ISO Azure Feature Equivalent: Role trust policy for session tags in AWS

Question

I'm looking for an Azure equivalent of custom claim validation like AWS has in session tags?

{
    "Sid": "AllowPassSessionTagsAndTransitive",
    "Effect": "Allow",
    "Action": "sts:TagSession",
    "Principal": {"AWS": "arn:aws:iam::123456789012:user/test-session-tags"},
    "Condition": {
    "StringLike": {
        "aws:RequestTag/Project": "*",
        "aws:RequestTag/CostCenter": "*"
    },
    "StringEquals": {
        "aws:RequestTag/Department": [
            "Engineering",
            "Marketing"
        ]
    },
    "ForAllValues:StringEquals": {
        "sts:TransitiveTagKeys": [
            "Project",
            "Department"
         ]
      }
   }
}

Context: I have an OIDC token that contains custom claims

{
  "alg": "HS256",
  "kid": "12345",
  "typ": "JWT"
}.
{
  "aud": "AUDIENCE_NAME"
  "iss": "SOME_ISSUER",
  ...
  "customClaim1": "foo",
  "customClaim2": "bar",
}

I've worked through Azure's Workload Identity Federation and Conditional Access documentation but nothing seems to fit the feature of checking that customClaim1 == "foo" before providing an Azure access token.

I want to add a trust policy in Azure that does similar validation like AWS does with session tags. Which grants access to OIDC tokens if the custom claims / session tags match specific conditions. Google also has a similar feature.

Answer 1

Hello Amy Davies,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that you are in need of ISO Azure Feature Equivalent similar to the Role trust policy for session tags in AWS.

Unfortunately, Azure does not have a direct equivalent to AWS's session tags, but you can achieve similar functionality using Azure AD Conditional Access and custom claims in tokens.

1. Using Azure AD Custom Security Attributes to tag users and enforce policies based on these attributes by mapping AWS IAM concepts to similar ones in Azure: https://techcommunity.microsoft.com/t5/fasttrack-for-azure/mapping-aws-iam-concepts-to-similar-ones-in-azure/ba-p/3612216
2. By using custom attributes for Attribute-Based Access Control (ABAC) with Microsoft Entra ID, Azure AD Conditional Access policies can be configured to enforce access based on custom claims in tokens. You can use Azure AD B2C to create custom policies that validate specific claims in the token before granting access. Read more here - https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-overview and https://aws.amazon.com/blogs/modernizing-with-aws/use-custom-attributes-for-attribute-based-access-control-abac-with-microsoft-entra-id-and-aws-iam-identity-center

If you will need to configure a custom policy in Azure AD B2C to validate a custom claim, this is an example of what you can do with your XML:

<ClaimsTransformation Id="AssertCustomClaimEqualsFoo" TransformationMethod="AssertStringClaimIsEqualToValue">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="customClaim1" TransformationClaimType="inputClaim" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="valueToCompareTo" DataType="string" Value="foo" />
  </InputParameters>
</ClaimsTransformation>

I hope this is helpful! Do not hesitate to let me know if you have any other questions.

---

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.