Map extensionAttribute via Custom Claims Mapping policies
Some organisations make use of the extensionAttributes (extensionAttribute1 to extensionAttribute15) on user objects in on-premises Active Directory.
![image-20240523-224639.png](../../__attachments/389414926/image-20240523-224639.png?inst-v=07fa0a6f-b123-4c6b-81ef-d6cec6796582)
To use these attributes in EzeScan WebApps, some configuration must be completed first: the attributes need to be synced to Azure AD, emitted in the token through a custom claims mapping policy, and accepted by the app registration.
Sync the attributes to Azure AD
In Microsoft Azure Active Directory Connect, select “Customize synchronization options”.
![image-20240523-235252.png](../../__attachments/389414926/image-20240523-235252.png?inst-v=07fa0a6f-b123-4c6b-81ef-d6cec6796582)
In the Optional Features section ensure you have enabled “Directory extension attribute sync”.
![image-20240524-000126.png](../../__attachments/389414926/image-20240524-000126.png?inst-v=07fa0a6f-b123-4c6b-81ef-d6cec6796582)
On the Directory Extensions screen select the attributes you wish to sync.
![image-20240524-000336.png](../../__attachments/389414926/image-20240524-000336.png?inst-v=07fa0a6f-b123-4c6b-81ef-d6cec6796582)
Save this setting. The selected attributes are synced to Azure AD on the next sync interval (or sooner if you run a delta sync manually on the Azure AD Connect server).
Configure a Custom Claims Mapping policy
Install the AzureADPreview PowerShell module and connect to Azure AD using an account that holds a suitable Azure AD administrator role (for example Global Administrator). An on-premises domain admin account only works here if it also holds such a role in Azure AD. Note that Microsoft has deprecated the AzureAD and AzureADPreview modules in favour of Microsoft Graph PowerShell; the cmdlets below still work while the module is installed.

```powershell
Install-Module "AzureADPreview"
Import-Module "AzureADPreview"
Connect-AzureAD
```
Check that the extensionAttribute is being synced to Azure AD with the following command. The output lists the user's extension properties; confirm the attribute you selected appears with the value set in on-premises AD:

```powershell
Get-AzureADUserExtension -ObjectId "user@domain.com"
```
![image-20240523-024107.png](../../__attachments/389414926/image-20240523-024107.png?inst-v=07fa0a6f-b123-4c6b-81ef-d6cec6796582)
Modify the variables in the script below and then run it in PowerShell to create the custom claims mapping policy:

```powershell
# Application (client) ID of the app registration EzeScan WebApps signs in with
$appID = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
$policyName = "Add extensionAttribute1 to claims"

# Policy definition: keep the basic claim set and add extensionAttribute1 from the user object as a JWT claim
$policyDefinition = @('{
    "ClaimsMappingPolicy": {
        "Version": 1,
        "IncludeBasicClaimSet": "true",
        "ClaimsSchema": [
            {
                "Source": "user",
                "ID": "extensionAttribute1",
                "JwtClaimType": "extensionAttribute1"
            }
        ]
    }
}')

# Locate the service principal (enterprise application) that belongs to the app registration
$sp = Get-AzureADServicePrincipal -Filter "servicePrincipalNames/any(n: n eq '$appID')"
if (-not $sp) {
    throw "No service principal found for app ID '$appID'. Check the client ID and that you are connected to the correct tenant."
}

# A service principal can only have one ClaimsMappingPolicy assigned, so remove any existing one first
$existingPolicies = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId | Where-Object { $_.Type -eq "ClaimsMappingPolicy" }
foreach ($existing in $existingPolicies) {
    Remove-AzureADPolicy -Id $existing.Id
}

# Create the new policy and assign it to the service principal
$policy = New-AzureADPolicy -Type "ClaimsMappingPolicy" -DisplayName $policyName -Definition $policyDefinition
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
Write-Output ("New claims mapping policy '{0}' set for app '{1}'." -f $policy.DisplayName, $sp.DisplayName)
```

$appID should be set to the Application (client) ID of your app registration in Azure AD.

The script has built-in logic to “update” a policy: because a service principal can only have one claims mapping policy assigned at a time, any existing policy of that type is removed before the new one is created and assigned. This discards whatever claims the previous policy mapped, so if you still need them, merge them into $policyDefinition before running the script.
Next, navigate to Azure AD and edit the app registration manifest:
Find the line that says "acceptMappedClaims": null,
and change it to "acceptMappedClaims": true,
Only do this for a single-tenant application. Microsoft warns against setting acceptMappedClaims to true on a multi-tenant app, because it would allow a malicious actor in another tenant to create claims mapping policies for your app; for multi-tenant apps the supported route is a custom signing key instead.
![image-20240523-231539.png](../../__attachments/389414926/image-20240523-231539.png?inst-v=07fa0a6f-b123-4c6b-81ef-d6cec6796582)
Finally, save the manifest and allow some time for the change to propagate in Azure AD. Tokens that were already issued are unaffected, so sign out and sign in again to receive a new token containing the mapped claim.
Test the Claim Mapping Policy
Log in to EzeScan WebApps using Azure AD.
In the top right corner, click the user's display name and select Settings.
![image-20240523-234909.png](../../__attachments/389414926/image-20240523-234909.png?inst-v=07fa0a6f-b123-4c6b-81ef-d6cec6796582)
Click the Claims tab and look for the newly configured claim (extensionAttribute1 in the example script above):
![image-20240523-234804.png](../../__attachments/389414926/image-20240523-234804.png?inst-v=07fa0a6f-b123-4c6b-81ef-d6cec6796582)
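If the claim does not appear in the Claims tab, the following PowerShell is an added example (not part of the original page or the EzeScan product) for narrowing down where the chain breaks. Get-AppClaimsMappingPolicy reads back the policy actually assigned to the app's service principal using the same AzureAD cmdlets the script above uses (run Connect-AzureAD first). Test-MappedClaim decodes a token's payload offline and reports whether the mapped claim is present and non-empty and whether the token was even issued for this app; it deliberately does not verify the signature, so it is a diagnostic aid, not token validation. The sample token and app ID are constructed placeholders; the function names are this example's own.

```powershell
# Added example: two checks for an Azure AD claims mapping policy (assumed names, not EzeScan code).

# Tenant-side check: what ClaimsMappingPolicy is assigned to the app's service principal?
function Get-AppClaimsMappingPolicy {
    param([Parameter(Mandatory)][string]$AppId)
    $sp = Get-AzureADServicePrincipal -Filter "servicePrincipalNames/any(n: n eq '$AppId')"
    if (-not $sp) { throw "No service principal found for app ID '$AppId'." }
    Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
        Where-Object { $_.Type -eq 'ClaimsMappingPolicy' } |
        ForEach-Object {
            # Definition is a list of JSON strings; the policy body sits in the first entry
            $def = ($_.Definition[0] | ConvertFrom-Json).ClaimsMappingPolicy
            [pscustomobject]@{
                PolicyName           = $_.DisplayName
                IncludeBasicClaimSet = $def.IncludeBasicClaimSet
                MappedClaims         = @($def.ClaimsSchema | ForEach-Object { "$($_.ID) -> $($_.JwtClaimType)" })
            }
        }
}

# JWT segments are base64url without padding; restore padding before decoding
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Expected a compact JWT with three dot-separated segments." }
    ConvertFrom-Base64Url -Value $parts[1] | ConvertFrom-Json
}

# Token-side check: is the mapped claim in the token, and is the token for the expected app?
# NOTE: the signature is not checked here; this only inspects the payload.
function Test-MappedClaim {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$ClaimName,
        [Parameter(Mandatory)][string]$ExpectedAudience
    )
    $payload  = Get-JwtPayload -Token $Token
    $problems = @()
    # A token issued for a different audience proves nothing about this app's policy
    if ($payload.aud -ne $ExpectedAudience) {
        $problems += "aud is '$($payload.aud)', expected '$ExpectedAudience'"
    }
    $prop = $payload.PSObject.Properties[$ClaimName]
    if (-not $prop) {
        $problems += "claim '$ClaimName' is missing (policy not assigned, acceptMappedClaims not set, or stale token)"
    } elseif ([string]::IsNullOrEmpty($prop.Value)) {
        $problems += "claim '$ClaimName' is present but empty (attribute not synced or not populated for this user)"
    }
    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Value = $prop.Value; Problems = $problems }
}

# Constructed sample token for demonstration: real base64url JSON header and payload, placeholder signature segment
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$sampleAppId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"   # placeholder, substitute your client ID
$sampleToken = (ConvertTo-Base64Url '{"alg":"RS256","typ":"JWT"}') + '.' +
               (ConvertTo-Base64Url ('{"aud":"' + $sampleAppId + '","upn":"user@domain.com","extensionAttribute1":"Finance"}')) + '.' +
               'signature-placeholder'

Test-MappedClaim -Token $sampleToken -ClaimName 'extensionAttribute1' -ExpectedAudience $sampleAppId

# Against the tenant, after Connect-AzureAD:
# Get-AppClaimsMappingPolicy -AppId $sampleAppId
```

To check a real token, paste the access or ID token issued to EzeScan WebApps into Test-MappedClaim with your app registration's client ID as the audience. A missing claim with a correct audience points at the policy assignment or the manifest; an empty claim points back at the Azure AD Connect sync or the user's on-premises attribute value.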