Commit bdcf7fb

Update claims-mapping.md
1 parent eb2fbc3 commit bdcf7fb

File tree

1 file changed

+12
-1
lines changed

articles/active-directory/external-identities/claims-mapping.md

Lines changed: 12 additions & 1 deletion
@@ -6,7 +6,7 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: B2B
88
ms.topic: conceptual
9-
ms.date: 11/24/2022
9+
ms.date: 08/29/2023
1010

1111
ms.author: cmulligan
1212
author: csmulligan
@@ -32,6 +32,17 @@ There are two possible reasons why you might need to edit the claims that are is
3232

3333
For information about how to add and edit claims, see [Customizing claims issued in the SAML token for enterprise applications in Azure Active Directory](../develop/saml-claims-customization.md).
3434

35+
## UPN claims behavior for B2B users
36+
37+
If you need to issue the UPN value as an application token claim, the actual claim mapping may behave differently for B2B users. If the B2B user authenticates with an external Azure AD identity and you issue user.userprincipalname as the source attribute, Azure AD instead issues the mail attribute.
38+
39+
For example, let’s say you invite an external user whose email is [email protected] and whose identity exists in an external Azure AD tenant. James’ UPN in the inviting tenant is created from the invited email and the inviting tenants original default domain. So let’s say James’ UPN becomes James_contoso.com#EXT#@fabrikam.onmicrosoft.com. For SAML application that issues user.userprincipalname as the NameID, the value passed for James is [email protected].
40+
41+
All [other external identity types](redemption-experience.md#invitation-redemption-flow) such as SAML/WS-Fed, Google, Email OTP issues the UPN value rather than the email value when you issue user.userprincipalname as a claim. If you want the actual UPN to be issued in the token claim for all B2B users, you can set user.localuserprincipalname as the source attribute instead.
42+
43+
[!NOTE]
44+
>The behavior mentioned in this section is same for both cloud-only B2B users and synced users who were [invited/converted to B2B collaboration](invite-internal-users.md).
45+
3546
## Next steps
3647

3748
- For information about B2B collaboration user properties, see [Properties of an Azure Active Directory B2B collaboration user](user-properties.md).
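Review bot: the alert on line 43+ is written as `[!NOTE]` without the leading `>`, so it will not render as a note box and the `>The behavior ...` line after it will render as a plain blockquote; change it to `> [!NOTE]` so the two lines form one alert. A few wording fixes in the new section: "inviting tenants original default domain" should be "inviting tenant's original default domain", "For SAML application" should be "For a SAML application", "All [other external identity types] ... issues the UPN value" should be "issue the UPN value", and "is same for both" should be "is the same for both". The example addresses appear here as "[email protected]"; confirm the source file carries a concrete example address that agrees with the UPN shown on line 39+, James_contoso.com#EXT#@fabrikam.onmicrosoft.com. Since the section states that the same source attribute yields the mail value for one identity type and the UPN for the others, it would help readers to say explicitly that an application using this claim as its NameID should not assume one format across all B2B users and should select user.localuserprincipalname when it needs the UPN consistently; the last sentence of line 41+ already implies this but does not spell out the consequence.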