无法获得Azure AD OpenID身份验证Exchange邮件域作为声明 [英] Unable to get Azure AD OpenID Authentication Exchange mail feild as a claim

问题描述

无法获得Azure AD OpenID身份验证Exchange邮件的所有权

我们的电子邮件不同于UPN.

为了检查并确保我具有mail属性，我通过PowerShell连接到Azure AD并运行以下命令.

    Get-AzureADUser -objectid upn@domain.com |选择对象邮件

   邮件              
    ----                
    useremail@domain.com

因此，在Azure AD中，我创建了一个新的应用程序注册.在应用清单中，启用" acceptMappedClaims":true..

然后在Visual Studio中创建一个* ASP.NET Web应用程序*并选择*工作或学校帐户*进行身份验证，指向我的云域，并在创建后，更新`ClientId'以指向应用程序注册，等等.

然后我添加一个映射策略:

  New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1，"IncludeBasicClaimSet":"true" " ClaimsSchema":[{"Source":"user"，"ID":"mail"，"JwtClaimType":"email"}}}'') -DisplayName"CustomClaims" -类型"ClaimsMappingPolicy"

然后，我将策略添加到应用中:

  Add-AzureADServicePrincipalPolicy -Id [企业应用程序对象ID] -RefObjectId [策略ID]

在"Startup.Auth.cs"中，我添加了作用域"列表以包含电子邮件"

app.UseOpenIdConnectAuthentication(
       新的OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId，
           权限=权限，
            PostLogoutRedirectUri = postLogoutRedirectUri，
           范围="openid个人资料电子邮件角色"
        });

似乎没有任何作用.我肯定在这里缺少一些配置步骤...

Unable to get Azure AD OpenID Authentication Exchange mail feild as a claim

Our emails are different than UPNs.

To check and make sure I have the mail property, I connect via PowerShell to Azure AD and run the following command.

    Get-AzureADUser -objectid upn@domain.com | Select-Object Mail

    Mail                
    ----                
    useremail@domain.com

So, in Azure AD I create a new Application Registration. In the app manifest, I enable `"acceptMappedClaims": true,`.

 Then in Visual Studio I create an *ASP.NET Web Application* and select *Work or School Accounts* for authentication, point to my cloud domain and after it's created, update `ClientId` to point to the application registration, etc.

 I then add a mapping policy:

  New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema": [{"Source":"user","ID":"mail","JwtClaimType":"email"}]}}') -DisplayName "CustomClaims" -Type "ClaimsMappingPolicy"

 I then add the policy to the app:

  Add-AzureADServicePrincipalPolicy -Id [Enterprise Application Object Id] -RefObjectId [policy id]

 In `Startup.Auth.cs` I add `Scope` list to include `email`

app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,
            Authority = authority,
            PostLogoutRedirectUri = postLogoutRedirectUri,
            Scope = "openid profile email roles"
        });

Nothing seems to work. I am definitely missing some configuration step here...

推荐答案

可选 Azure AD中的声明

It can be provided on the V1 endpoint ID Token (or in V2 endpoint access tokens) via the optional claim. Check out this article -Optional claims in Azure AD

这篇关于无法获得Azure AD OpenID身份验证Exchange邮件域作为声明的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！