object? Because we are making the customization only for one single application, so that means the kind of configuration that we have done should only impact this particular application, which is OpenID-Connect, right? Only for this application should the employee ID attribute be included in the token. Now the next command that you have to run is Get-AzureADServicePrincipal -SearchString, and let's type the name of your application. Now you have the application's object ID, and then you have the object ID of the policy that you have created. So now what I'll do is I will type Add-AzureADServicePrincipalPolicy -Id; now this requires the object ID of your service principal, which I'm going to paste; and then you have -RefObjectId, that will be the ID of your policy.
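The PowerShell steps above, as an added example that is not the video's own script: it creates the claims mapping policy with the basic claim set switched off and the user's employeeId added under a custom JWT claim type, then binds it to a single service principal. The module, cmdlets and JSON keys are the AzureADPreview ones; the app display name is a placeholder.

```powershell
# Added example (not the video's own script): claims mapping policy for one app.
# Assumes the AzureADPreview module is installed and you sign in as a Global Administrator.
Import-Module AzureADPreview
Connect-AzureAD

# IncludeBasicClaimSet=false removes basic-set claims such as "name";
# ClaimsSchema adds the user's employeeId attribute as the claim employeeid_jwt_claim.
# Core and restricted claim sets are unaffected by this policy.
$definition = @'
{
  "ClaimsMappingPolicy": {
    "Version": 1,
    "IncludeBasicClaimSet": "false",
    "ClaimsSchema": [
      { "Source": "user", "ID": "employeeid", "JwtClaimType": "employeeid_jwt_claim" }
    ]
  }
}
'@

$policy = New-AzureADPolicy -Type 'ClaimsMappingPolicy' -DisplayName 'EmployeeID' -Definition @($definition)

# Bind the policy to exactly one service principal so only that application is affected.
# 'OpenID-Connect-Sample' is a placeholder for the app's display name in your tenant.
$sp = @(Get-AzureADServicePrincipal -SearchString 'OpenID-Connect-Sample')
if ($sp.Count -ne 1) { throw "Expected exactly one service principal, found $($sp.Count)" }
$sp = $sp[0]
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id

# Check the binding before taking a fresh sign-in and a new Fiddler trace.
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId | Select-Object DisplayName, Type, Id
```

The new claim only appears after a fresh sign-in, and only when the employeeId attribute on the user object actually has a value.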
Now that's all you have to do as of now to make sure that you get a claim named employeeid_jwt_claim in the token which Azure AD is now going to issue for this particular application. So now the next step is to switch back to the same machine where we have our application, clear the Fiddler trace, track the new token, and let's see whether we are getting the respective claim or not. In the meanwhile I'll just initiate a sign-out from this particular application so that it will be a new sign-in request. So now I'm going to click on Close, I'm again going to clear my Fiddler, and I'm going to launch the application. Now again, at this time, the expected behavior is that when we decode the token that we are getting now for this fresh authentication, it will contain the employee ID attribute. Now there is one more thing which is very common, and I would like to let you know, guys, that even if you have the policy in place and your configuration is perfect, but you are still not getting a specific token, or a specific claim in a token, then what you also have to make sure is that at the user object level that attribute must contain a value. So to answer this, a null-valued attribute is never added to a token; you will never see a claim mentioned in a token which says employeeid: null; it will never happen in a token. So now as you can see I'm getting the prompt to enter my password; the moment I click on Sign in I will get a new token, which we will decode and check whether the employee ID attribute is mentioned or not. So I'll go to the frame where I get the token, I will copy this, and now I will come back to my browser where I have signed in as GA; the third tab is the one where we will be decoding this new token, and as you can see it is showing here employeeid_jwt_claim: 123456. Now if you see, this is the same name which we have defined.

Now there is one more thing which I can show you guys quickly, and that is graph.microsoft.com, and then you can click on Graph Explorer, sign in with Microsoft and choose the same account with which you signed in as of now, and then over here select beta, and then change it here as well, and instead of me type users, and here just paste the object ID of the user for which you're trying to get the token. Now the reason behind showing you guys how to run this particular query is because, as I've said before, if I remove a particular value from an attribute, or if I'm choosing an attribute for which the user's value is not populated, so as of now if you can see there are many attributes which are null as of now, right, so if I try to create a custom policy for these claims, they will not be present in the token. So a null-valued attribute is never present in the token.

So as you guys can see, there are a lot more things, you know, which we can learn from an application perspective and from the authentication perspective. This video was just to show you guys what all customization can be done for a particular application when it comes to the claims which are getting included in the tokens. But now lately, as per the requests which we have received, we are starting something where we have the membership program on our channel, so if you want to learn advanced troubleshooting of Azure AD, please join our channel, and we have already initiated posting videos for that as well. Now this doesn't mean that I'm going to stop posting videos here; I will post the videos as it was before. It's just that, as per the requests which I was getting on our community post, I have added a couple of videos which are more relevant in terms of explaining how things are working under the hood. So this was all about knowing how you can customize the claims which are available in the token and how to track the authentication with Fiddler. In the next video we are going to talk about how to register an app in your portal, because there is a new experience which has been introduced. Thank you so much guys, thanks for your time. If you have learned something new, please feel free to subscribe; if you want to get access to the member-exclusive content, please join our channel. Thank you so much, thanks for your time.
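To do the before/after comparison from the video in PowerShell instead of pasting each token into jwt.ms, an added example that is not from the video: it decodes the payload segment of two ID tokens and lists the claim names that differ, showing name dropped by the basic-claim-set change and employeeid_jwt_claim added. The two tokens are constructed samples with a dummy signature segment; the code only reads the payload and performs no signature verification.

```powershell
# Added example (not from the video): diff the claim names of two JWTs.
function ConvertFrom-Base64Url([string]$s) {
    # JWT segments use base64url without padding; restore standard base64 first.
    $b = $s.Replace('-', '+').Replace('_', '/')
    switch ($b.Length % 4) { 2 { $b += '==' } 3 { $b += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b))
}
function ConvertTo-Base64Url([string]$s) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
function Get-JwtClaims([string]$jwt) {
    # Compact JWS: header.payload.signature; only the payload is decoded here.
    $parts = $jwt.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWS (expected header.payload.signature)' }
    ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
}
function Compare-JwtClaims([string]$before, [string]$after) {
    $a = (Get-JwtClaims $before).PSObject.Properties.Name
    $b = (Get-JwtClaims $after).PSObject.Properties.Name
    [pscustomobject]@{
        Removed = @($a | Where-Object { $_ -notin $b })
        Added   = @($b | Where-Object { $_ -notin $a })
    }
}

# Constructed sample tokens (not real Azure AD tokens): default policy vs. custom policy.
# Core/restricted claims (aud, iss, oid, preferred_username) stay; name goes, employeeid_jwt_claim arrives.
# A null-valued employeeId would simply be absent from the payload, never present as null.
$header  = ConvertTo-Base64Url '{"typ":"JWT","alg":"RS256"}'
$default = "$header." + (ConvertTo-Base64Url '{"aud":"app-id","iss":"https://login.microsoftonline.com/tenant-id/v2.0","oid":"user-oid","preferred_username":"john@contoso.com","name":"John"}') + '.dummysig'
$custom  = "$header." + (ConvertTo-Base64Url '{"aud":"app-id","iss":"https://login.microsoftonline.com/tenant-id/v2.0","oid":"user-oid","preferred_username":"john@contoso.com","employeeid_jwt_claim":"123456"}') + '.dummysig'

Compare-JwtClaims $default $custom
```

Replace the two constructed strings with the id_token values copied from the Fiddler frames before and after the policy was bound to compare a real pair.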
Info
Channel: Concepts Work
Views: 9,032
Keywords: Azure Active Directory, Authentication, Azure AD, Azure Custom Claims, Azure Authentication
Id: 4wmKLAPvU6c
Length: 18min 40sec (1120 seconds)
Published: Mon Apr 20 2020