AD FS Help Azure AD RPT Claim Rules

Azure AD RPT Claim Rules

Designed for a single domain or multiple domains. Walk through our simple process to get the right claims for your federation trust between Azure AD and AD FS.

  • In order for AD FS to work with Azure AD, your AD FS relying party trust needs to contain the set of claims that is tailored to your organization. If any of the information is wrong, it will affect user login. We know this can be difficult to create yourself, so we’ll help guide you through the process. Just make sure that the Azure AD relying party trust is already in place.

    We recommend using Azure AD Connect to manage your Azure AD trust. It will automatically update the claim rules for you based on your tenant information. However, if you are not using it to manage your trust, proceed below to generate the same set of claims as AAD Connect. Click here to learn more about Azure AD Connect with federation.

    If you only have one federated Azure AD domain (for example contoso.com) but plan on federating one or more additional domains (child1.contoso.com, child2.contoso.com or more), it is crucial that you update your claim rules prior to changing the Azure AD domain itself. If the claim rules are not updated prior to making the domain change, all users will be unable to sign in.

    In order to generate the right set of claims for your organization, we will need to ask you a few questions about your AAD Connect configuration.

  • Select how users should be uniquely identified with Azure AD. The Immutable ID attribute is defined as an attribute that is immutable during the lifetime of an object. It uniquely identifies an object as being the same object on-premises and in Azure AD, and is the primary key linking on-premises users with users in Azure AD. Click here to learn more about Immutable ID attributes.

    Immutable ID
  • Select the attribute that users will use to sign into Azure AD. This will be what users type in for their username during login.

    By default, Azure AD Connect uses the userPrincipalName attribute. However, the administrator may have selected an Alternate ID such as email. Enter the configuration used with AAD Connect.

    User Sign In
  • Does the Azure AD trust with AD FS support multiple domains?

    Select Yes if you have multiple federated domains or the Azure AD trust was created using the -SupportMultipleDomain switch.

  • Issuer Id Claim RegEx

    When federating multiple domains, this is the regex used to set the correct IssuerId claim. The regex was developed using the domain information you provided.

    Claim Rules

    In order to update the claims on your Azure AD trust, click the copy button and run the PowerShell script on the primary AD FS server to set the correct claims. The script will also make a backup of the current claim rules for safekeeping.

    Below are the individual claim rules required for your organization.
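The following is an added illustration of the backup-then-apply step described above, not the script this page generates for you. It assumes the Azure AD trust carries the default name "Microsoft Office 365 Identity Platform", that objectGUID is the Immutable ID, that userPrincipalName is the sign-in attribute, and that the trust supports the three example domains from this page (the per-organization IssuerId regex the wizard produces will differ); the backup folder is an arbitrary choice.

```powershell
# Added example; run in an elevated PowerShell session on the primary AD FS server.
Import-Module ADFS
$rptName   = "Microsoft Office 365 Identity Platform"   # assumed default trust name
$backupDir = "C:\AdfsBackup"                            # assumed backup location
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. Back up the current issuance transform rules before changing anything.
$rpt = Get-AdfsRelyingPartyTrust -Name $rptName
if (-not $rpt) { throw "Relying party trust '$rptName' not found; create the Azure AD trust first." }
$stamp = Get-Date -Format "yyyyMMdd-HHmmss"
$rpt.IssuanceTransformRules | Out-File -FilePath "$backupDir\$rptName-$stamp.txt" -Encoding utf8

# 2. Claim rules matching the choices above (objectGUID as Immutable ID, UPN as sign-in attribute,
#    multiple domains). The single-quoted here-string keeps ${user} and ${domain} literal for AD FS.
$rules = @'
@RuleName = "Issue UPN and ImmutableId"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN", "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};userPrincipalName,objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);

@RuleName = "Issue nameidentifier"
c:[Type == "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");

@RuleName = "Issue issuerid for multiple domains"
c:[Type == "http://schemas.xmlsoap.org/claims/UPN"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, "^.+@(?<domain>contoso[.]com|child1[.]contoso[.]com|child2[.]contoso[.]com)$", "http://${domain}/adfs/services/trust/"));
'@

# 3. Apply the rules, then read them back to confirm AD FS stored exactly what was sent.
Set-AdfsRelyingPartyTrust -TargetName $rptName -IssuanceTransformRules $rules
$applied = (Get-AdfsRelyingPartyTrust -Name $rptName).IssuanceTransformRules
if ($applied.Trim() -ne $rules.Trim()) {
    Write-Warning "Stored rules differ from the submitted set; compare against the backup in $backupDir."
}
```

After applying, test sign-in with an account from each federated domain; if anything fails, the timestamped file in the backup folder can be passed straight back to Set-AdfsRelyingPartyTrust -IssuanceTransformRules to restore the previous rules.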