I need to include organisational chart information to the token claims when they are issued by Azure Active Directory.
Assuming that my company has this organisation:
For example, when I log in as 'Roary Moody', I would like to receive in the token that 'Francis Jeffferson' is my CFO.
Is there any way to do this?
Usually, you can run the Microsoft Graph API call below to get the details of the user hierarchically above the signed-in user in the organization chart, by expanding the manager attribute:
GET https://graph.microsoft.com/v1.0/me?$expand=manager($select=id,displayName,jobTitle)
Response:
Alternatively, you can create a claims mapping policy by running the sample PowerShell script below to get the same value in a custom claim of the token:
#Install-Module Microsoft.Graph
Connect-MgGraph

# Policy definition: map the user's extensionAttribute1 into a "manager" claim
$policyDefinition = @{
    definition = '{
        "ClaimsMappingPolicy": {
            "Version": 1,
            "IncludeBasicClaimSet": true,
            "ClaimsSchema": [
                {"Source": "user", "ID": "extensionattribute1", "SamlClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/manager", "JwtClaimType": "manager"}
            ]
        }
    }'
    displayName = "AddManager"
}

# Create the policy and read it back
$Policy = New-MgPolicyClaimMappingPolicy -BodyParameter $policyDefinition
Get-MgPolicyClaimMappingPolicy -ClaimsMappingPolicyId $Policy.Id | fl
Response:
Now, assign this policy to the service principal from which you are generating the token with these commands:
$servicePrincipalId = "spObjectId"
$policyId = "policyId"

# Reference the policy by its Graph URL and attach it to the service principal
$params = @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/$policyId"
}
New-MgServicePrincipalClaimMappingPolicyByRef -ServicePrincipalId $servicePrincipalId -BodyParameter $params

# Confirm the assignment
Get-MgServicePrincipalClaimMappingPolicy -ServicePrincipalId $servicePrincipalId | fl
Response:
Now, update the manager claim value in the user's properties by running these commands:
$userId = "userId"

# Store the manager value the policy will read from extensionAttribute1
$params = @{
    onPremisesExtensionAttributes = @{
        extensionAttribute1 = "ManagerName(jobTitle)"
    }
}
Update-MgUser -UserId $userId -BodyParameter $params
Response:
Make sure to enable the settings below in the app registration's Manifest:
Now, I exposed an API by adding a custom scope in the app registration like this:
In my case, I used the Implicit flow to generate the access token, for which the options below should be enabled:
When I ran the authorization URL below in the browser, signing in as the updated user, I got a token with the manager claim successfully, like this:
https://login.microsoftonline.com/tenantID/oauth2/v2.0/authorize?client_id=appID&response_type=token&redirect_uri=https://jwt.ms&scope=api://appID/custom.read&state=12345&nonce=12345
Reference: Fetching Organization Chart - API - Microsoft Q&A by CarlZhao-MSFT
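The answer's last step writes the manager's name into extensionAttribute1 by hand. The script below is an added example (it is not part of the question, the answer, or any Microsoft sample) that fills that attribute from the user's actual manager relationship in Microsoft Graph, so the value the claims mapping policy emits is derived from the directory rather than typed in. It assumes the Microsoft.Graph PowerShell SDK is installed, the signed-in administrator holds User.ReadWrite.All, and the policy from the answer is already assigned to the service principal; the function name Set-ManagerClaimAttribute and the UPN are placeholders.

```powershell
# Added example: derive the "manager" claim value from the Graph manager
# relationship and store it in extensionAttribute1 for the mapping policy.
# Assumes Microsoft.Graph is installed and the caller has User.ReadWrite.All.

function Set-ManagerClaimAttribute {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )

    # $select keeps both responses down to the fields we actually use.
    $userUri    = "https://graph.microsoft.com/v1.0/users/$UserPrincipalName" +
                  '?$select=id,displayName,onPremisesSyncEnabled'
    $managerUri = "https://graph.microsoft.com/v1.0/users/$UserPrincipalName/manager" +
                  '?$select=id,displayName,jobTitle'

    $user = Invoke-MgGraphRequest -Method GET -Uri $userUri -ErrorAction Stop

    # For users synced from on-premises AD, onPremisesExtensionAttributes are
    # read-only in Graph (AD is the source of authority), so skip them.
    if ($user.onPremisesSyncEnabled -eq $true) {
        Write-Warning "$($user.displayName) is synced from on-premises AD; set extensionAttribute1 in AD instead."
        return $null
    }

    try {
        $manager = Invoke-MgGraphRequest -Method GET -Uri $managerUri -ErrorAction Stop
    } catch {
        # /manager returns 404 when no manager is assigned; leave the attribute untouched.
        Write-Warning "$($user.displayName) has no manager set; leaving the attribute unchanged."
        return $null
    }

    # Same "Name(jobTitle)" shape the answer uses for the claim value.
    $claimValue = '{0}({1})' -f $manager.displayName, $manager.jobTitle

    $body = @{
        onPremisesExtensionAttributes = @{
            extensionAttribute1 = $claimValue
        }
    }
    Update-MgUser -UserId $user.id -BodyParameter $body -ErrorAction Stop

    # Read the value back so the caller can confirm what the token will carry.
    $checkUri = "https://graph.microsoft.com/v1.0/users/$($user.id)" +
                '?$select=onPremisesExtensionAttributes'
    $check = Invoke-MgGraphRequest -Method GET -Uri $checkUri -ErrorAction Stop
    return $check.onPremisesExtensionAttributes.extensionAttribute1
}

# Usage (placeholder UPN): run once per user, then on a schedule so the
# stored value follows organisation changes instead of going stale.
Connect-MgGraph -Scopes 'User.ReadWrite.All'
Set-ManagerClaimAttribute -UserPrincipalName 'roary.moody@contoso.example'
```

Two points a practitioner should keep in mind when relying on this claim. First, the value in the token is a snapshot of the directory attribute at the time the script last ran, not a live lookup of the manager relationship, so the consuming application should treat it as informational and keep authorization decisions on group or role claims. Second, claims mapping policies only take effect when the app registration accepts mapped claims (the acceptMappedClaims manifest setting the answer's screenshot refers to) or has a custom signing key configured, and extensionAttribute1 to extensionAttribute15 are shared with Exchange custom attributes, so check that the attribute is not already in use for another purpose before overwriting it.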