Reputation: 11
We want to add the device ID to our AAD token for our development environment as an optional claim. Is this possible?
Upvotes: 0
Views: 270
Reputation: 10871
The set of optional claims available by default for applications to use is listed here.
There you can find `ztdid`, which is the device identity used for Windows Autopilot, available as an optional claim in both the v1 and v2 optional claim sets.
If that is not exactly what you are looking for, then it may not be possible with OptionalClaims, as that property is not in that list. In order to include non-basic claims, we need to make use of a claims mapping policy assignment. You have to create a ClaimsMappingPolicy in your Azure AD and assign it to your application. For example, to add the onpremisesaccountname field from an AAD user in addition to the basic claim set in the token, you have to create a policy something like the one below:
```powershell
# Claims mapping policy definition: keep the basic claim set and add the
# user's on-premises sAMAccountName as the "onpremisesaccountname" JWT claim
$policytemplate = @"
{
  "ClaimsMappingPolicy": {
    "Version": 1,
    "IncludeBasicClaimSet": true,
    "ClaimsSchema": [
      { "Source": "user", "ID": "onpremisesaccountname", "JwtClaimType": "onpremisesaccountname" }
    ]
  }
}
"@
# Create the policy in the tenant (not as an organization default); it must still be assigned to the app
New-AzureADPolicy -Definition ($policytemplate) -DisplayName ("Policy_sAMAccountName_" + ([System.Guid]::NewGuid().guid)) -Type "ClaimsMappingPolicy" -IsOrganizationDefault $false
```
And in the app manifest set "acceptMappedClaims" to true.
Note:
- deviceId is restricted only to the JWT token claim set
- Do not set the acceptMappedClaims property to true for multi-tenant apps, which can allow malicious actors to create claims-mapping policies for your app.
Upvotes: 0
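The full procedure the answer describes, as an added example that is not part of the original answer: create the claims mapping policy, assign it to the app's service principal, and verify the assignment, refusing to proceed for a multi-tenant app. It assumes the AzureAD PowerShell module with an active `Connect-AzureAD` session, and that `$appId` is the application (client) ID of a single-tenant development app.

```powershell
# Added example: requires the AzureAD module and a prior Connect-AzureAD.
# $appId is assumed to be the application (client) ID of your dev app.
param([Parameter(Mandatory)][string]$appId)

# Guard: only map claims for single-tenant apps, since acceptMappedClaims must stay
# false on multi-tenant apps (see the note in the answer above)
$app = Get-AzureADApplication -Filter "appId eq '$appId'"
if (-not $app) { throw "No application found with appId $appId" }
if ($app.AvailableToOtherTenants) {
    throw "Refusing to map claims for a multi-tenant app; acceptMappedClaims must remain false."
}

# Same policy as in the answer: basic claim set plus the on-premises sAMAccountName
$policytemplate = @"
{
  "ClaimsMappingPolicy": {
    "Version": 1,
    "IncludeBasicClaimSet": true,
    "ClaimsSchema": [
      { "Source": "user", "ID": "onpremisesaccountname", "JwtClaimType": "onpremisesaccountname" }
    ]
  }
}
"@

$policy = New-AzureADPolicy -Definition @($policytemplate) `
    -DisplayName ("Policy_sAMAccountName_" + [System.Guid]::NewGuid().Guid) `
    -Type "ClaimsMappingPolicy" -IsOrganizationDefault $false

# The policy only takes effect once it is assigned to the app's service principal
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) { throw "No service principal found for appId $appId" }
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id

# Verify: the new policy should now be listed on the service principal
$assigned = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
    Where-Object { $_.Id -eq $policy.Id }
if (-not $assigned) { throw "Policy $($policy.Id) was not assigned to $($sp.DisplayName)" }

Write-Output "Assigned policy $($policy.Id) to '$($sp.DisplayName)'."
Write-Output "Now set acceptMappedClaims to true in the app manifest so the mapped claim is issued."
```

Setting `acceptMappedClaims` is left as the manual manifest edit the answer describes; the script only reports the remaining step.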