Claim rules for Azure AD federation trust

Hey folks!

First and foremost, thanks for the feedback that is coming through, it is super helpful. Please keep it coming.

In today’s post, I am going to talk about the changes we have done to the Azure AD Claims tool on AD FS Help. Azure AD Connect is the tool recommended for managing your federation trust between AD FS and Azure AD. The AD FS team at Microsoft keeps on improving the management feature of federation trust in Azure AD Connect to make sure it is robust and up-to-date w.r.t. the latest guidelines and features. One of the key aspects is the required set of claim rules on the federation trust. Azure AD Connect makes sure the claim rules and settings of the federation trust between Azure AD and AD FS are always in compliance with the latest guidelines.

If for some very compelling reason you cannot manage your federation trust with Azure AD Connect, you can now use Azure AD Claims to generate the right set of claim rules for your federation trust. Whether you are setting up a new federation trust, re-creating or repairing, you can use the tool to ensure you have the same set of claim rules as Azure AD Connect provides.

With the latest changes to the Azure AD Claims tool, you can choose the sourceAnchor and userprincipalname similar to the options you get in Azure AD Connect.



Apart from the sourceAnchor and alternateID scenario, one of the most error-prone areas is getting the claim rules right in a multi-domain federation scenario. Again, Azure AD Connect takes care of the multi-domain federation and claims required when you manage your federation trust with it. Coming back to Azure AD Claims, the AD FS Help has now made it super easy to provide input about your federated domains. Simply copy the PowerShell script provided and upload the resulting CSV to AD FS Help. As soon as you upload the CSV, a table will list the domains and you can edit the list of domains as required:



Click on Generate Claims will generate the required claims tailored to your configuration as per the input provided.


The output is divided into 3 parts for your reference:

  1. IssuerID Regex: if this is the only part you are trying to confirm in case of multiple domain federation, this is the only info you are looking for.
  2. PowerShell for Claims: Easy PowerShell script for setting the resulting claims on federation trust in your environment.
  3. Claim Rules: Individual claim rules listed for easy reference.

Super cool right? Try it out and provide your feedback.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s