
I use Azure AD to implement auth^2.

When I use an access token from a user I get a claim such as unique_name or upn which contains a user identifier I can use to log into the DB for logging/tracking/auditing.

If I use an App Registration as a service principal with the Client Credential flow, however, the access token does not contain any claim with the App Registration name. The closest thing is the azp, which contains the UUID of the App Registration. It is, however, a bit hard to read and it would be nice to somehow get the name of the App Registration in the claims for logging/tracking/auditing purposes.

Is there any way to do this?

gedemagt

1 Answer

I tried to reproduce the same in my environment and got the results like below:

I generated the access token using the parameters below:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:ClientID
client_secret:ClientSecret
scope:https://graph.microsoft.com/.default
grant_type:client_credentials


However, the access token does not contain any claim with the App Registration name.

Note that, by default, the access token will contain the App Name and App ID.

When I decoded the access token, the App Name and App ID were present like below:

Hence there is no need to create custom claims for App Name and App ID.

It is not possible to add custom claims while using client credential flow.

I created a custom claim like below:

New-AzureADPolicy -Definition @('
{
    "ClaimsMappingPolicy":
    {
        "Version":1,"IncludeBasicClaimSet":"true", 
        "ClaimsSchema": [{"Source":"user","ID":"extensionattribute1","SamlClaimType":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/appname","JwtClaimType":"appname"}]
    }
}') -DisplayName "appname" -Type "ClaimsMappingPolicy"


Add-AzureADServicePrincipalPolicy -Id d53b9689-3c0d-4c39-ae6d-efd733e10776 -RefObjectId fd49e655-b790-4368-b9d9-1cf09fda1ba2

Get-AzureADServicePrincipalPolicy -Id d53b9689-3c0d-4c39-ae6d-efd733e10776


I assigned the value to the claim like below:

PATCH https://graph.microsoft.com/v1.0/me
{
"onPremisesExtensionAttributes": 
    {
        "extensionAttribute1": "testclaim"
    }
}

Now, when I generated the access token using the Authorization Code Flow, I got the claim successfully like below:

Rukmini
  • Thanks for the very detailed answer. If I use the graph-api scope, I can get the same result as you - namely that both app_name and appid are included in the token. However, if I use another scope, i.e. a scope from the backend app registration (api:///.default), it is not included. Do I need to add some delegated scope from the Graph API to make it be included? – gedemagt Mar 24 '23 at 12:34
  • Yeah, for that you have to use a delegated scope and the delegated flow too. – Rukmini Mar 24 '23 at 12:36
  • Okay - just for my understanding: Why? Doesn't it more or less correspond to including the name of the user, if the token was acquired in a user-context? The service-principal is not, as such, getting the token on behalf of anything - just itself. – gedemagt Mar 24 '23 at 13:06
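As an added example (not code from the question or the answer above), this is what the backend API can do on its own side for the audit log: after the token has passed normal validation, use upn/unique_name for user tokens and, for client-credential tokens, resolve the azp (v2.0) or appid (v1.0) client id against a local registry of known client ids, which doubles as an allow list. The client id, registry entry, audience and user values are constructed samples.

```python
import base64
import json

# Registry of service principals this API accepts, keyed by client id (azp/appid).
# Constructed sample entry; in production this comes from configuration.
KNOWN_CLIENTS = {
    "11111111-2222-3333-4444-555555555555": "nightly-report-job",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unsigned_token(payload: dict) -> str:
    """Build an unsigned JWT-shaped string for the constructed samples below."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}."


def payload_claims(token: str) -> dict:
    """Decode the payload segment only. This does NOT validate the token:
    signature, issuer, audience and expiry must be checked by the normal
    token-validation step before these claims are used for anything."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def audit_principal(claims: dict, known_clients: dict = KNOWN_CLIENTS) -> dict:
    """Derive a readable identity for audit logging from validated claims.
    User tokens carry upn/unique_name; client-credential tokens carry only
    the client id (azp in v2.0 tokens, appid in v1.0 tokens), so the name
    is resolved from the local registry. Unregistered client ids are rejected."""
    for claim in ("upn", "unique_name"):
        if claim in claims:
            return {"kind": "user", "id": claims[claim], "name": claims[claim]}
    app_id = claims.get("azp") or claims.get("appid")
    if app_id is None:
        raise ValueError("token carries neither a user nor an app identity claim")
    # A mapped claim such as the answer's "appname" takes precedence when present.
    name = claims.get("appname") or known_clients.get(app_id)
    if name is None:
        raise ValueError(f"unregistered client id {app_id}")
    return {"kind": "app", "id": app_id, "name": name}


# Constructed sample tokens (not real Azure AD tokens).
APP_TOKEN = unsigned_token({"aud": "api://backend", "azp": "11111111-2222-3333-4444-555555555555"})
USER_TOKEN = unsigned_token({"aud": "api://backend", "upn": "alice@contoso.example"})
```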