Commit 3c41dca

Merge pull request #249730 from Gargi-Sinha/patch-194
Update claims-mapping.md
2 parents c24f9b9 + b02cb8b commit 3c41dca

1 file changed

+11
-2
lines changed

articles/active-directory/external-identities/claims-mapping.md

Lines changed: 11 additions & 2 deletions
@@ -6,7 +6,7 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: B2B
88
ms.topic: conceptual
9-
ms.date: 11/24/2022
9+
ms.date: 08/30/2023
1010

1111
ms.author: cmulligan
1212
author: csmulligan
@@ -32,7 +32,16 @@ There are two possible reasons why you might need to edit the claims that are is
3232

3333
For information about how to add and edit claims, see [Customizing claims issued in the SAML token for enterprise applications in Azure Active Directory](../develop/saml-claims-customization.md).
3434

35-
For B2B collaboration users, mapping NameID and UPN cross-tenant are prevented for security reasons.
35+
## UPN claims behavior for B2B users
36+
37+
If you need to issue the UPN value as an application token claim, the actual claim mapping may behave differently for B2B users. If the B2B user authenticates with an external Azure AD identity and you issue user.userprincipalname as the source attribute, Azure AD instead issues the mail attribute.
38+
39+
For example, let’s say you invite an external user whose email is `[email protected]` and whose identity exists in an external Azure AD tenant. James’ UPN in the inviting tenant is created from the invited email and the inviting tenant's original default domain. So, let’s say James’ UPN becomes `James_contoso.com#EXT#@fabrikam.onmicrosoft.com`. For the SAML application that issues user.userprincipalname as the NameID, the value passed for James is `[email protected]`.
40+
41+
All [other external identity types](redemption-experience.md#invitation-redemption-flow) such as SAML/WS-Fed, Google, Email OTP issues the UPN value rather than the email value when you issue user.userprincipalname as a claim. If you want the actual UPN to be issued in the token claim for all B2B users, you can set user.localuserprincipalname as the source attribute instead.
42+
43+
>[!NOTE]
44+
>The behavior mentioned in this section is same for both cloud-only B2B users and synced users who were [invited/converted to B2B collaboration](invite-internal-users.md).
3645
3746
## Next steps
3847
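Review bot: The removed line ("mapping NameID and UPN cross-tenant are prevented for security reasons") was the only place that told the reader this substitution is deliberate; the new section describes the mail-for-UPN behavior without saying why it happens, so a reader may file it as a bug. Suggest keeping one sentence in the new "UPN claims behavior for B2B users" section stating that cross-tenant NameID/UPN mapping is blocked by design and that the mail attribute is issued instead. Second, the section itself shows that the same source attribute (user.userprincipalname) yields a mail value for external Azure AD identities and a UPN value for SAML/WS-Fed, Google and Email OTP identities; an explicit caveat that applications using NameID for authorization must not assume one identifier format across B2B users would make the security implication clear, since user.localuserprincipalname is only mentioned as the alternative for getting the actual UPN. Finally, two grammar fixes in the added lines: "All other external identity types ... issues the UPN value" should read "issue the UPN value", and "is same for both cloud-only B2B users" should read "is the same for both".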
