The core requirement is to map device attribute and send in SAML token along with all other user attributes.

Question

We need to send one of the computer attribute (device.divison) to the SAML claim along with other user attributes in one of the enterprise application in Entra ID. The device is Azure AD hybrid joined and available in the Entra ID (Devices). In the Enterprise application Attribute & Claim mapping, it only gives the option to map user attributes not a computer attribute. The application requirement is such that it should get the device division attribute value in the claim during the authentication process along with other claims in the SAML assertion. Please help how this can be achieved. Also suggest any alternative methods.

(Note:- device.divison attribute is default attribute of computer and it is not an ExtensionAttribute)

Thanks you in advance.

Answer 1

Hi @Bishnu Baliyase,

Thank you for reaching out to Microsoft Q&A.

I understand that you would like to populate, device attribute in SAML token along with all other user attributes.

Unfortunately, there is no SAML attribute that Azure is parsing to fetch device attribute. By default, the Microsoft identity platform issues a SAML token to an application that contains a claim with a value of the user's username (also known as the user's principal name), which can uniquely identify the user. The SAML token also contains other claims that include the user's email address, first name, and last name. SAML attribute claims include user attributes and directory extension attributes.

For more information: https://learn.microsoft.com/en-us/entra/identity-platform/saml-claims-customization

Hope this helps. Do let us know if you any further queries.

Thanks & Best Regards

Janaki Kota