
Map extensionAttribute via Custom Claims Mapping policies

Some organisations make use of the extensionAttributes in Active Directory.


In order to make use of these attributes in EzeScan WebApps, some configuration must be completed first.

Sync the attributes to Azure AD

In Microsoft Azure Active Directory Connect select the “Customize synchronization options” option.


In the Optional Features section ensure you have enabled “Directory extension attribute sync”.


On the Directory Extensions screen select the attributes you wish to sync.


Save this setting; on the next sync interval the selected attributes should be synced to Azure AD.

Configure a Custom Claims Mapping policy

Install the AzureADPreview PowerShell module and then connect to Azure AD using a domain admin account.

Install-Module "AzureADPreview"

Import-Module "AzureADPreview"

Connect-AzureAD

Check the extensionAttribute is correctly being synced to Azure AD with the following command:

Get-AzureADUserExtension -ObjectId "user@domain.com"


Modify the variables in the script below and then run it in PowerShell to create the custom claims mapping:

# Set to the Application (client) ID of the app registration in Azure AD
$appID = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
$policyName = "Add extensionAttribute1 to claims"
# Policy definition: keep the basic claim set and add extensionAttribute1 as a JWT claim
$policyDefinition = @('{
    "ClaimsMappingPolicy": {
        "Version": 1,
        "IncludeBasicClaimSet": "true",
        "ClaimsSchema": [
            {
                "Source": "user",
                "ID": "extensionAttribute1",
                "JwtClaimType": "extensionAttribute1"
            }
        ]
    }
}')

# Look up the service principal that belongs to the app registration
$sp = Get-AzureADServicePrincipal -Filter "servicePrincipalNames/any(n: n eq '$appID')"
if (-not $sp) { throw "No service principal found for app id '$appID'" }

# A service principal can carry only one ClaimsMappingPolicy, so remove any existing one first
$existingPolicies = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId | Where-Object { $_.Type -eq "ClaimsMappingPolicy" }
if ($existingPolicies) {
    $existingPolicies | ForEach-Object { Remove-AzureADPolicy -Id $_.Id }
}

# Create the new policy and attach it to the service principal
$policy = New-AzureADPolicy -Type "ClaimsMappingPolicy" -DisplayName $policyName -Definition $policyDefinition
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
Write-Output ("New claims mapping policy '{0}' set for app '{1}'." -f $policy.DisplayName, $sp.DisplayName)

$appID should be set to the client ID of your app registration in Azure AD.

This script has built-in logic to "update" a policy: if you want to make changes, it removes any existing claims mapping policy on the service principal and then recreates it from the definition above.
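The script above hard-codes a single attribute. As an added example (not from the original page), the following PowerShell builds the same ClaimsMappingPolicy definition for one or more extension attributes, validates the JSON before it is submitted, and reads back whichever policy is attached to the service principal so the result can be reviewed. It assumes the AzureADPreview module is imported and Connect-AzureAD has already run; the function names and the app ID are placeholders.

```powershell
# Added example, not part of the original page. Assumes Import-Module AzureADPreview
# and Connect-AzureAD have already been run in this session.

function New-ExtensionClaimsPolicyDefinition {
    # Builds the JSON definition accepted by New-AzureADPolicy -Definition
    param(
        [Parameter(Mandatory)] [string[]] $AttributeNames   # e.g. extensionAttribute1, extensionAttribute2
    )
    $schema = foreach ($name in $AttributeNames) {
        @{ Source = "user"; ID = $name; JwtClaimType = $name }
    }
    $policy = @{
        ClaimsMappingPolicy = @{
            Version              = 1
            IncludeBasicClaimSet = "true"
            ClaimsSchema         = @($schema)
        }
    }
    # -Depth is required: the default depth truncates the nested objects
    $json = $policy | ConvertTo-Json -Depth 10 -Compress
    # Round-trip the text so a malformed definition fails here, not inside New-AzureADPolicy
    $null = $json | ConvertFrom-Json
    return $json
}

function Show-ClaimsMappingPolicy {
    # Prints the ClaimsMappingPolicy currently attached to the app's service principal
    param([Parameter(Mandatory)] [string] $AppId)
    $sp = Get-AzureADServicePrincipal -Filter "servicePrincipalNames/any(n: n eq '$AppId')"
    if (-not $sp) { throw "No service principal found for app id '$AppId'" }
    $policies = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
        Where-Object { $_.Type -eq "ClaimsMappingPolicy" }
    if (-not $policies) {
        Write-Output "No ClaimsMappingPolicy attached to '$($sp.DisplayName)'"
        return
    }
    foreach ($p in $policies) {
        Write-Output "Policy '$($p.DisplayName)' ($($p.Id)) on '$($sp.DisplayName)':"
        # Definition is a list of JSON strings; pretty-print each one for review
        foreach ($d in $p.Definition) { $d | ConvertFrom-Json | ConvertTo-Json -Depth 10 }
    }
}

# Usage (placeholder app id):
# $def = New-ExtensionClaimsPolicyDefinition -AttributeNames "extensionAttribute1", "extensionAttribute2"
# New-AzureADPolicy -Type "ClaimsMappingPolicy" -DisplayName "Add extensionAttributes" -Definition @($def)
# Show-ClaimsMappingPolicy -AppId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
```

Attach the policy with Add-AzureADServicePrincipalPolicy exactly as in the script above; Show-ClaimsMappingPolicy then confirms that the intended definition is the one in effect.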

Next, navigate to Azure AD and edit the app registration manifest:

Find the line that says "acceptMappedClaims": null, and change it to "acceptMappedClaims": true,. Microsoft recommends this setting only for single-tenant apps; a multi-tenant app should use a custom signing key instead.


Finally, save the manifest and allow some time for the change to propagate in Azure AD.

Test the Claim Mapping Policy

Log into EzeScan WebApps using Azure AD.

In the top right corner, click the user's display name and select Settings.


Click on the Claims tab and then look for the newly configured claim:

