
Adding a Custom Attribute in Azure

In this documentation, we will show how to add the sAMAccountName property to the token sent to Wikit for authentication. You can change the property to one that suits you.

📘 Technical Documentation – Adding sAMAccountName via OIDC Azure AD

1. Configuring the sAMAccountName Claim

A. Via the Azure portal (Enterprise or App registrations)

  1. Log in to the Azure Portal → Azure AD.
  2. Go to Enterprise Applications (or App registrations as appropriate) then select your application.
  3. Go to Single sign-on → Attributes & Claims.
  4. Click on Edit → Add new claim and configure:
    • Name: sAMAccountName (or other)
    • Source: user
    • Source attribute: onPremisesSamAccountName (or other)
  5. Click on Save.

2. Enabling acceptMappedClaims and token version

  1. Still in App registrations → select your application → Manifest tab.

  2. Update this property:

    json
    {
      "acceptMappedClaims": true
    }
    • acceptMappedClaims tells Azure AD to include the mapped claims in the tokens it issues for this application; the token version setting (accessTokenAcceptedVersion) is covered under Notes & Best Practices
  3. Save the manifest.

3. (Optional) PowerShell Method – Claims Mapping Policy

For advanced management or multi-tenant scenarios:

powershell
# Create a claims mapping policy that maps the on-premises
# sAMAccountName attribute to a JWT claim named "samAccountName"
$policy = New-AzureADPolicy -Definition @('{
 "ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true",
  "ClaimsSchema":[
    {"Source":"user","ID":"onpremisessamaccountname","JwtClaimType":"samAccountName"}
  ]
 }
}') -DisplayName "CustomSAM" -Type "ClaimsMappingPolicy"

# Attach the policy to the service principal of your application
# (replace <ServicePrincipal_ObjectID> with its Object ID)
Add-AzureADServicePrincipalPolicy -Id <ServicePrincipal_ObjectID> -RefObjectId $policy.Id

This provides finer control over the sAMAccountName claim (Azure Documentation, Microsoft Learn).

4. Testing the configuration via jwt.ms

  1. In App registrations → your application → Authentication tab.

  2. Under Redirect URIs, add the URI (the redirect_uri used in the request of step 4):

    https://jwt.ms

  3. Save.

  4. Request an ID token via browser with an OIDC URL:

    https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/authorize?
      client_id=<CLIENT_ID>&response_type=id_token&
      redirect_uri=https%3A%2F%2Fjwt.ms&
      scope=openid%20profile&response_mode=fragment&state=123&nonce=678

    ⚠️ replace TENANT_ID with your tenant ID and CLIENT_ID with the application (client) ID of your app registration

  5. After authentication, jwt.ms will display the decoded token. Verify the presence of "sAMAccountName": "<user>".

  6. Once testing is complete, you can remove the jwt.ms redirect URI by returning to the menu:

    App registrations → your application → Authentication tab.
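To check the result of step 5 without pasting the token into a browser, here is an added Python example (it is not part of this documentation, nor Wikit's or Microsoft's code) that builds the authorize URL of step 4 from a tenant ID and client ID, then parses the fragment returned to the redirect URI and decodes the id_token payload to look for the sAMAccountName claim. The token it uses is a constructed, unsigned sample; the decoder deliberately skips signature validation, exactly as jwt.ms does for inspection, so it is a diagnostic tool and must never be used to trust a token inside an application.

```python
import base64
import json
from urllib.parse import parse_qs, quote, urlencode

AUTHORITY = "https://login.microsoftonline.com"


def build_authorize_url(tenant_id: str, client_id: str,
                        redirect_uri: str = "https://jwt.ms",
                        state: str = "123", nonce: str = "678") -> str:
    """Build the OIDC authorize URL of step 4. urlencode with quote_via=quote
    and safe="" produces the same percent-encoding as the documented URL
    (https%3A%2F%2Fjwt.ms, openid%20profile)."""
    params = {
        "client_id": client_id,
        "response_type": "id_token",
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "response_mode": "fragment",
        "state": state,
        "nonce": nonce,
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize?" + urlencode(
        params, quote_via=quote, safe="")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload of a compact JWT WITHOUT verifying its signature.
    This is what jwt.ms does for inspection; it says nothing about authenticity."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_claim(fragment: str, claim: str = "sAMAccountName",
                expected_state: str = "123", expected_nonce: str = "678") -> dict:
    """Parse the #fragment returned to the redirect URI, decode id_token and
    report whether the custom claim is present. state and nonce are checked
    against the values sent in the request, the minimum a client should do
    even when only inspecting a token."""
    params = parse_qs(fragment.lstrip("#"))
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    payload = decode_jwt_payload(params["id_token"][0])
    if payload.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return {
        "present": claim in payload,          # the check of step 5
        "value": payload.get(claim),
        "token_version": payload.get("ver"),  # "2.0" for v2.0 endpoint tokens
    }


def make_sample_token(payload: dict) -> str:
    # Constructed, unsigned sample token for offline demonstration only;
    # a real Azure AD id_token carries an RS256 signature over header.payload.
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.constructed-signature"


# Constructed sample payload: placeholders stand in for the tenant and client IDs.
SAMPLE_PAYLOAD = {
    "aud": "<CLIENT_ID>",
    "iss": "https://login.microsoftonline.com/<TENANT_ID>/v2.0",
    "ver": "2.0",
    "nonce": "678",
    "preferred_username": "jdoe@example.com",
    "sAMAccountName": "jdoe",
}
SAMPLE_FRAGMENT = "#id_token=" + make_sample_token(SAMPLE_PAYLOAD) + "&state=123"

if __name__ == "__main__":
    print(build_authorize_url("<TENANT_ID>", "<CLIENT_ID>"))
    print(check_claim(SAMPLE_FRAGMENT))
```

When run against a real fragment copied from the jwt.ms address bar, a result with "present": False means the claim mapping of section 1 (or the manifest change of section 2) did not take effect, which is exactly the situation the AADSTS50146 note below describes.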

5. Notes & Best Practices

  • If you get the error AADSTS50146, ensure that acceptMappedClaims is set to true and accessTokenAcceptedVersion to 2 (Stack Overflow, Microsoft for Developers, community.cyberark.com).
  • Prioritize adding via the portal for OIDC whenever possible. The PowerShell script remains useful for more complex scenarios.