
Attributes and claims are the building blocks of user identity in Azure Active Directory (Azure AD). Attributes are key-value pairs that describe a user, while claims are attributes that are used to make authorization decisions.
Azure AD provides a wide range of attributes that can be used to describe users, including their name, email address, and job title. These attributes can be used to create custom user profiles and to make informed decisions about user access.
Claims are used to make authorization decisions in Azure AD. They are attributes that are evaluated against a set of rules to determine whether a user has the necessary permissions to access a particular resource.
Azure AD User Management
Azure AD User Management is a vital aspect of any organization's identity and access management strategy. User management involves creating, editing, and deleting user accounts, as well as managing user permissions and access to resources.
With Azure AD, you can create user accounts in bulk using CSV files, making it easier to onboard new employees. This feature is particularly useful for large organizations with many new hires.
User attributes, such as department and job title, can be used to create groups and assign permissions in Azure AD. For example, you can create a group for all employees in the sales department and assign them access to specific resources.
Azure AD also supports custom attributes, which allow you to store additional information about your users. This can be useful for storing information such as employee ID numbers or emergency contact details.
User claims, which carry user attributes inside a token, can be used to grant access to resources. For example, a claim can grant access to a resource based on the user's job title.
Azure AD's user management features are also integrated with other Microsoft services, such as Office 365 and Intune. This makes it easier to manage user access and permissions across multiple services.
Password and MFA Settings
Password and MFA settings are crucial for securing your Azure AD B2C environment. The Azure AD B2C password policy is based on Microsoft Entra ID's strong password strength policy.
You can disable the strong password requirement if the accounts you want to migrate have weaker password strength. To do this, set the passwordPolicies attribute to DisableStrongPassword.
Azure AD B2C sign-up or sign-in and password reset policies require strong password strength, and passwords don't expire by default.
Password
Password requirements vary depending on the type of identity. For local identities, the passwordProfile attribute is required and contains the user's password.
A local identity requires a password reset at the next sign-in if the forceChangePasswordNextSignIn attribute is set to true. In that case you need to handle the forced reset by following the instructions for setting up a forced password reset flow.
For federated identities, the passwordProfile attribute isn't required. This means you don't need to worry about password resets for social identities.
Azure AD B2C has a strong password strength policy based on the Microsoft Entra ID strong password strength policy. This policy requires strong password strength for sign-up or sign-in and password reset policies.
If you're migrating accounts with weaker password strength, you can disable the strong password requirement by setting the passwordPolicies attribute to DisableStrongPassword.
Mfa Phone Number
To add, get, update, or delete the phone number used for multifactor authentication (MFA), use the Microsoft Graph phone authentication method API.
In Azure AD B2C custom policies, the phone number is available through the strongAuthenticationPhoneNumber claim type, which gives your policy access to the number for MFA purposes.
The mobile phone is used to verify the user's identity during MFA.
User Extensions
You can write up to 100 extension attributes to any user account. If the b2c-extensions-app application is deleted, those extension attributes are removed from all users along with any data they contain.
Extension attributes in the Graph API are named by using the convention extension_ApplicationClientID_AttributeName, where the ApplicationClientID is the Application (client) ID of the b2c-extensions-app application.
The Application (client) ID, when used to build the name of the extension attribute, is written without its hyphens. For example, with the appId 11112222-bbbb-3333-cccc-4444dddd5555 and the attribute loyaltyId, the property is named extension_11112222bbbb3333cccc4444dddd5555_loyaltyId.
The following data types are supported when defining an attribute in a schema extension: Boolean, DateTime, Integer, and String.
Extension attributes can be created and managed through Microsoft Graph, and are also called directory or Microsoft Entra extensions.
Custom attributes (directory extensions) in the Microsoft Graph API are named by using the convention extension_{appId-without-hyphens}_{extensionProperty-name}, where {appId-without-hyphens} is the stripped version of the appId for the b2c-extensions-app with only characters 0-9 and A-Z.
The supported data types for extension attributes are:
- Boolean
- DateTime
- Integer
- String
Customizing User Flow
To create a custom attribute, you need to sign in to the Azure portal as an External ID User Flow Attribute Administrator of your Azure AD B2C tenant. You can then choose All services, search for and select Azure AD B2C, and select User attributes.
You can only create a custom attribute the first time it's used in any user flow, and not when you add it to the list of User attributes. This means you can't create a custom attribute in the portal experience before using it in your custom policies.
To use a custom attribute in your user flow, you need to select User flows, select your policy, and then select User attributes. You can then select the custom attribute and save the changes.
Here's a step-by-step guide to using a custom attribute in your user flow:
- In your Azure AD B2C tenant, select User flows.
- Select your policy (for example, "B2C_1_SignupSignin") to open it.
- Select User attributes and then select the custom attribute (for example, "ShoeSize"). Select Save.
- Select Application claims and then select the custom attribute.
- Select Save.
Once you've created a new user using the user flow, you can use the Run user flow feature to verify the customer experience. You should now see the custom attribute in the list of attributes collected during the sign-up journey, and it should be included in the token sent back to your application.
Manage Extension via Microsoft Graph
You can use Microsoft Graph to create and manage custom attributes, also known as directory or Microsoft Entra extensions. This is useful for extending the schema of user objects in the directory.
Custom attributes in the Microsoft Graph API are named by using the convention extension_{appId-without-hyphens}_{extensionProperty-name}. For example, if the appId of the b2c-extensions-app application is 11112222-bbbb-3333-cccc-4444dddd5555 and the attribute name is loyaltyId, then the custom attribute is named extension_11112222bbbb3333cccc4444dddd5555_loyaltyId.
You can use the Microsoft Graph API to manage the custom attributes. This allows you to create, read, update, and delete custom attributes for user accounts.
To create a custom attribute, use the Microsoft Graph API to define a new attribute with a specific name and data type. The data types supported for defining an attribute in a schema extension are:
- Boolean
- DateTime
- Integer
- String
You can use the Microsoft Graph API to read the values of custom attributes for a specific user account. This allows you to retrieve the values of custom attributes for a user, such as their loyaltyId.
You can also use the Microsoft Graph API to update the values of custom attributes for a specific user account. This allows you to update the values of custom attributes for a user, such as updating their loyaltyId.
Finally, you can use the Microsoft Graph API to delete custom attributes for a specific user account. This allows you to remove custom attributes from a user account, such as removing their loyaltyId.
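The naming convention and the type rules above, as an added example that is not code from the Microsoft docs: the functions build and parse an extension_{appId-without-hyphens}_{name} property name and assemble the JSON body for a Graph PATCH on a user, rejecting values whose type does not match the declared data type. The GUID check and the letters-and-digits restriction on attribute names are this example's own conservative assumptions.

```python
import re
from datetime import datetime, timezone

# Data types Azure AD B2C supports for a directory extension (listed on the page).
SUPPORTED_TYPES = {"Boolean": bool, "DateTime": datetime, "Integer": int, "String": str}
_GUID_NO_HYPHENS = re.compile(r"^[0-9a-fA-F]{32}$")
_EXT_NAME = re.compile(r"^extension_([0-9a-fA-F]{32})_([A-Za-z][A-Za-z0-9]*)$")


def extension_attribute_name(app_id, attribute):
    """Return extension_{appId-without-hyphens}_{attribute} for the b2c-extensions-app appId."""
    stripped = app_id.replace("-", "")
    if not _GUID_NO_HYPHENS.match(stripped):
        raise ValueError(f"{app_id!r} is not a GUID")
    # Letters and digits only: an assumption of this example, not a documented rule.
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9]*", attribute):
        raise ValueError(f"{attribute!r} is not an acceptable extension attribute name")
    return f"extension_{stripped}_{attribute}"


def parse_extension_attribute_name(name):
    """Split a Graph property name back into (appId-without-hyphens, attribute)."""
    m = _EXT_NAME.match(name)
    if m is None:
        raise ValueError(f"{name!r} is not an extension attribute name")
    return m.group(1), m.group(2)


def graph_patch_body(app_id, declared, values):
    """Build the JSON body for PATCH /users/{id}; `declared` maps attribute -> data type."""
    body = {}
    for attribute, value in values.items():
        kind = declared[attribute]          # KeyError if the attribute was never defined
        expected = SUPPORTED_TYPES[kind]    # KeyError if the data type is unsupported
        # bool is a subclass of int in Python, so an Integer must be checked explicitly.
        if not isinstance(value, expected) or (kind == "Integer" and isinstance(value, bool)):
            raise TypeError(f"{attribute} is declared {kind}, got {type(value).__name__}")
        if kind == "DateTime":
            value = value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        body[extension_attribute_name(app_id, attribute)] = value
    return body


# Constructed sample: the page's example appId plus two custom attributes from the page.
APP_ID = "11112222-bbbb-3333-cccc-4444dddd5555"
DECLARED = {"loyaltyId": "String", "ShoeSize": "Integer", "joinedOn": "DateTime"}

if __name__ == "__main__":
    print(graph_patch_body(APP_ID, DECLARED, {"loyaltyId": "gold-1234", "ShoeSize": 42,
                           "joinedOn": datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)}))
```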
Next Steps and Configuration
Now that you've learned about attributes and claims in Azure AD, it's time to take the next steps.
To add more functionality to your application, learn how to add claims. This will allow you to customize user input and make your application more dynamic.
You can start by learning how to use custom policies, which will enable you to add custom attributes. Replace the built-in claim 'city' with your own custom attributes to get started.
Custom policies can be complex, but with practice, you'll be able to create a robust and efficient system.
Claim Rules and SSO
Claim rules and SSO are crucial components of Azure AD, and understanding how they work together is essential for a seamless user experience. Claim rules allow you to customize the attributes and claims that are passed from Azure AD to your application during single sign-on (SSO) authentication.
To ensure SSO login success, claim rules must match the UPN passed from Azure AD with the UPN in Active Directory. If they don't match, a warning is shown, and login is not granted. To resolve this issue, you can change the default claim rule on the Enterprise App for MyWorkDrive in Azure AD to re-write the UPN to match the UPN in Active Directory.
Here's an example of a RegEx pattern used to re-write the UPN:
(?'domain'^.*?)(?i)(\@company\.com)$
This pattern extracts the upn prefix and writes in a custom domain. The replacement pattern specifies the variable {domain} and enters the domain name you are changing to.
You can test the re-write using the test tool in Azure AD, which validates that the regex correctly re-writes the login.
Microsoft Entra User
As a Microsoft Entra user, you can manage custom attributes, also known as directory or Microsoft Entra extensions, using the Microsoft Graph API. These attributes are named using the convention extension_{appId-without-hyphens}_{extensionProperty-name}, where {appId-without-hyphens} is the stripped version of the appId for the b2c-extensions-app with only characters 0-9 and A-Z.
You can associate a customer account with various identity types, including local identity and federated identity. Local identity stores the username and password locally in the Azure AD B2C directory, while federated identity is managed by a federated identity provider like Facebook or Microsoft.
A user can sign in with multiple identities, such as username, email, employee ID, or government ID, and a single account can have up to 10 objectIdentity objects. Each object contains properties like sign-in name, email address, and issuerAssignedId for federated identities.
To test your claims mapping policy, log in to the Flex Console Single Sign-on settings page and authenticate with the AD user account assigned the extension property. Check the TaskRouter worker attributes in the Twilio Console to ensure all expected attributes are included.
Here are the identity types you can associate with a customer account:
- Local identity
- Federated identity
Each federated identity provider assigns a unique issuerAssignedId to a given user per application or development account. Be sure to configure the Azure AD B2C policy with the same application ID assigned by the social provider, or with another application within the same development account.
Display Name
The display name is a crucial attribute in Azure AD B2C that determines the name to display in the Azure portal user management for the user. It is also used in the access token that Azure AD B2C returns to the application.
In Azure AD B2C, the display name property is required, which means you must provide a value for it.
Password Profile Property
For local identities, the passwordProfile attribute is required and contains the user's password. It's a crucial piece of information that helps Azure AD B2C authenticate users.
The forceChangePasswordNextSignIn attribute indicates whether a user must reset the password at the next sign-in. This is a useful setting for administrators to enforce password security.
To handle a forced password reset, you'll need to set up the forced password reset flow, as instructed.
Modifying Claim Rules for UPN Rewrite in SSO
You can modify claim rules to rewrite the UPN in Azure AD SSO. This is necessary when the UPN passed from Azure AD does not match the UPN in on-premises Active Directory (AD).
The easiest way to rewrite the UPN is with a RegEx: extract the UPN prefix (the name portion before the @domain) and write in a custom domain. For example, if users' UPNs in AD use the domain "@corp.company.com" while their UPNs in Azure AD use "@company.com", you can rewrite the UPN to match their email.
To do this, sign in to Azure and edit the Azure AD (Entra) Enterprise App for your MyWorkDrive SSO. From the Single Sign On panel, click to edit box 2, Attributes & Claims. Click the first entry, the Required Claim, and select the Transformation "RegExReplace()". For Attribute Name, select "user.userprincipalname" at the bottom of the list.
In the RegEx Pattern, specify the domain name you are changing from, i.e., the domain in Azure AD. Retain the formatting and characters as shown in the example:
(?'domain'^.*?)(?i)(\@company\.com)$
In the replacement pattern, specify the variable {domain} and enter the domain name you are changing to, i.e., the domain in AD: {domain}@corp.company.com. You can then use the test tool to validate that the regex correctly rewrites your login.
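A way to check the rewrite offline before changing the claim rule, as an added example that is not from the MyWorkDrive guide: the page's pattern and replacement are translated into Python re syntax (named group and scoped case-insensitive flag; this translation is the example's assumption, since the real transformation runs on the .NET regex engine) and applied to constructed UPNs, including ones that must not be rewritten.

```python
import re

# The page's .NET pattern and replacement, copied verbatim.
DOTNET_PATTERN = r"(?'domain'^.*?)(?i)(\@company\.com)$"
DOTNET_REPLACEMENT = "{domain}@corp.company.com"


def to_python_regex(pattern, replacement):
    """Translate the two .NET constructs the page uses into Python re syntax:
    (?'name'...) becomes (?P<name>...), a mid-pattern (?i) becomes a scoped (?i:...)
    over the rest of the pattern, and {name} in the replacement becomes \\g<name>.
    Anything else passes through unchanged (assumption: no other .NET-only syntax)."""
    py_pattern = re.sub(r"\(\?'(\w+)'", r"(?P<\1>", pattern)
    if "(?i)" in py_pattern:
        head, tail = py_pattern.split("(?i)", 1)
        py_pattern = f"{head}(?i:{tail})"
    py_repl = re.sub(r"\{(\w+)\}", r"\\g<\1>", replacement)
    return py_pattern, py_repl


def rewrite_upn(upn, pattern=DOTNET_PATTERN, replacement=DOTNET_REPLACEMENT):
    """Simulate RegExReplace() on one UPN. Returns None when the pattern does not
    match, so the caller can see which UPNs would still fail to match AD after the rule."""
    py_pattern, py_repl = to_python_regex(pattern, replacement)
    m = re.match(py_pattern, upn)
    return None if m is None else m.expand(py_repl)


def check_rewrites(upns):
    """Map each UPN to its rewritten value, or None when the rule leaves it unmatched."""
    return {upn: rewrite_upn(upn) for upn in upns}


# Constructed sample UPNs: two that should be rewritten and three that must not be,
# showing why the escaped dot and the trailing $ anchor in the pattern matter.
SAMPLE_UPNS = [
    "alice@company.com",             # -> alice@corp.company.com
    "Bob@COMPANY.COM",               # (?i) makes the domain match case-insensitive
    "carol@partner.com",             # different domain: left unmatched
    "dave@companyXcom",              # \. requires a literal dot
    "erin@company.com.example.net",  # $ rejects a longer suffix
]

if __name__ == "__main__":
    for upn, rewritten in check_rewrites(SAMPLE_UPNS).items():
        print(f"{upn:32} -> {rewritten}")
```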
Sources
- https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-profile-attributes
- https://www.twilio.com/docs/flex/admin-guide/setup/sso-configuration/azure-ad/custom-azure-ad-attributes-as-saml-claims
- https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-flow-custom-attributes
- https://www.myworkdrive.com/support/changing-claim-rules-to-re-write-upn-in-azuread-sso/
- https://goteleport.com/docs/admin-guides/access-controls/sso/azuread/