SAML SSO, pass Restricted Claims
It would be good if you could specify a restricted claim to be passed to the relying party, such as isCompliant, etc., if a user is on a managed device. Clearly these claims should not be modifiable.
Hello – Thanks for your feedback. We’re currently considering this request.
As a workaround for emitting the ‘upn’ claim, you could use the Optional claim capability in App registration: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims#configuring-optional-claims
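As an added illustration of the workaround described in the reply above (this is not text or configuration from Microsoft or the original thread): the Optional claims feature is configured in the app registration's manifest under the `optionalClaims` object, which has separate lists for the OpenID Connect ID token, the access token and the SAML token. The fragment below requests `upn` in both the ID token and the SAML 2.0 token; everything other than the `optionalClaims` key is omitted, and the surrounding application manifest is assumed to already exist.

```json
{
  "optionalClaims": {
    "idToken": [
      {
        "name": "upn",
        "source": null,
        "essential": false,
        "additionalProperties": []
      }
    ],
    "accessToken": [],
    "saml2Token": [
      {
        "name": "upn",
        "source": null,
        "essential": false,
        "additionalProperties": []
      }
    ]
  }
}
```

Two practical notes: this only addresses the `upn` claim, so it does not surface device management or compliance state to the relying party; and the relying party must still validate the token signature and issuer before acting on the claim, since a claim is only as trustworthy as the token that carries it. For guest (B2B) users the `additionalProperties` list on the `upn` entry controls whether the externally authenticated UPN is emitted; see the linked optional-claims documentation for the exact property names.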
Why are they even restricted? Is there any reason? We want to replace ADFS with Azure AD ... but some apps process claims in that list.
Wally Juskevice commented
this would be useful
Lee, Matt (Wichita) commented
This would be super useful for us as well. We have apps downstream from AAD that need to know what the management and compliance state of the device is, and they expect to get that in the OpenID Connect ID token or SAML token.
We don't want to block our users from accessing the apps based upon the values, but we want the app to know what the state of the logged-in user's device is.