Enhancing Azure AD JWT Tokens with On-premises sAMAccountName Claims
The Problem: You need to include the on-premises sAMAccountName in the JWT token generated by Azure Active Directory (Azure AD). This is crucial for applications that rely on this attribute for authentication or authorization, especially when integrating with on-premises systems.
Rephrasing the Problem: Imagine you have a user directory in your company that uses the sAMAccountName to identify users. You want to use this same identifier when your users access applications in Azure AD. How do you get this information into the JWT token Azure AD generates?
Scenario and Original Code:
Let's assume you're using Azure AD Connect to synchronize users from an on-premises Active Directory to Azure AD. The sAMAccountName attribute is synchronized but not automatically included in the JWT token.
Here's a simplified example of a JWT token generated by Azure AD:
{
    "iss": "https://sts.windows.net/<tenantID>",
    "sub": "some_user_id",
    "aud": "some_application_id",
    "exp": 1678819200,
    "iat": 1678815600,
    "nbf": 1678815600,
    "name": "John Doe",
    "preferred_username": "john.doe",
    "email": "[email protected]",
    "oid": "some_object_id",
    "tid": "some_tenant_id"
}
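To show what the consuming application should do with the new claim, here is an added example in Python (not code from the original page). It builds a constructed, HMAC-signed token carrying the same claim set as above plus sAMAccountName, and only reads that claim after the signature, issuer, audience and lifetime have been checked, since an unverified claim is just attacker-controllable input. Real Azure AD tokens are RS256-signed with keys published at the tenant's JWKS endpoint; the HS256 secret, the expected issuer and audience values, and the sample claim values are assumptions so the code runs offline with the standard library.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret. Azure AD signs with RS256 and publishes its public keys at the
# tenant JWKS endpoint; HS256 is used here only so the example runs offline.
DEMO_SECRET = b"constructed-demo-secret"
EXPECTED_ISSUER = "https://sts.windows.net/<tenantID>"   # placeholder tenant, as on the page
EXPECTED_AUDIENCE = "some_application_id"                 # placeholder app id, as on the page


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a constructed HS256 JWT so the verifier below has input to work on."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_and_get_claims(token: str, secret: bytes = DEMO_SECRET,
                          now: Optional[int] = None) -> dict:
    """Verify signature, lifetime, issuer and audience before returning the claim set."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Pin the algorithm; never let the token choose how it is verified.
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("unexpected audience")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token not valid at this time")
    return claims


def on_prem_account(token: str, **kw) -> str:
    """Return the sAMAccountName claim; raise if the token is untrustworthy or lacks it."""
    claims = verify_and_get_claims(token, **kw)
    try:
        return claims["sAMAccountName"]
    except KeyError:
        raise KeyError("sAMAccountName claim missing: check the optional claim and sync mapping")


# Constructed sample claim set mirroring the page's example token, plus the new claim.
SAMPLE_CLAIMS = {
    "iss": EXPECTED_ISSUER, "sub": "some_user_id", "aud": EXPECTED_AUDIENCE,
    "exp": 1678819200, "iat": 1678815600, "nbf": 1678815600,
    "name": "John Doe", "preferred_username": "john.doe",
    "sAMAccountName": "jdoe",
}

if __name__ == "__main__":
    print(on_prem_account(make_token(SAMPLE_CLAIMS), now=1678816000))
```

The missing-claim branch is the one to watch after rolling out the change: if `on_prem_account` raises `KeyError` for a freshly issued token, the optional claim or the Azure AD Connect mapping is not in effect yet, and the application should fail closed rather than fall back to another identifier.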
Analysis and Insights:
To add the sAMAccountName claim to the JWT token, you need to configure Azure AD Connect to include this attribute in the user object's schema during synchronization. This involves modifying the schema extension attribute and mapping it to the sAMAccountName attribute in Active Directory.
Steps to Add the sAMAccountName Claim:
- Identify the Schema Extension Attribute: Find the existing schema extension attribute that is used to synchronize the sAMAccountName from Active Directory to Azure AD. This attribute is typically named extensionAttribute1 to extensionAttribute15.
- Configure Azure AD Connect: In the Azure AD Connect synchronization service, modify the mapping between the sAMAccountName attribute in Active Directory and the schema extension attribute. This ensures the sAMAccountName value is populated in the extension attribute during synchronization.
- Modify Azure AD Application Manifest: In the manifest of the Azure AD application that generates the JWT token, include the sAMAccountName claim by adding a new entry under "optionalClaims", alongside the "accessTokenAcceptedVersion" setting.
Here's an example of the modification:
"accessTokenAcceptedVersion": 2,
"optionalClaims": {
    "idToken": [
        { "name": "sAMAccountName", "source": "user", "essential": false, "additionalProperties": [] }
    ],
    "accessToken": [
        { "name": "sAMAccountName", "source": "user", "essential": false, "additionalProperties": [] }
    ],
    "saml": []
}
Example:
Let's say the schema extension attribute for sAMAccountName is extensionAttribute1. You would modify the synchronization rule in Azure AD Connect to map sAMAccountName to extensionAttribute1. Then, you would include the sAMAccountName claim in the application manifest with source set to user and essential set to false.
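The manifest step above is the part of the procedure that can be scripted and checked. The following is an added Python example, not code from the original page or from Microsoft: it takes the downloaded manifest JSON, inserts the claim entry from the page (name sAMAccountName, source user, essential false) into the idToken and accessToken lists without creating duplicates, and offers a check you can run on the saved manifest afterwards. The sample manifest and its appId are constructed placeholders.

```python
import copy
import json

# Optional claim entry as given on the page; "additionalProperties" is the manifest
# schema's remaining field and is left empty.
SAM_ACCOUNT_CLAIM = {
    "name": "sAMAccountName",
    "source": "user",
    "essential": False,
    "additionalProperties": [],
}

TOKEN_TYPES = ("idToken", "accessToken", "saml")


def add_optional_claim(manifest: dict, claim: dict = SAM_ACCOUNT_CLAIM,
                       token_types=("idToken", "accessToken")) -> dict:
    """Return a copy of the manifest with `claim` present for each requested token type.

    Re-running it is safe: an entry with the same name is not added twice.
    """
    result = copy.deepcopy(manifest)
    optional = result.get("optionalClaims")
    if optional is None:
        optional = {}
    if not isinstance(optional, dict):
        raise ValueError('"optionalClaims" must be an object keyed by idToken/accessToken/saml')
    for token_type in TOKEN_TYPES:
        optional.setdefault(token_type, [])
    for token_type in token_types:
        if token_type not in TOKEN_TYPES:
            raise ValueError(f"unknown token type {token_type!r}")
        if not any(entry.get("name") == claim["name"] for entry in optional[token_type]):
            optional[token_type].append(copy.deepcopy(claim))
    result["optionalClaims"] = optional
    return result


def has_optional_claim(manifest: dict, name: str, token_type: str) -> bool:
    """Check whether the manifest requests claim `name` for the given token type."""
    entries = (manifest.get("optionalClaims") or {}).get(token_type, [])
    return any(entry.get("name") == name for entry in entries)


# Constructed minimal manifest, standing in for one downloaded before the change.
SAMPLE_MANIFEST_JSON = json.dumps({
    "appId": "<placeholder-app-id>",
    "accessTokenAcceptedVersion": 2,
    "optionalClaims": None,
})


def update_manifest_text(manifest_json: str) -> str:
    """Apply the change to manifest text so it can be pasted back into the manifest editor."""
    updated = add_optional_claim(json.loads(manifest_json))
    return json.dumps(updated, indent=4)


if __name__ == "__main__":
    print(update_manifest_text(SAMPLE_MANIFEST_JSON))
```

Running `has_optional_claim` against the manifest as re-downloaded after saving is a cheap post-change check; the claim showing up in an issued token (see the verification example earlier) is the definitive one.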
Benefits:
Adding the sAMAccountName claim to the JWT token can provide significant advantages:
- Simplified Integration: Applications relying on the sAMAccountName for authentication or authorization can seamlessly access user information from Azure AD without requiring additional lookups.
- Enhanced Security: It reduces the need for storing and managing sensitive user information within applications, improving security by centralizing user data in Azure AD.
- Improved Compatibility: It facilitates seamless integration with existing systems that rely on the sAMAccountName for user identification.
Additional Value:
To ensure a smooth transition, it's essential to thoroughly test the changes after configuring Azure AD Connect and modifying the application manifest. Additionally, consider the impact on your existing applications and users.
Conclusion:
By including the sAMAccountName claim in the JWT token, you can streamline integration with on-premises systems, enhance security, and improve application compatibility. This simple yet effective approach ensures a smoother transition when integrating with Azure AD.