...

Microsoft API: Microsoft Graph

Permission type: Delegated permissions

Permissions:

  • openid

  • profile

  • Mail.Read (scroll down and expand the Mail section to select this permission)

  • User.Read (scroll down and expand the User section to select this permission)

Add the “onpremisessamaccountname” claim mapping

This step is only required when on-premises AD user login is used to enable automatic user mapping for source systems, e.g. SAP with SNC. The onpremisessamaccountname claim is only populated for users synchronised from on-premises AD. Please refer to https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping and https://devblogs.microsoft.com/premier-developer/adding-user-optional-and-mapped-claims-in-the-azure-ad-authentication-token/ for more detail.

Description / Instruction

Modify the App Registration Manifest JSON so that it contains the following setting (a ClaimsMappingPolicy is only honoured when this is true or the app uses a custom signing key; otherwise token requests for the app fail):

"acceptMappedClaims": true,

Run the following PowerShell command (AzureAD module, after Connect-AzureAD) to create the policy:

New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema":[{"Source":"user","ID":"onpremisessamaccountname","JwtClaimType":"onpremisessamaccountname"}]}}') -DisplayName "ExtraClaimsSAMAccountName" -Type "ClaimsMappingPolicy"

Run the following PowerShell command to get the service principal for the registered OneList application (note the App Id must be quoted inside the OData filter):

Get-AzureADServicePrincipal -Filter "servicePrincipalNames/any(n: n eq '<the OneList App Id>')"

Run the following PowerShell command to assign the policy to the service principal, using the ObjectId returned by the previous command and the Id of the policy created above:

Add-AzureADServicePrincipalPolicy -Id <ObjectId of the ServicePrincipal> -RefObjectId <ObjectId of the Policy>
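The three PowerShell steps above, combined into one idempotent script with the checks a practitioner would want before touching a production tenant. This is an added example, not part of the original page or OneList's own tooling. The application ID, the policy display name and the helper names (Get-JwtClaims, Test-OnPremSamClaim) are placeholders and assumptions; the manifest setting "acceptMappedClaims": true still has to be made in the App Registration as described above. The AzureAD module used here (and by the page) is deprecated by Microsoft in favour of Microsoft Graph PowerShell, but the cmdlets below are the ones the procedure cites.

```powershell
# Added example (not from the original page): end-to-end claims-mapping setup
# using the AzureAD module cmdlets the procedure above refers to.
# ASSUMPTIONS: $AppId is a placeholder for the OneList App (client) ID; the
# session runs as an Application or Global Administrator; AzureAD module is
# installed (Install-Module AzureAD). The manifest change
# ("acceptMappedClaims": true) is done in the portal, not by this script.

$AppId      = '00000000-0000-0000-0000-000000000000'   # placeholder, replace
$PolicyName = 'ExtraClaimsSAMAccountName'

Connect-AzureAD | Out-Null

# 1. Create the ClaimsMappingPolicy, but only once: New-AzureADPolicy happily
#    creates a second policy with the same display name if re-run.
$definition = '{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true",' +
    '"ClaimsSchema":[{"Source":"user","ID":"onpremisessamaccountname",' +
    '"JwtClaimType":"onpremisessamaccountname"}]}}'

$policy = Get-AzureADPolicy |
    Where-Object { $_.Type -eq 'ClaimsMappingPolicy' -and $_.DisplayName -eq $PolicyName }
if (-not $policy) {
    $policy = New-AzureADPolicy -Definition @($definition) -DisplayName $PolicyName -Type 'ClaimsMappingPolicy'
}

# 2. Resolve the service principal. Filtering on appId is unambiguous; the
#    servicePrincipalNames/any(...) filter from the page works too as long as
#    the App Id literal is wrapped in single quotes.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) {
    throw "No service principal for appId $AppId in this tenant; check the App Id."
}

# 3. Assign the policy. A service principal can carry only one
#    ClaimsMappingPolicy, so refuse to silently stack a second one.
$current = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
    Where-Object { $_.Type -eq 'ClaimsMappingPolicy' }
if ($current -and $current.Id -ne $policy.Id) {
    throw "Service principal already has ClaimsMappingPolicy '$($current.DisplayName)' ($($current.Id)); remove it with Remove-AzureADServicePrincipalPolicy first."
}
if (-not $current) {
    Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
}

# 4. Show what is now attached to the service principal.
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId | Select-Object DisplayName, Type, Id

# 5. Verification helpers (hypothetical names): after a synchronised user signs
#    in to the app, paste the issued token to confirm the claim is present.
function Get-JwtClaims {
    param([Parameter(Mandatory)][string]$Jwt)
    # Decode only the payload segment; no signature check, inspection only.
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

function Test-OnPremSamClaim {
    param([Parameter(Mandatory)][string]$Jwt)
    $claims = Get-JwtClaims -Jwt $Jwt
    if ($claims.onpremisessamaccountname) {
        "onpremisessamaccountname = $($claims.onpremisessamaccountname)"
    } else {
        'Claim missing: check acceptMappedClaims in the manifest, that the policy is assigned to this app''s service principal, and that the test user is synced from on-premises AD.'
    }
}
# Usage: Test-OnPremSamClaim -Jwt '<id or access token copied from a sign-in>'
```

If token requests start failing with AADSTS50146 after the policy is assigned, the manifest step was skipped: Azure AD refuses to issue tokens for an app that has a claims-mapping policy but neither acceptMappedClaims nor an application-specific signing key.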

...