Pass Custom Azure AD Attributes as Twilio Flex SAML Claims
Azure AD extension properties can only be used as Enterprise Application SAML claims through a Claims Mapping Policy created using the Graph API or Powershell. The Azure AD portal interface does not support adding extension properties as claims. This guide uses the Graph API to walk you through the process of creating an Azure AD extension property, a claims mapping policy, and passing the property as a custom attribute for your Flex users.
Open Microsoft Graph Explorer
- Open and login to your Azure portal.
- In a separate tab, open the Microsoft Graph API Explorer, click “Sign in to Graph Explorer”, and select your Azure administrator account to use for Graph Explorer.
- Make sure to consent to the following permissions requirements:
Gather Supporting IDs
We will need to retrieve a couple IDs for use in the next steps: your Service principal entity ID and your Application entity ID. Click on the respective tab for detailed instructions.
Run the following Graph Explorer query to retrieve your Service Principal Entity ID. Make sure to:
- Replace with a portion of your Enterprise app name on the URL field. For example, if your app name is “Twilio Flex”, you can enter “displayname:flex” as the “$search” query parameter value.
- Click on the Request headers tab to add the key-value pair.
Example Request
HTTP method: GET
API version: v1.0
Endpoint URL: https://graph.microsoft.com/v1.0/servicePrincipals?$search="displayName:<Your_App_Name>"
Request header key: ConsistencyLevel
Request header value: eventual- Click Run query and in the JSON response, look for the array object whose "appDisplayName" value matches your Enterprise Application name.
- Copy the "id" value and paste it somewhere you can reference it.
Example Response
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals",
"value": [
{
"id": "cdxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"deletedDateTime": null,
"accountEnabled": true,
"alternativeNames": [],
"appDisplayName": "Twilio Flex testing",
"appDescription": null,
"appId": "xxx",
"applicationTemplateId": "xxx",
"appOwnerOrganizationId": "xxx",
"appRoleAssignmentRequired": true,
"createdDateTime": "2021-11-24T18:17:10Z",
"description": null,
"disabledByMicrosoftStatus": null,
"displayName": "Twilio Flex testing",
"homepage": "https://account.activedirectory.windowsazure.com:444/applications/default.aspx?metadata=customappsso|ISV9.1|primary|z",
"loginUrl": null,
"logoutUrl": null,
"notes": null,
"notificationEmailAddresses": [
"user@userdomain.onmicrosoft.com"
],
"preferredSingleSignOnMode": "saml",
"preferredTokenSigningKeyThumbprint": "xxxx",
"replyUrls": [
"https://iam.twilio.com/v1/Accounts/ACXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/saml2/"
],
"servicePrincipalNames": [
"https://iam.twilio.com/v1/Accounts/ACXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/saml2/metadata",
"xxx"
],
"servicePrincipalType": "Application",
"signInAudience": "AzureADMyOrg",
"tags": [
"WindowsAzureActiveDirectoryCustomSingleSignOnApplication",
"WindowsAzureActiveDirectoryIntegratedApp"
],
"tokenEncryptionKeyId": null,
"resourceSpecificApplicationPermissions": [],
"verifiedPublisher": {
"displayName": null,
"verifiedPublisherId": null,
"addedDateTime": null
},
"addIns": [],
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"description": "admin",
"displayName": "Admin",
"id": "yyy",
"isEnabled": true,
"origin": "Application",
"value": "admin"
},
{
"allowedMemberTypes": [
"User"
],
"description": "supervisor",
"displayName": "Supervisor",
"id": "zzz",
"isEnabled": true,
"origin": "Application",
"value": "supervisor"
},
{
"allowedMemberTypes": [
"User"
],
"description": "agent",
"displayName": "Agent",
"id": "aaa",
"isEnabled": true,
"origin": "Application",
"value": "agent"
},
{
"allowedMemberTypes": [
"User"
],
"description": "msiam_access",
"displayName": "msiam_access",
"id": "bbb",
"isEnabled": true,
"origin": "Application",
"value": null
}
],
"info": {
"logoUrl": null,
"marketingUrl": null,
"privacyStatementUrl": null,
"supportUrl": null,
"termsOfServiceUrl": null
},
"keyCredentials": [
{
"customKeyIdentifier": "xxx",
"displayName": "CN=Microsoft Azure Federated SSO Certificate",
"endDateTime": "2024-11-24T18:24:49Z",
"key": null,
"keyId": "xxx",
"startDateTime": "2021-11-24T18:24:49Z",
"type": "AsymmetricX509Cert",
"usage": "Verify"
},
{
"customKeyIdentifier": "xxx",
"displayName": "CN=Microsoft Azure Federated SSO Certificate",
"endDateTime": "2024-11-24T18:24:49Z",
"key": null,
"keyId": "xxx",
"startDateTime": "2021-11-24T18:24:49Z",
"type": "AsymmetricX509Cert",
"usage": "Sign"
}
],
"oauth2PermissionScopes": [
{
"adminConsentDescription": "Allow the application to access Twilio Flex testing on behalf of the signed-in user.",
"adminConsentDisplayName": "Access Twilio Flex testing",
"id": "xxx",
"isEnabled": true,
"type": "User",
"userConsentDescription": "Allow the application to access Twilio Flex testing on your behalf.",
"userConsentDisplayName": "Access Twilio Flex testing",
"value": "user_impersonation"
}
],
"passwordCredentials": [
{
"customKeyIdentifier": "xxx",
"displayName": "CN=Microsoft Azure Federated SSO Certificate",
"endDateTime": "2024-11-24T18:24:49Z",
"hint": null,
"keyId": "xxx",
"secretText": null,
"startDateTime": "2021-11-24T18:24:49Z"
}
],
"samlSingleSignOnSettings": {
"relayState": ""
}
}
]
}Run the following Graph Explorer query to retrieve your Application Entity ID. Make sure to:
- In the URL field, replace
<Your_App_Name>with a portion of your Enterprise app name on the URL field. For example, if your app name is “Twilio Flex”, you can enter “displayname:flex” as the “$search” query parameter value. - Click on the Request headers tab to add the key-value pair.
Example Request
HTTP method: GET
API version: v1.0
Endpoint URL: https://graph.microsoft.com/v1.0/applications
- Click Run query and in the JSON response, look for the array object whose "displayName" value matches your Enterprise Application name.
- Copy the "id" value and paste it somewhere you can reference it.
Example Response
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#applications",
"value": [
{
"id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"deletedDateTime": null,
"appId": "xxx",
"applicationTemplateId": "xxx",
"disabledByMicrosoftStatus": null,
"createdDateTime": "2021-10-28T15:46:08Z",
"displayName": "Flex 2",
"description": null,
"groupMembershipClaims": null,
"identifierUris": [],
"isDeviceOnlyAuthSupported": null,
"isFallbackPublicClient": false,
"notes": null,
"publisherDomain": "usertwilio.onmicrosoft.com",
"signInAudience": "AzureADMyOrg",
"tags": [],
"tokenEncryptionKeyId": null,
"defaultRedirectUri": null,
"certification": null,
"optionalClaims": null,
"addIns": [],
"api": {
"acceptMappedClaims": null,
"knownClientApplications": [],
"requestedAccessTokenVersion": null,
"oauth2PermissionScopes": [
{
"adminConsentDescription": "Allow the application to access Flex 2 on behalf of the signed-in user.",
"adminConsentDisplayName": "Access Flex 2",
"id": "xxx",
"isEnabled": true,
"type": "User",
"userConsentDescription": "Allow the application to access Flex 2 on your behalf.",
"userConsentDisplayName": "Access Flex 2",
"value": "user_impersonation"
}
],
"preAuthorizedApplications": []
},
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"description": "User",
"displayName": "User",
"id": "18d14569-c3bd-439b-9a66-3a2aee01d14f",
"isEnabled": true,
"origin": "Application",
"value": null
},
{
"allowedMemberTypes": [
"User"
],
"description": "msiam_access",
"displayName": "msiam_access",
"id": "xxx",
"isEnabled": true,
"origin": "Application",
"value": null
}
],
"info": {
"logoUrl": null,
"marketingUrl": null,
"privacyStatementUrl": null,
"supportUrl": null,
"termsOfServiceUrl": null
},
"keyCredentials": [],
"parentalControlSettings": {
"countriesBlockedForMinors": [],
"legalAgeGroupRule": "Allow"
},
"passwordCredentials": [],
"publicClient": {
"redirectUris": []
},
"requiredResourceAccess": [],
"verifiedPublisher": {
"displayName": null,
"verifiedPublisherId": null,
"addedDateTime": null
},
"web": {
"homePageUrl": "https://account.activedirectory.windowsazure.com:444/applications/default.aspx?metadata=customappsso|ISV9.1|primary|z",
"logoutUrl": null,
"redirectUris": [],
"implicitGrantSettings": {
"enableAccessTokenIssuance": false,
"enableIdTokenIssuance": true
}
},
"spa": {
"redirectUris": []
}
},
{
"id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"deletedDateTime": null,
"appId": "xxx",
"applicationTemplateId": "xxx",
"disabledByMicrosoftStatus": null,
"createdDateTime": "2021-11-24T18:17:09Z",
"displayName": "Twilio Flex",
"description": null,
"groupMembershipClaims": null,
"identifierUris": [
"https://iam.twilio.com/v1/Accounts/ACXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/saml2/metadata"
],
"isDeviceOnlyAuthSupported": null,
"isFallbackPublicClient": false,
"notes": null,
"publisherDomain": "mbermudeztwilio.onmicrosoft.com",
"signInAudience": "AzureADMyOrg",
"tags": [],
"tokenEncryptionKeyId": null,
"defaultRedirectUri": null,
"certification": null,
"optionalClaims": null,
"addIns": [],
"api": {
"acceptMappedClaims": null,
"knownClientApplications": [],
"requestedAccessTokenVersion": null,
"oauth2PermissionScopes": [
{
"adminConsentDescription": "Allow the application to access Twilio Flex on behalf of the signed-in user.",
"adminConsentDisplayName": "Access Twilio Flex",
"id": "xxx",
"isEnabled": true,
"type": "User",
"userConsentDescription": "Allow the application to access Twilio Flex on your behalf.",
"userConsentDisplayName": "Access Twilio Flex",
"value": "user_impersonation"
}
],
"preAuthorizedApplications": []
}
...
}
]
}Create Azure AD Extension Property
In this section, we're going to create an extended (custom) property for the Enterprise Application that we can then populate for our target Flex users.
Run the following Graph Explorer query. Make sure to:
- In the URL field, replace
<Application_Entity_ID>with the application entity ID you noted earlier. - Click on the Request body tab to add the JSON in the Request body field. Replace
<Property_Name>with the name you want to use for the extension.
Example Request
HTTP method: POST
API version: v1.0
Endpoint URL: https://graph.microsoft.com/v1.0/applications/<Application_Entity_ID>/extensionProperties
Request body:
{
"name": "<Property_Name>",
"dataType": "String",
"targetObjects": ["User"]
}
Click Run query and in the JSON response, copy and paste the “name” value of the new extension property for reference in later steps. It will be in the format “extension_<App_ID>_<Property_Name>”.
Example Response
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#applications('xxx')/extensionProperties/$entity",
"id": "xxx",
"deletedDateTime": null,
"appDisplayName": "Twilio Flex testing",
"dataType": "String",
"isSyncedFromOnPremises": false,
"name": "extension_xxx_language",
"targetObjects": [
"User"
]
}Populate Extension Property on Azure AD User
Now that we have an extension property created, let’s add it to a user.
Run the following Graph Explorer query. Make sure to:
- In the URL field, you can pass either the user ID or the user principal name (UPN). Replace
<ID | UserPrincipalName>with either the object ID or the UPN of the Azure AD user you want to update. - Click on the Request body tab to add the JSON in the Request body field.
- Replace
<extension_<App_ID>_<Property_Name>with the name of the extension property created in the previous step. - Replace "My Custom Value" with the value you want to assign to this property.
- Replace
Example Request
HTTP method: PATCH
API version: v1.0
Endpoint URL: https://graph.microsoft.com/v1.0/users/<ID | UserPrincipalName>
Request body:
{
"extension_<App_ID>_<Property_Name>": "My Custom Value"
}
Click Run query.
Example Response
204 {}To confirm the user was updated successfully, run the following query.
Example Request
HTTP method: GET
API version: beta
Endpoint URL: https://graph.microsoft.com/beta/users/<ID | UserPrincipalName>
In the JSON response, you should see the new extension property and assigned value in the user’s properties.
Example Response
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#users/$entity",
"id": "xxxx",
"deletedDateTime": null,
"accountEnabled": true,
"ageGroup": null,
"businessPhones": [],
"city": null,
"createdDateTime": "2021-11-19T06:55:28Z",
"creationType": null,
"companyName": null,
"consentProvidedForMinor": null,
"country": null,
"department": null,
"displayName": "Test User",
"employeeId": null,
"employeeHireDate": null,
"employeeType": null,
"faxNumber": null,
"givenName": "Test",
"imAddresses": [],
"infoCatalogs": [],
"isManagementRestricted": null,
"isResourceAccount": null,
"jobTitle": null,
"legalAgeGroupClassification": null,
"mail": null,
"mailNickname": "testuser",
"mobilePhone": null,
"onPremisesDistinguishedName": null,
"officeLocation": null,
"onPremisesDomainName": null,
"onPremisesImmutableId": null,
"onPremisesLastSyncDateTime": null,
"onPremisesSecurityIdentifier": null,
"onPremisesSamAccountName": null,
"onPremisesSyncEnabled": null,
"onPremisesUserPrincipalName": null,
"otherMails": [],
"passwordPolicies": null,
"postalCode": null,
"preferredDataLocation": null,
"preferredLanguage": null,
"proxyAddresses": [],
"refreshTokensValidFromDateTime": "2021-11-24T19:10:02Z",
"showInAddressList": null,
"signInSessionsValidFromDateTime": "2021-11-24T19:10:02Z",
"state": null,
"streetAddress": null,
"surname": "User",
"usageLocation": null,
"userPrincipalName": "testuser@admintwilio.onmicrosoft.com",
"externalUserState": null,
"externalUserStateChangeDateTime": null,
"userType": "Member",
"extension_xxx_language": "Russian",
"employeeOrgData": null,
"passwordProfile": null,
"assignedLicenses": [],
"assignedPlans": [],
"deviceKeys": [],
"identities": [
{
"signInType": "userPrincipalName",
"issuer": "admintwilio.onmicrosoft.com",
"issuerAssignedId": "testuser@admintwilio.onmicrosoft.com"
}
],
"onPremisesExtensionAttributes": {
"extensionAttribute1": null,
"extensionAttribute2": null,
"extensionAttribute3": null,
"extensionAttribute4": null,
"extensionAttribute5": null,
"extensionAttribute6": null,
"extensionAttribute7": null,
"extensionAttribute8": null,
"extensionAttribute9": null,
"extensionAttribute10": null,
"extensionAttribute11": null,
"extensionAttribute12": null,
"extensionAttribute13": null,
"extensionAttribute14": null,
"extensionAttribute15": null
},
"onPremisesProvisioningErrors": [],
"provisionedPlans": []
}
If you don’t change the API version to beta, you’ll only get a handful of user properties instead of the full list.
Create a Claims Mapping Policy
We can now create our claims mapping policy. For an example claim definition and a walkthrough of its key configuration properties, see "Example Claims Policy Definition".
Run the following Graph Explorer query. Make sure to:
- Click on the Request body tab and enter the JSON in the Request body field. Make the following changes:
- Replace the
<Claim_Policy_Name>with the name you want to use for this policy. - Replace the example escaped and minified JSON with your claims policy definition. On your definition, make sure to:
- Replace the
Example Request
HTTP method: POST
API version: v1.0
Endpoint URL: https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies
Request body:
{
"definition": [
"{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\",\"ClaimsSchema\":[{\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\"},{\"Source\":\"user\",\"ID\":\"displayname\",\"SamlClaimType\":\"full_name\"},{\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\":\"roles\"},{\"Source\":\"user\",\"ID\":\"mail\",\"SamlClaimType\":\"email\"},{\"Source\":\"user\",\"ExtensionID\":\"extension_<App_ID>_<Property_Name>\",\"SamlClaimType\":\"<Claim_Attribute_Name>\"}]}}"
],
"displayName": "<Claim_Policy_Name>",
"isOrganizationDefault": false
}Click Run query. In the JSON response, copy the claims mapping policy "id" value and paste it somewhere you can reference it.
Example Response
201 Created
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#policies/claimsMappingPolicies/$entity",
"id": "xxx",
"deletedDateTime": null,
"definition": [
"{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\",\"ClaimsSchema\":[{\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\"},{\"Source\":\"user\",\"ID\":\"displayname\",\"SamlClaimType\":\"full_name\"},{\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\":\"roles\"},{\"Source\":\"user\",\"ID\":\"mail\",\"SamlClaimType\":\"email\"},{\"Source\":\"user\",\"ExtensionID\":\"extension_xxx_exampleproperty\",\"SamlClaimType\":\"exampleclaimattribute\"}]}}"
],
"displayName": "Example Claim Policy Name",
"isOrganizationDefault": false
}Assign Claims Mapping Policy to Application
Finally, we can assign the Claims Mapping Policy we just created to your Enterprise Application.
Once you assign a Claims Mapping Policy to an Enterprise Application using Graph API or Powershell, you can no longer manage SAML claims in the Azure AD portal. Accessing the SAML claims configuration page in the Azure AD portal will result in the following error message:
"This configuration was overwritten by a claim mapping policy created via Graph/PowerShell."
Run the following Graph Explorer query. Make sure to:
- Replace
<Service_Principal_Entity_ID>with your previously retrieved Service Principal Entity ID from the "Gather supporting IDs" section. - Click on the Request body tab to add the JSON in the Request body field.
- Replace
<Claims_Mapping_Policy_ID>with the ID you noted previously.
- Replace
Example Request
HTTP method: POST
API version: v1.0
Endpoint URL: https://graph.microsoft.com/v1.0/servicePrincipals/<Service_Principal_Entity_ID>/claimsMappingPolicies/$ref
Request body:
{
"@odata.id": "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/<Claims_Mapping_Policy_ID>"
}
- Click Run query and in the JSON response, look for the array object whose "appDisplayName" value matches your Enterprise Application name.
- Copy the "id" value and paste it somewhere you can reference it.
Example Response
204 {}Test New Claims Mapping Policy
With all of the above sections completed, you are now ready to login to Flex and test the new claims mapping policy.
- Navigate to the Flex Console Single Sign-on settings page.
- When redirected to Azure AD for authentication, log in with the AD user account you assigned the extension property to previously in this guide.
- After logging in and the Flex UI has loaded, check the TaskRouter worker attributes in the Twilio Console ( TaskRouter -> Workspace -> Workers).
If you’re seeing all the expected attributes you've defined in the Claims Mapping Policy, you have successfully configured your custom claims.
If any attributes are missing, examine the SAML response payload after authenticating to Azure AD. Ensure all the attributes are included, and that they have values, and that the “Name” parameter is correct for each of them.
As explained in the Twilio Flex Azure AD SSO guide, if the “Name” parameter on an attribute includes the namespace, it will be ignored. Double check your Claims Mapping Policy definition and ensure the "SamlClaimType" is defined without a namespace for each claim you want to be captured as a TaskRouter worker attribute.
Unassign Claims Mapping Policy from Application
If you no longer need or want to pass custom extension properties as SAML claims and you’d like to manage claims in the Azure AD portal, or you want to assign a different Claims Mapping Policy to your Enterprise application, you will need to unassign the current Claims Mapping Policy from the application.
Run the following Graph Explorer query. Make sure to:
- In the URL field, replace
<Service_Principal_Entity_ID>with your previously retrieved Service Principal Entity ID from the "Gather supporting IDs" section.
Example Request
HTTP method: DELETE
API version: v1.0
Endpoint URL: https://graph.microsoft.com/v1.0/servicePrincipals/<Service_Principal_Entity_ID>/claimsMappingPolicies/<Claims_Mapping_Policy_ID>/$ref
Click Run query.
Example Response
204 {}To verify there are no Claims Mapping Policies assigned to your application, run the following query using the same Service Principal Entity ID.
Example Request
HTTP method: GET
API version: 1.0
Endpoint URL: https://graph.microsoft.com/v1.0/servicePrincipals/<Service_Principal_Entity_ID>/claimsMappingPolicies
In the JSON response, the "value" property should now show an empty array.
Example Claims Policy Definition
For the claim definition JSON object in "Create a Claims Mapping Policy", let’s walk through an example definition and some key configuration properties.
For walkthrough purposes, we are displaying an unminified and unescaped claims policy definition. When creating a claims policy in Graph Explorer, you need to minify and escape the JSON object before adding it to the “definition” array. This removes traces of offending characters that could prevent parsing.
{
"ClaimsMappingPolicy": {
"Version": 1,
"IncludeBasicClaimSet": "true",
"ClaimsSchema": [
{
"Source": "user",
"ID": "userprincipalname",
"SamlClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
},
{
"Source": "user",
"ID": "displayname",
"SamlClaimType": "full_name"
},
{
"Source": "user",
"ID": "assignedroles",
"SamlClaimType": "roles"
},
{
"Source": "user",
"ID": "mail",
"SamlClaimType": "email"
}, {
"Source": "user",
"ExtensionID": "extension__",
"SamlClaimType": ""
}
]
}
}
}Let's take a look at the key properties in the example definition:
| Property | Description |
IncludeBasicClaimSet |
Controls whether all claims in the basic claim set are included in the token generated by applications using this policy. For more details, see Azure's documentation. |
ClaimsSchema |
Make sure to include the required attributes for Flex:
|
Need some help?
We all do sometimes; code is hard. Get help now from our support team, or lean on the wisdom of the crowd by visiting Twilio's Stack Overflow Collective or browsing the Twilio tag on Stack Overflow.
