How to Enrich User Claims Using Microsoft® Graph

To support advanced scenarios where claims are not provided directly by the Microsoft Azure AD access token (JWT), such as onPremisesSamAccountName, SmartHub supports configuring a claims provider stage that queries Microsoft Graph for a configurable list of user-level properties. Those properties can then be used in scripting or by the Advanced Security module.

How to Configure the Claims Provider Stage

Microsoft Azure Configuration

To configure the claims provider stage follow the steps below:

  1. Ensure that you have an Azure App Registration with the following API permissions to Microsoft Graph:
  2. Get the directory ID and client ID from the app registration Overview page:
  3. Open the Certificates & secrets page.

  4. Create a client secret for the App registration and record the value.
SmartHub Pipeline Stage Configuration

  1. Navigate to the SmartHub Administration page in SmartHub.
    1. Your address will resemble http://<SmartHubFQDN>:8080/_admin.

  2. Add and configure a Graph Claims Provider stage and provide the directory ID, client ID, and client secret from the previous steps along with the list of user properties to be fetched from Microsoft Graph:
  3. After this stage is configured, you can reference any of the fetched user properties either in settings (for example the Advanced Security Module upnPropertyName) or in scripts like the one below:

//Assemblies:
BAInsight.Longitude.Federator.Runtime.dll

//Code:
// Load the current user's security context: the token claims plus the
// properties added by the Graph Claims Provider stage.
var userContext = BAInsight.Longitude.Federator.Runtime.Security.SecurityUtil.Load();
// Read an enriched property; the second argument is returned when the
// property is not present for this user.
var prop = userContext.GetProperty("newGraphClaim", "fallbackvalue");
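The following Python sketch is an added example, not SmartHub or BA Insight code, showing what a Graph claims-provider stage configured as above has to do: obtain an application token with the directory ID, client ID and client secret (client-credentials flow), fetch only the configured properties for the user identified by the validated token's oid claim, and merge them into the claim set so that a script-side GetProperty(name, fallback) lookup behaves as described. The function names, the sample token claims and the sample Graph response are all constructed for illustration; the Graph endpoints, the $select parameter and the client_credentials grant are the real Microsoft identity platform and Graph conventions.

```python
# Added example (not SmartHub or BA Insight code): what a Graph claims-provider
# stage does. Function names and sample data below are assumptions.
from urllib.parse import quote, urlencode

GRAPH_BASE = "https://graph.microsoft.com/v1.0"
LOGIN_BASE = "https://login.microsoftonline.com"


def token_request(directory_id, client_id, client_secret):
    """Client-credentials token request for Graph: returns (url, form_body).
    The secret recorded from 'Certificates & secrets' goes only into this
    body; it must never end up in a log line or in a claim."""
    url = f"{LOGIN_BASE}/{directory_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    })
    return url, body


def user_properties_url(object_id, properties):
    """Graph URL that fetches only the configured properties via $select,
    so the stage reads no more directory data than it needs."""
    return f"{GRAPH_BASE}/users/{quote(object_id)}?$select={','.join(properties)}"


def enrich_claims(token_claims, graph_user, properties):
    """Return a copy of the token's claims with the configured Graph
    properties added. A claim already present in the signed token wins over
    the Graph value; properties Graph did not return are left absent, so the
    script-side fallback in GetProperty(name, fallback) applies."""
    claims = dict(token_claims)
    for name in properties:
        value = graph_user.get(name)
        if value is not None and name not in claims:
            claims[name] = value
    return claims


def get_property(claims, name, fallback):
    """Mirror of userContext.GetProperty(name, fallback) in the SmartHub script."""
    return claims.get(name, fallback)


# Constructed sample data: claims from a validated access token and the Graph
# response for that user (only the $select'ed fields come back; employeeId is
# deliberately missing to exercise the fallback path).
SAMPLE_TOKEN_CLAIMS = {
    "oid": "00000000-0000-0000-0000-000000000001",
    "upn": "jdoe@contoso.example",
    "name": "Jane Doe",
}
SAMPLE_GRAPH_USER = {
    "onPremisesSamAccountName": "CONTOSO\\jdoe",
    "department": "Finance",
}
CONFIGURED_PROPERTIES = ["onPremisesSamAccountName", "department", "employeeId"]


def demo():
    # Look the user up by the token's oid, so the enrichment is bound to the
    # identity that actually authenticated rather than to a caller-supplied name.
    url = user_properties_url(SAMPLE_TOKEN_CLAIMS["oid"], CONFIGURED_PROPERTIES)
    claims = enrich_claims(SAMPLE_TOKEN_CLAIMS, SAMPLE_GRAPH_USER, CONFIGURED_PROPERTIES)
    return url, claims


if __name__ == "__main__":
    url, claims = demo()
    print(url)
    print(get_property(claims, "onPremisesSamAccountName", "fallbackvalue"))
    print(get_property(claims, "employeeId", "fallbackvalue"))  # fallback path
```

Two design points carry over to the real stage: the Graph lookup is keyed on the oid claim of the already-validated token, and token claims are never overwritten by directory values, so the enrichment adds information without letting directory data change who the caller is.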