Tags: powershell, azure-active-directory, azure-cli

Adding optional claims is not reflecting on Azure AD


I am trying to add optional claims for an app registered on Azure AD. I was following the documentation, but the changes are not reflected in the app's manifest. It still shows null or an empty array, as in the image below.

[Image from Manifest]

I tried to follow this SO Question also but no luck.

    $idTokenClaim = @()

    # One optional claim entry in the same shape the manifest uses
    $idTokenClaim += @([PSCustomObject] @{
            name                 = "upn"
            source               = $null
            essential            = "true"
            additionalProperties = @()
        })

    # Serialise to JSON once, then serialise that string again so the
    # result is a JSON string literal rather than a JSON object
    $optionalClaims = @{
        idToken     = $idTokenClaim
        accessToken = @()
        saml2Token  = @()
    } | ConvertTo-Json -Compress | ConvertTo-Json

    az ad app update --id $($application.appId) --optional-claims '$optionalClaims'

The JSON output for $optionalClaims is:

[image: JSON output of $optionalClaims]

Did I miss anything? Any help would be appreciated.


Solution

  • As mentioned in this article, in order to update the OptionalClaim property, we need to pass the information as a hashtable.

    Below are the steps which need to be followed:

    1. Create a test.json on your machine with content similar to the below (you can copy it from the corresponding section of the manifest file)
    {
            "idToken": [
                {
                    "additionalProperties": [],
                    "essential": false,
                    "name": "ctry",
                    "source": null
                },
                {
                    "additionalProperties": [],
                    "essential": false,
                    "name": "acct",
                    "source": null
                },
                {
                    "additionalProperties": [],
                    "essential": false,
                    "name": "given_name",
                    "source": null
                }
            ],
            "accessToken": [],
            "saml2Token": [
                {
                    "additionalProperties": [],
                    "essential": false,
                    "name": "upn",
                    "source": null
                }
            ]
        }
    
    2. Since we need to pass a hashtable to the -OptionalClaim parameter, we need to convert the above JSON to a hashtable.
    • In PowerShell 7 we can convert the above JSON to a hashtable by using the below cmdlet
    $hashtable = Get-Content <pathofAboveJsonFile> | ConvertFrom-Json -AsHashtable
    

    [image: output of ConvertFrom-Json -AsHashtable]

    3. Use the cmdlet Update-AzADApplication to update the optional claims for an application in Azure AD.
      Update-AzADApplication -ObjectId <objectidoftheapplication> -OptionalClaim $hashtable
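The same procedure as a single script, added here as an example and not code from the question or the answer above. It builds the optional-claims hashtable in memory instead of reading test.json, applies it with Update-AzADApplication, and then reads the registration back with Get-AzADApplication to confirm the claims were actually persisted, which is the check the question was missing. It assumes an existing Connect-AzAccount session, the Az.Resources module (5.x or later, where the returned object exposes OptionalClaim.IdToken, OptionalClaim.AccessToken and OptionalClaim.Saml2Token; those property names are an assumption), and a placeholder object id that you replace with your own.

```powershell
#Requires -Modules Az.Resources
# Added example (not from the question or the answer). Builds the same
# optional-claims structure as the answer's test.json directly in memory,
# applies it, then verifies the registration really carries the claims.
# Assumes a Connect-AzAccount session; the object id is a placeholder.

function New-OptionalClaimsHashtable {
    param(
        [string[]] $IdTokenClaims     = @(),
        [string[]] $AccessTokenClaims = @(),
        [string[]] $Saml2TokenClaims  = @()
    )
    # Turn a list of claim names into entries with the manifest's shape
    # (name / source / essential / additionalProperties).
    $toEntries = {
        param([string[]] $names)
        $entries = @()
        foreach ($n in $names) {
            $entries += @{
                name                 = $n
                source               = $null
                essential            = $false
                additionalProperties = @()
            }
        }
        return $entries
    }
    return @{
        idToken     = @(& $toEntries $IdTokenClaims)
        accessToken = @(& $toEntries $AccessTokenClaims)
        saml2Token  = @(& $toEntries $Saml2TokenClaims)
    }
}

function Get-MissingOptionalClaims {
    param(
        [Parameter(Mandatory)] [string]    $ObjectId,
        [Parameter(Mandatory)] [hashtable] $Desired
    )
    # Read the registration back rather than trusting the update call:
    # whatever is stored here ends up in tokens the tenant issues.
    $app = Get-AzADApplication -ObjectId $ObjectId
    # Hashtable keys -> property names on the returned object
    # (assumed Az.Resources 5+ names).
    $map = @{ idToken = 'IdToken'; accessToken = 'AccessToken'; saml2Token = 'Saml2Token' }
    $missing = @()
    foreach ($key in $map.Keys) {
        $want = @($Desired[$key] | ForEach-Object { $_.name })
        $have = @($app.OptionalClaim.($map[$key]) | ForEach-Object { $_.Name })
        foreach ($w in $want) {
            if ($have -notcontains $w) { $missing += "$key/$w" }
        }
    }
    return $missing
}

# Placeholder object id of the app registration to update.
$objectId = '00000000-0000-0000-0000-000000000000'

# Same claims as the answer's test.json.
$desired = New-OptionalClaimsHashtable `
    -IdTokenClaims    @('ctry', 'acct', 'given_name') `
    -Saml2TokenClaims @('upn')

Update-AzADApplication -ObjectId $objectId -OptionalClaim $desired

$missing = Get-MissingOptionalClaims -ObjectId $objectId -Desired $desired
if ($missing.Count -eq 0) {
    Write-Host 'All requested optional claims are present on the registration.'
} else {
    Write-Warning ('Claims not applied: ' + ($missing -join ', '))
}
```

Get-MissingOptionalClaims compares claim names only; if you also care about the essential flag or additionalProperties, extend the comparison in the inner loop. Running the check on a schedule against your registrations also catches claims someone else added or removed later.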