
Map extensionAttribute via Custom Claims Mapping policies

Some organisations make use of the extensionAttributes (extensionAttribute1 to extensionAttribute15) in on-premises Active Directory.


In order to make use of these attributes in EzeScan WebApps there is some configuration that must be completed.

Sync the attributes to Azure AD

In Microsoft Azure Active Directory Connect select the “Customize synchronization options” option.


In the Optional Features section ensure you have enabled “Directory extension attribute sync”.


On the Directory Extensions screen select the attributes you wish to sync.


Save this setting and then on the next sync interval the attributes should be synced to Azure AD.

Configure a Custom Claims Mapping policy

Install the AzureADPreview PowerShell module and then connect to Azure AD using an account that holds an Azure AD administrator role able to create policies and edit the app registration (for example Global Administrator). Note that a Domain Admin account in on-premises Active Directory has no rights in Azure AD by itself.

Install-Module "AzureADPreview"

Import-Module "AzureADPreview"

Connect-AzureAD


Check that the extension attribute is being synced to Azure AD for a test user with the following command (pass the user's UPN or object ID; the value returned should match what is set in on-premises AD):

Get-AzureADUserExtension -ObjectId ""   # UPN or object ID of a synced user


Modify the variables in the script below and then run it in PowerShell to create the custom claim mapping:

$appID = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"   # Application (client) ID of the app registration
$policyName = "Add extensionAttribute1 to claims"
$policyDefinition = @('{
    "ClaimsMappingPolicy": {
        "Version": 1,
        "IncludeBasicClaimSet": "true",
        "ClaimsSchema": [
            {
                "Source": "user",
                "ID": "extensionAttribute1",
                "JwtClaimType": "extensionAttribute1"
            }
        ]
    }
}')

# Find the service principal (enterprise application) that belongs to the app registration
$sp = Get-AzureADServicePrincipal -Filter "servicePrincipalNames/any(n: n eq '$appID')"
if (-not $sp) { throw "No service principal found for app ID $appID" }

# Remove any claims mapping policy already assigned, so re-running the script replaces it
$existingPolicies = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId | Where-Object { $_.Type -eq "ClaimsMappingPolicy" }
if ($existingPolicies) {
    $existingPolicies | ForEach-Object { Remove-AzureADPolicy -Id $_.Id }
}

# Create the new policy and assign it to the service principal
$policy = New-AzureADPolicy -Type "ClaimsMappingPolicy" -DisplayName $policyName -Definition $policyDefinition
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
Write-Output ("New claims mapping policy '{0}' set for app '{1}'." -f $policy.DisplayName, $sp.DisplayName)

$appID must be set to the Application (client) ID of your app registration in Azure AD; the script uses it to look up the matching service principal.

The script has built-in logic to "update" the policy: if a ClaimsMappingPolicy is already assigned to the service principal it is removed and then recreated from the definition above. Be aware that Remove-AzureADPolicy deletes the policy object itself, so if the same policy object was also assigned to other service principals they lose it as well.

Next navigate to Azure AD and edit the app registration manifest:

Find the line that says "acceptMappedClaims": null, and change it to "acceptMappedClaims": true,

This setting tells Azure AD to include mapped claims in tokens issued to this app without requiring a custom signing key. Only set it on a single-tenant app registration: Microsoft warns against enabling acceptMappedClaims for multi-tenant apps, because it would allow a malicious actor in another tenant to create claims mapping policies for your app.

Finally save the manifest and allow some time for the change to propagate in Azure AD before testing.
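Before testing through the application itself, the policy assignment and the issued token can be checked from PowerShell. The script below is an added example and is not part of the original article or of EzeScan's own tooling; it assumes the AzureADPreview module is loaded, Connect-AzureAD has already been run, and $appID and $claimName match the values used in the policy script above. The token decoder only reads the payload and does not validate the signature, so it is an inspection aid, not a trust decision.

```powershell
# Added verification script (not part of the original article).
$appID     = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"   # Application (client) ID, same as in the policy script
$claimName = "extensionAttribute1"                     # JwtClaimType configured in the policy

# 1. Confirm a ClaimsMappingPolicy is attached to the service principal and that it emits the claim
$sp = Get-AzureADServicePrincipal -Filter "servicePrincipalNames/any(n: n eq '$appID')"
if (-not $sp) { throw "No service principal found for app ID $appID" }

$policies = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
    Where-Object { $_.Type -eq "ClaimsMappingPolicy" }
if (-not $policies) { throw "No ClaimsMappingPolicy is assigned to '$($sp.DisplayName)'" }

foreach ($p in $policies) {
    # Definition is a list of JSON strings; parse the first entry and list the mapped JWT claim types
    $def    = $p.Definition[0] | ConvertFrom-Json
    $mapped = @($def.ClaimsMappingPolicy.ClaimsSchema | ForEach-Object { $_.JwtClaimType })
    Write-Output ("Policy '{0}' maps: {1}" -f $p.DisplayName, ($mapped -join ", "))
    if ($mapped -notcontains $claimName) {
        Write-Warning "Policy '$($p.DisplayName)' does not emit '$claimName'"
    }
}

# 2. Decode a token captured after signing in and check that the claim is present.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -ne 3) { throw "Not a compact-serialised JWT (expected header.payload.signature)" }
    # Convert base64url to standard base64: swap the alphabet and restore padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

# Paste the id_token (or access token) issued for the app; this decodes the payload only
# and does NOT verify the signature, so use it for inspection, not for authorisation.
$token = Read-Host "Paste token to inspect (leave blank to skip)"
if ($token) {
    $payload = ConvertFrom-JwtPayload -Jwt $token
    if ($payload.PSObject.Properties.Name -contains $claimName) {
        Write-Output ("{0} = {1}" -f $claimName, $payload.$claimName)
    } else {
        Write-Warning "Claim '$claimName' not present; check acceptMappedClaims and allow time for propagation"
    }
}
```

If the policy lists the claim but the decoded token does not contain it, the usual causes are the manifest change not yet being applied, a token issued before the policy took effect, or the attribute being empty for that user in on-premises AD.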

Test the Claim Mapping Policy

Log into EzeScan WebApps using Azure AD.

In the top right corner click the user's display name and select Settings.


Click on the Claims tab and then look for the newly configured claim:

