articles/active-directory/develop/active-directory-optional-claims.md
9 additions & 8 deletions
@@ -9,7 +9,7 @@ ms.service: active-directory
9
9
ms.subservice: develop
10
10
ms.topic: conceptual
11
11
ms.workload: identity
12
-
ms.date: 12/08/2019
12
+
ms.date: 3/11/2020
13
13
ms.author: ryanwi
14
14
ms.reviewer: paulgarn, hirsin, keyam
15
15
ms.custom: aaddev
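Review bot: The new `ms.date: 3/11/2020` drops the zero-padded month used by the value it replaces (`12/08/2019`); write it as `03/11/2020` so the front-matter keeps a single date format.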
@@ -81,10 +81,10 @@ These claims are always included in v1.0 Azure AD tokens, but not included in v2
81
81
|`pwd_exp`| Password Expiration Time | The datetime at which the password expires. ||
82
82
|`pwd_url`| Change Password URL | A URL that the user can visit to change their password. ||
83
83
|`in_corp`| Inside Corporate Network | Signals if the client is logging in from the corporate network. If they're not, the claim isn't included. | Based off of the [trusted IPs](../authentication/howto-mfa-mfasettings.md#trusted-ips) settings in MFA. |
84
-
|`nickname`| Nickname | An additional name for the user. The nickname is separate from first or last name. |
85
-
|`family_name`| Last Name | Provides the last name, surname, or family name of the user as defined in the user object. <br>"family_name":"Miller" | Supported in MSA and Azure AD |
86
-
|`given_name`| First name | Provides the first or "given" name of the user, as set on the user object.<br>"given_name": "Frank" | Supported in MSA and Azure AD |
87
-
|`upn`| User Principal Name | An identifer for the user that can be used with the username_hint parameter. Not a durable identifier for the user and should not be used to key data. | See [additional properties](#additional-properties-of-optional-claims) below for configuration of the claim. |
84
+
|`nickname`| Nickname | An additional name for the user. The nickname is separate from first or last name. Requires the `profile` scope.|
85
+
|`family_name`| Last Name | Provides the last name, surname, or family name of the user as defined in the user object. <br>"family_name":"Miller" | Supported in MSA and Azure AD. Requires the `profile` scope.|
86
+
|`given_name`| First name | Provides the first or "given" name of the user, as set on the user object.<br>"given_name": "Frank" | Supported in MSA and Azure AD . Requires the `profile` scope.|
87
+
|`upn`| User Principal Name | An identifer for the user that can be used with the username_hint parameter. Not a durable identifier for the user and should not be used to key data. | See [additional properties](#additional-properties-of-optional-claims) below for configuration of the claim. Requires the `profile` scope.|
88
88
89
89
### Additional properties of optional claims
90
90
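Review bot: The `profile` scope requirement is placed inconsistently across the four rewritten rows: for `family_name`, `given_name` and `upn` it goes in the last (notes) column, but for `nickname` it is appended to the description cell, and that row still has one cell fewer than its neighbours. Move the text into a fourth cell (`| Requires the profile scope. |`) so the table renders evenly. Since the diff already rewrites these lines, also drop the stray space in `Azure AD . Requires` on the `given_name` row and fix the pre-existing `identifer` typo on the `upn` row.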
@@ -113,13 +113,14 @@ Some optional claims can be configured to change the way the claim is returned.
113
113
}
114
114
```
115
115
116
-
This OptionalClaims object causes the ID token returned to the client to include another upn with the additional home tenant and resource tenant information. The `upn` claim is only changed in the token if the user is a guest in the tenant (that uses a different IDP for authentication).
116
+
This OptionalClaims object causes the ID token returned to the client to include a upn claim with the additional home tenant and resource tenant information. The `upn` claim is only changed in the token if the user is a guest in the tenant (that uses a different IDP for authentication).
117
117
118
118
## Configuring optional claims
119
119
120
120
> [!IMPORTANT]
121
121
> Access tokens are **always** generated using the manifest of the resource, not the client. So in the request `...scope=https://graph.microsoft.com/user.read...` the resource is the Microsoft Graph API. Thus, the access token is created using the Microsoft Graph API manifest, not the client's manifest. Changing the manifest for your application will never cause tokens for the Microsoft Graph API to look different. In order to validate that your `accessToken` changes are in effect, request a token for your application, not another app.
122
122
123
+
123
124
You can configure optional claims for your application through the UI or application manifest.
124
125
125
126
1. Go to the [Azure portal](https://portal.azure.com). Search for and select **Azure Active Directory**.
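Review bot: In the rewritten sentence, `a upn claim` leaves the claim name in plain text while the next sentence writes it as `upn` in code font; use the code-font form in both places. The added blank line after the `[!IMPORTANT]` block is a good change, as that block is the one place the page states that access tokens are built from the resource's manifest, not the client's, and separating it from the procedure that follows keeps that validation point visible.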
@@ -203,7 +204,7 @@ If supported by a specific claim, you can also modify the behavior of the Option
203
204
|`additionalProperties`| Collection (Edm.String) | Additional properties of the claim. If a property exists in this collection, it modifies the behavior of the optional claim specified in the name property. |
In addition to the standard optional claims set, you can also configure tokens to include extensions. This feature is useful for attaching additional user information that your app can use – for example, an additional identifier or important configuration option that the user has set. See the bottom of this page for an example.
207
+
In addition to the standard optional claims set, you can also configure tokens to include extensions. For more info, see [the Microsoft Graph extensionProperty documentation](https://docs.microsoft.com/graph/api/resources/extensionproperty?view=graph-rest-1.0) - note that schema and open extensions are not supported by optional claims, only the AAD-Graph style directory extensions. This feature is useful for attaching additional user information that your app can use – for example, an additional identifier or important configuration option that the user has set. See the bottom of this page for an example.
207
208
208
209
> [!NOTE]
209
210
> - Directory schema extensions are an Azure AD-only feature, so if your application manifest requests a custom extension and an MSA user logs into your app, these extensions will not be returned.
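Review bot: The inserted clause `- note that schema and open extensions are not supported by optional claims, only the AAD-Graph style directory extensions` turns one sentence into a run-on joined by a bare hyphen, and it overlaps with the `[!NOTE]` block directly below, which already calls out directory schema extensions as Azure AD-only. Either make it its own sentence (`Schema and open extensions are not supported by optional claims; only AAD-Graph style directory extensions are.`) or add it as a second bullet under that note so both caveats about extensions sit together. Also consider whether the `?view=graph-rest-1.0` query string is needed on the Graph docs link; the other documentation links visible in this diff are plain relative paths without a version parameter.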
@@ -265,7 +266,7 @@ This section covers the configuration options under optional claims for changing
265
266
If you want to groups in the token to contain the on premises AD group attributes in the optional claims section specify which token type optional claim should be applied to, the name of optional claim requested and any additional properties desired. Multiple token types can be listed:
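Review bot: The context line `If you want to groups in the token to contain the on premises AD group attributes` is missing a word and a hyphen (`If you want groups in the token to contain the on-premises AD group attributes`); since this hunk already edits the surrounding paragraph, fix it in the same commit rather than leaving it for a later pass.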