Enterprise Applications: Claims Mapping Policy
Using Microsoft Graph to create an Azure AD Claims Mapping Policy for assignment to a Service Principal.
PowerShell
<#
Step 1
Define your Claim Mapping Policy
Mapping onpremisessamaccountname to
JWT: onpremisessamaccountname and SAML Claim: employeeId
#>
Connect-MgGraph -Scopes 'Policy.ReadWrite.ApplicationConfiguration'
# Definition is a string array holding a single JSON document.
# Source "user" + ID "onpremisessamaccountname" is the directory attribute being mapped;
# JwtClaimType / SamlClaimType are the claim names the application will see.
$params = @{
Definition = @(
'{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true","ClaimsSchema":' +
'[{"Source":"user",' +
'"ID":"onpremisessamaccountname",' +
'"SamlClaimType":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/employeeid",' +
'"JwtClaimType":"onpremisessamaccountname"}]}}'
)
DisplayName = "CMP 01 - onpremisessamaccountname"
IsOrganizationDefault = $false
}
# Returns the new policy object; note its Id for Step 2.
New-MgPolicyClaimMappingPolicy -BodyParameter $params
<#
Step 2
Apply your Claim Mapping Policy to your Service Principal
#>
Connect-MgGraph -Scopes @('Policy.ReadWrite.ApplicationConfiguration', 'Application.ReadWrite.All')
# List existing policies and their Ids if you did not capture the Id in Step 1:
# Get-MgPolicyClaimMappingPolicy | Format-List
$claimsMappingPolicyId = '<The ID of the policy made earlier>'
$servicePrincipalObjectId = '<The service principal object ID of your Application Registration>'
# The $ref POST links the policy to the service principal by its full Graph URL.
$odata = "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/$claimsMappingPolicyId"
$body = @{
"@odata.id" = $odata
}
$params = @{
'Method' = 'POST';
# Backtick escapes the $ in $ref so PowerShell does not expand it as a variable.
'Uri' = "v1.0/servicePrincipals/$servicePrincipalObjectId/claimsMappingPolicies/`$ref";
'Body' = $body;
}
Invoke-MgGraphRequest @params
<#
Step 3
Edit the Application Manifest in the Azure Portal to allow mapped claims:
"acceptMappedClaims": true
The target application will now receive the additional claim on user sign-in:
{
"name": "john smith",
"oid": "...",
"preferred_username": "john.smith@sometenant.onmicrosoft.com",
"onpremisessamaccountname": "john.smith"
}
#>
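Once the three steps are done, the following added script (not part of the original notes) audits what a service principal will actually emit: it lists the claims mapping policies assigned to it, decodes each policy Definition into a readable table, and checks whether the owning app registration has acceptMappedClaims set as required by Step 3. It assumes the Microsoft.Graph module is installed and reuses the $servicePrincipalObjectId placeholder from Step 2.

```powershell
# Added audit example; read-only scopes are enough for this check.
Connect-MgGraph -Scopes @('Policy.Read.All', 'Application.Read.All')

$servicePrincipalObjectId = '<The service principal object ID of your Application Registration>'
$sp = Get-MgServicePrincipal -ServicePrincipalId $servicePrincipalObjectId

# Policies linked through servicePrincipals/{id}/claimsMappingPolicies (the $ref from Step 2)
$policies = Get-MgServicePrincipalClaimMappingPolicy -ServicePrincipalId $sp.Id
if (-not $policies) {
    Write-Warning "No claims mapping policy is assigned to '$($sp.DisplayName)'."
}

foreach ($policy in $policies) {
    # Definition is a string array containing one JSON document
    $definition = ($policy.Definition -join '') | ConvertFrom-Json
    $schema = $definition.ClaimsMappingPolicy.ClaimsSchema
    Write-Host "Policy '$($policy.DisplayName)' ($($policy.Id)) emits:"
    $schema | ForEach-Object {
        # Each schema entry maps a source attribute to a JWT and/or SAML claim type.
        # Extension attributes use ExtensionID instead of ID.
        [pscustomobject]@{
            Source        = $_.Source
            Attribute     = if ($_.ID) { $_.ID } else { $_.ExtensionID }
            JwtClaimType  = $_.JwtClaimType
            SamlClaimType = $_.SamlClaimType
        }
    } | Format-Table -AutoSize
}

# Step 3 check: the app registration behind this service principal must accept mapped claims
$app = Get-MgApplication -Filter "appId eq '$($sp.AppId)'"
if ($app.Api.AcceptMappedClaims -eq $true) {
    Write-Host "acceptMappedClaims is true on '$($app.DisplayName)'; mapped claims will be issued."
} else {
    Write-Warning "acceptMappedClaims is not set on '$($app.DisplayName)'; apply Step 3 or the claim will not appear."
}
```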
Dependencies
Microsoft Graph SDK for PowerShell
Install-Module Microsoft.Graph -AllowClobber -Force
Connect-MgGraph
Using the Microsoft Graph Command Line Tools Enterprise Application:
Connect-MgGraph -Scopes @('')
Using an existing Access Token:
Connect-MgGraph -AccessToken (ConvertTo-SecureString 'ey..' -AsPlainText -Force)
Using an Application Registration (Platform: Mobile and desktop applications, redirect http://localhost):
Connect-MgGraph -ClientId 'abc..' -TenantId 'abc..'
Using a ClientId and Secret (Password):
$tenantId = ''
$clientId = ''
$secret = ConvertTo-SecureString '' -AsPlainText -Force
$secretCredential = New-Object System.Management.Automation.PSCredential ($clientId, $secret)
$params = @{
'SecretCredential' = $secretCredential
'TenantId' = $tenantId
}
Connect-MgGraph @params