The configuration was overwritten by a claim mapping policy created via Graph/PowerShell

AzureAD claims mapping portal error

I got this warning while playing with the Claims Customization via PowerShell preview feature. On several occasions I have also helped administrators locate and remove the claims mapping policy from an application so they could go back to managing their claims via the portal.

Hopefully the steps and tips in this post will help you get familiar with this feature and resolve this error faster.

The official document referenced below opens when you click the “Learn more” link in the warning shown on the screenshot.

Please note this feature is in Preview and is not recommended for production environments.

Per documentation:

“This feature is used by tenant admins to customize the claims emitted in tokens for a specific application in their tenant. You can use claims-mapping policies to:

  • Select which claims are included in tokens.
  • Create claim types that do not already exist.
  • Choose or change the source of data emitted in specific claims.”

To set it up I followed the PowerShell examples in the Claims mapping policy assignment section of that document.

Preparation

Make sure you are running the latest AzureADPreview module version on your computer and that the module is loaded. Otherwise you might run into the errors below.

Not being able to locate the Get-AzureADPolicy cmdlet, error “The term ‘Get-AzureADPolicy’ is not recognized as the name of a cmdlet, function, script file, or operable program”. Addressed it by running:

Import-Module AzureADPreview

Another cause of the same error is the presence of older AzureAD and AzureADPreview module versions side by side. You can use Uninstall-Module to remove the older versions.

While still running an old AzureADPreview version connected to Azure AD, running

Get-AzureADPolicy

returned

“Error occurred while executing GetPolicies
Code: Request_InvalidRequestURL
Message: Request url was invalid. The request should be like /tenantdomainname/Entity or /$metadata. Tenant domain name can be any of the verified, unverified domain names or context id”

Resolved it by updating to the latest AzureADPreview module (Update-Module AzureADPreview does the same when an older version is already installed)

Install-Module -Name AzureADPreview

and restarting the PowerShell ISE. At the time of writing the latest version of the Azure AD PowerShell preview module was 2.0.2.105.

Policy setup

Created a policy that removes the basic claim set from tokens issued to the service principals it is linked to:

New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"false"}}') -DisplayName "OmitBasicClaims" -Type "ClaimsMappingPolicy"

Saved the Policy ID returned by the command for the next steps.

Obtained the Object ID of my test application's service principal:

Get-AzureADServicePrincipal -Filter "DisplayName eq 'Test SAML Claims Mapping'"

Then assigned the claims mapping policy to that service principal (-Id is the service principal Object ID, -RefObjectId is the policy ID):

Add-AzureADServicePrincipalPolicy -Id 2a1f6e41-75fa-4145-8bba-c1975cd83eb9 -RefObjectId 35e06f92-a61d-4c31-8456-1f500930e0c5
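The same setup, wrapped so the policy JSON is built from a hashtable instead of typed by hand and the assignment is guarded, as an added example that is not part of the original post. It assumes an existing Connect-AzureAD session with the AzureADPreview module; the application name, the policy name and the employeeid claim are illustrative. The pre-check exists because a service principal carries at most one claims mapping policy. Keep in mind, per Microsoft's documentation rather than this post, that Azure AD only honours mapped claims for an application that either uses a custom signing key or has acceptMappedClaims set to true in its manifest.

```powershell
# Added example: build a claims mapping policy definition from a hashtable and
# assign it to an application's service principal. Requires AzureADPreview and
# an existing Connect-AzureAD session. Names and the claim below are assumptions.

Import-Module AzureADPreview -ErrorAction Stop

function New-ClaimsMappingPolicyDefinition {
    param(
        [bool]$IncludeBasicClaimSet = $true,
        [System.Collections.IDictionary[]]$ClaimsSchema = @()
    )
    # Azure AD expects IncludeBasicClaimSet as the string "true"/"false",
    # not a JSON boolean, so it is converted explicitly.
    $policy = [ordered]@{
        ClaimsMappingPolicy = [ordered]@{
            Version              = 1
            IncludeBasicClaimSet = $IncludeBasicClaimSet.ToString().ToLower()
        }
    }
    if ($ClaimsSchema.Count -gt 0) {
        $policy.ClaimsMappingPolicy['ClaimsSchema'] = $ClaimsSchema
    }
    # Default ConvertTo-Json depth (2) would flatten the nested schema entries.
    return ($policy | ConvertTo-Json -Depth 10 -Compress)
}

function Get-SingleServicePrincipal {
    param([Parameter(Mandatory)][string]$DisplayName)
    # Escape single quotes for the OData filter and insist on exactly one match,
    # so the policy is never linked to the wrong app when display names collide.
    $escaped = $DisplayName.Replace("'", "''")
    $found = @(Get-AzureADServicePrincipal -Filter "displayName eq '$escaped'")
    if ($found.Count -ne 1) {
        throw "Expected exactly one service principal named '$DisplayName', found $($found.Count)."
    }
    return $found[0]
}

function Set-AppClaimsMappingPolicy {
    param(
        [Parameter(Mandatory)][string]$AppDisplayName,
        [Parameter(Mandatory)][string]$PolicyDisplayName,
        [Parameter(Mandatory)][string]$Definition
    )
    $spn = Get-SingleServicePrincipal -DisplayName $AppDisplayName

    # A service principal carries at most one claims mapping policy; refuse to
    # stack another instead of creating a policy and then failing on assignment.
    $existing = @(Get-AzureADServicePrincipalPolicy -Id $spn.ObjectId |
                  Where-Object { $_.Type -eq 'ClaimsMappingPolicy' })
    if ($existing.Count -gt 0) {
        throw "'$AppDisplayName' already has claims mapping policy '$($existing[0].DisplayName)' ($($existing[0].Id))."
    }

    $policy = New-AzureADPolicy -Definition @($Definition) `
                                -DisplayName $PolicyDisplayName `
                                -Type 'ClaimsMappingPolicy'
    Add-AzureADServicePrincipalPolicy -Id $spn.ObjectId -RefObjectId $policy.Id

    [pscustomobject]@{
        ServicePrincipalId = $spn.ObjectId
        PolicyId           = $policy.Id
        Definition         = $Definition
    }
}

# Usage (app name, policy name and the employeeid claim are illustrative):
$definition = New-ClaimsMappingPolicyDefinition -IncludeBasicClaimSet $true -ClaimsSchema @(
    [ordered]@{
        Source        = 'user'
        ID            = 'employeeid'
        SamlClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/employeeid'
        JwtClaimType  = 'employeeid'
    }
)
Set-AppClaimsMappingPolicy -AppDisplayName 'Test SAML Claims Mapping' `
                           -PolicyDisplayName 'AddEmployeeId' `
                           -Definition $definition
```

The returned object carries both IDs, which is exactly what the removal step later needs; keep it (or the policy ID at least) somewhere, since the portal will only tell you that a policy exists, not which one.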

Policy removal

The difficulty some administrators run into is that the assignment is not visible from either the service principal:

Get-AzureADServicePrincipal -Filter "DisplayName eq 'Test SAML Claims Mapping'" | fl *

or the policy itself:

Get-AzureADPolicy -Id 35e06f92-a61d-4c31-8456-1f500930e0c5 | fl *

The command that lists the policies linked to a service principal is Get-AzureADServicePrincipalPolicy, called with the service principal Object ID:

Get-AzureADServicePrincipalPolicy -Id 2a1f6e41-75fa-4145-8bba-c1975cd83eb9

To remove the assignment use:

Remove-AzureADServicePrincipalPolicy -Id 2a1f6e41-75fa-4145-8bba-c1975cd83eb9 -PolicyId 35e06f92-a61d-4c31-8456-1f500930e0c5

After that the warning no longer appears under User Attributes & Claims in the Enterprise application's single sign-on settings. Note that this only unlinks the policy from the service principal; the policy object itself stays in the tenant and can be deleted with Remove-AzureADPolicy once nothing else uses it.
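The locate-and-remove procedure above, as an added example that is not part of the original post, for the administrator who only has the application name from the portal warning. It assumes an existing Connect-AzureAD session with the AzureADPreview module, and the application name is an assumption. It prints the policy definition before detaching it, and uses Get-AzureADPolicyAppliedObject (the reverse lookup from a policy to the objects it is applied to) so the policy object is only deleted when no other service principal still references it.

```powershell
# Added example: find the claims mapping policy behind the portal warning for an
# application, detach it, and delete the policy object if it is now unused.
# Requires AzureADPreview and an existing Connect-AzureAD session. App name is assumed.

Import-Module AzureADPreview -ErrorAction Stop

function Get-AppClaimsMappingPolicies {
    param([Parameter(Mandatory)][string]$AppDisplayName)
    $escaped = $AppDisplayName.Replace("'", "''")
    $spns = @(Get-AzureADServicePrincipal -Filter "displayName eq '$escaped'")
    if ($spns.Count -ne 1) {
        throw "Expected exactly one service principal named '$AppDisplayName', found $($spns.Count)."
    }
    $spn = $spns[0]
    # The link is only visible through Get-AzureADServicePrincipalPolicy; neither
    # the service principal object nor Get-AzureADPolicy shows it.
    Get-AzureADServicePrincipalPolicy -Id $spn.ObjectId |
        Where-Object { $_.Type -eq 'ClaimsMappingPolicy' } |
        ForEach-Object {
            [pscustomobject]@{
                ServicePrincipalId = $spn.ObjectId
                PolicyId           = $_.Id
                PolicyDisplayName  = $_.DisplayName
                Definition         = ($_.Definition -join '')
            }
        }
}

function Remove-AppClaimsMappingPolicy {
    param(
        [Parameter(Mandatory)][string]$AppDisplayName,
        [switch]$DeleteOrphanedPolicy
    )
    $assignments = @(Get-AppClaimsMappingPolicies -AppDisplayName $AppDisplayName)
    if ($assignments.Count -eq 0) {
        Write-Host "No claims mapping policy is assigned to '$AppDisplayName'; nothing to remove."
        return
    }
    foreach ($a in $assignments) {
        # Show what is about to be detached so the change is reviewable.
        Write-Host "Detaching '$($a.PolicyDisplayName)' ($($a.PolicyId)): $($a.Definition)"
        Remove-AzureADServicePrincipalPolicy -Id $a.ServicePrincipalId -PolicyId $a.PolicyId

        if ($DeleteOrphanedPolicy) {
            # Removing the assignment leaves the policy object in the tenant. Delete it
            # only when no other directory object still has it applied.
            $stillUsedBy = @(Get-AzureADPolicyAppliedObject -Id $a.PolicyId)
            if ($stillUsedBy.Count -eq 0) {
                Remove-AzureADPolicy -Id $a.PolicyId
                Write-Host "Deleted orphaned policy $($a.PolicyId)."
            } else {
                Write-Host "Policy $($a.PolicyId) is still applied to $($stillUsedBy.Count) object(s); left in place."
            }
        }
    }
}

# Usage: audit first, then remove.
Get-AppClaimsMappingPolicies -AppDisplayName 'Test SAML Claims Mapping' | Format-List
Remove-AppClaimsMappingPolicy -AppDisplayName 'Test SAML Claims Mapping' -DeleteOrphanedPolicy
```

Run the audit function on its own first; the definition it prints tells you whether the policy was doing something deliberate (a custom claim somebody relies on) before you take it away to get the portal editor back.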
