使用 Microsoft Graph 中的声明映射策略自定义声明

2025-07-24

可以添加额外的用户属性来访问令牌，以帮助应用做出更好的授权决策。本文介绍如何使用 Microsoft Graph API 创建和分配声明映射策略，添加自定义声明以访问令牌，以及验证令牌中的自定义声明。

先决条件

若要完成本教程，需要：

访问图形资源管理器等 API 客户端，使用具有应用程序管理员角色的 Microsoft Entra 帐户登录，并授予以下委派权限：Policy.Read.All、Policy.ReadWrite.ApplicationConfiguration 和 Application.ReadWrite.All。
要向其分配声明映射策略的客户端服务主体。
公开 API 的资源服务主体。

创建声明映射策略

此策略将 department 用户对象的声明添加到令牌。

请求

POST https://graph.microsoft.com/beta/policies/claimsMappingPolicies
Content-type: application/json

{
 "definition": [
   "{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\",\"ClaimsSchema\":[{\"Source\":\"user\",\"ID\":\"department\",\"JwtClaimType\":\"department\"}]}}"
 ],
 "displayName": "ExtraClaimsTest"
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Beta.Models;

var requestBody = new ClaimsMappingPolicy
{
	Definition = new List<string>
	{
		"{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\",\"ClaimsSchema\":[{\"Source\":\"user\",\"ID\":\"department\",\"JwtClaimType\":\"department\"}]}}",
	},
	DisplayName = "ExtraClaimsTest",
};

// To initialize your graphClient, see https://free.blessedness.top/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Policies.ClaimsMappingPolicies.PostAsync(requestBody);



// Code snippets are only available for the latest major version. Current major version is $v0.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewClaimsMappingPolicy()
definition := []string {
	"{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\",\"ClaimsSchema\":[{\"Source\":\"user\",\"ID\":\"department\",\"JwtClaimType\":\"department\"}]}}",
}
requestBody.SetDefinition(definition)
displayName := "ExtraClaimsTest"
requestBody.SetDisplayName(&displayName) 

// To initialize your graphClient, see https://free.blessedness.top/en-us/graph/sdks/create-client?from=snippets&tabs=go
claimsMappingPolicies, err := graphClient.Policies().ClaimsMappingPolicies().Post(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

ClaimsMappingPolicy claimsMappingPolicy = new ClaimsMappingPolicy();
LinkedList<String> definition = new LinkedList<String>();
definition.add("{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\",\"ClaimsSchema\":[{\"Source\":\"user\",\"ID\":\"department\",\"JwtClaimType\":\"department\"}]}}");
claimsMappingPolicy.setDefinition(definition);
claimsMappingPolicy.setDisplayName("ExtraClaimsTest");
ClaimsMappingPolicy result = graphClient.policies().claimsMappingPolicies().post(claimsMappingPolicy);


const options = {
	authProvider,
};

const client = Client.init(options);

const claimsMappingPolicy = {
 definition: [
   '{\"ClaimsMappingPolicy\':{\'Version\':1,\'IncludeBasicClaimSet\':\'true\",\"ClaimsSchema\':[{\'Source\':\'user\",\"ID\':\'department\",\"JwtClaimType\':\"department\"}]}}"
 ],
 displayName: 'ExtraClaimsTest'
};

await client.api('/policies/claimsMappingPolicies')
	.version('beta')
	.post(claimsMappingPolicy);


<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\ClaimsMappingPolicy;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new ClaimsMappingPolicy();
$requestBody->setDefinition(['{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\",\"ClaimsSchema\":[{\"Source\":\"user\",\"ID\":\"department\",\"JwtClaimType\":\"department\"}]}}', 	]);
$requestBody->setDisplayName('ExtraClaimsTest');

$result = $graphServiceClient->policies()->claimsMappingPolicies()->post($requestBody)->wait();


Import-Module Microsoft.Graph.Beta.Identity.SignIns

$params = @{
	definition = @(
	'{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true","ClaimsSchema":[{"Source":"user","ID":"department","JwtClaimType":"department"}]}}'
)
displayName = "ExtraClaimsTest"
}

New-MgBetaPolicyClaimMappingPolicy -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.claims_mapping_policy import ClaimsMappingPolicy
# To initialize your graph_client, see https://free.blessedness.top/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ClaimsMappingPolicy(
	definition = [
		"{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\",\"ClaimsSchema\":[{\"Source\":\"user\",\"ID\":\"department\",\"JwtClaimType\":\"department\"}]}}",
	],
	display_name = "ExtraClaimsTest",
)

result = await graph_client.policies.claims_mapping_policies.post(request_body)

响应

记录响应中的 ID，以便本文稍后使用。

HTTP/1.1 201 Created
Content-type: application/json

{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#policies/claimsMappingPolicies/$entity",
  "id": "06d5d20d-2955-45f8-a15d-cf2f434b8116",
  "deletedDateTime": null,
  "definition": [
      "{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\",\"ClaimsSchema\":[{\"Source\":\"user\",\"ID\":\"department\",\"JwtClaimType\":\"department\"}]}}"
  ],
  "displayName": "ExtraClaimsTest",
  "isOrganizationDefault": false
}

还可以向策略添加多个属性。以下示例将和 companyname 声明添加到department令牌。

{
  "definition": [
        "{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\",\"ClaimsSchema\":[{\"Source\":\"user\",\"ID\":\"department\",\"JwtClaimType\":\"department\"},{\"Source\":\"user\",\"ID\":\"companyname\",\"JwtClaimType\":\"companyname\"}]}}"
    ],
 "displayName": "ExtraClaimsTest"
}

将策略分配给资源服务主体

以下请求将声明映射策略分配给服务主体。成功的响应将 204 No Content返回。

POST https://graph.microsoft.com/v1.0/servicePrincipals/3bdbbc1a-5e94-4c2b-895f-231d8af4beee/claimsMappingPolicies/$ref
Content-type: application/json

{
 "@odata.id": "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/06d5d20d-2955-45f8-a15d-cf2f434b8116"
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new ReferenceCreate
{
	OdataId = "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/06d5d20d-2955-45f8-a15d-cf2f434b8116",
};

// To initialize your graphClient, see https://free.blessedness.top/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
await graphClient.ServicePrincipals["{servicePrincipal-id}"].ClaimsMappingPolicies.Ref.PostAsync(requestBody);



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewReferenceCreate()
odataId := "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/06d5d20d-2955-45f8-a15d-cf2f434b8116"
requestBody.SetOdataId(&odataId) 

// To initialize your graphClient, see https://free.blessedness.top/en-us/graph/sdks/create-client?from=snippets&tabs=go
graphClient.ServicePrincipals().ByServicePrincipalId("servicePrincipal-id").ClaimsMappingPolicies().Ref().Post(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

com.microsoft.graph.models.ReferenceCreate referenceCreate = new com.microsoft.graph.models.ReferenceCreate();
referenceCreate.setOdataId("https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/06d5d20d-2955-45f8-a15d-cf2f434b8116");
graphClient.servicePrincipals().byServicePrincipalId("{servicePrincipal-id}").claimsMappingPolicies().ref().post(referenceCreate);


const options = {
	authProvider,
};

const client = Client.init(options);

const claimsMappingPolicy = {
 '@odata.id': 'https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/06d5d20d-2955-45f8-a15d-cf2f434b8116'
};

await client.api('/servicePrincipals/3bdbbc1a-5e94-4c2b-895f-231d8af4beee/claimsMappingPolicies/$ref')
	.post(claimsMappingPolicy);


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\ReferenceCreate;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new ReferenceCreate();
$requestBody->setOdataId('https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/06d5d20d-2955-45f8-a15d-cf2f434b8116');

$graphServiceClient->servicePrincipals()->byServicePrincipalId('servicePrincipal-id')->claimsMappingPolicies()->ref()->post($requestBody)->wait();


Import-Module Microsoft.Graph.Applications

$params = @{
	"@odata.id" = "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/06d5d20d-2955-45f8-a15d-cf2f434b8116"
}

New-MgServicePrincipalClaimMappingPolicyByRef -ServicePrincipalId $servicePrincipalId -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.reference_create import ReferenceCreate
# To initialize your graph_client, see https://free.blessedness.top/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ReferenceCreate(
	odata_id = "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/06d5d20d-2955-45f8-a15d-cf2f434b8116",
)

await graph_client.service_principals.by_service_principal_id('servicePrincipal-id').claims_mapping_policies.ref.post(request_body)

在资源应用程序对象中启用映射声明

更新应用程序对象以接受映射声明并使用访问令牌版本 2。成功的响应将 204 No Content返回。

PATCH https://graph.microsoft.com/v1.0/applications/3dfbe85f-2d14-4660-b1a2-cb9c633ceebb
Content-type: application/json

{
  "api": {
    "acceptMappedClaims": true,
    "requestedAccessTokenVersion": 2
  }
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new Application
{
	Api = new ApiApplication
	{
		AcceptMappedClaims = true,
		RequestedAccessTokenVersion = 2,
	},
};

// To initialize your graphClient, see https://free.blessedness.top/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Applications["{application-id}"].PatchAsync(requestBody);



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewApplication()
api := graphmodels.NewApiApplication()
acceptMappedClaims := true
api.SetAcceptMappedClaims(&acceptMappedClaims) 
requestedAccessTokenVersion := int32(2)
api.SetRequestedAccessTokenVersion(&requestedAccessTokenVersion) 
requestBody.SetApi(api)

// To initialize your graphClient, see https://free.blessedness.top/en-us/graph/sdks/create-client?from=snippets&tabs=go
applications, err := graphClient.Applications().ByApplicationId("application-id").Patch(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

Application application = new Application();
ApiApplication api = new ApiApplication();
api.setAcceptMappedClaims(true);
api.setRequestedAccessTokenVersion(2);
application.setApi(api);
Application result = graphClient.applications().byApplicationId("{application-id}").patch(application);


const options = {
	authProvider,
};

const client = Client.init(options);

const application = {
  api: {
    acceptMappedClaims: true,
    requestedAccessTokenVersion: 2
  }
};

await client.api('/applications/3dfbe85f-2d14-4660-b1a2-cb9c633ceebb')
	.update(application);


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\Application;
use Microsoft\Graph\Generated\Models\ApiApplication;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new Application();
$api = new ApiApplication();
$api->setAcceptMappedClaims(true);
$api->setRequestedAccessTokenVersion(2);
$requestBody->setApi($api);

$result = $graphServiceClient->applications()->byApplicationId('application-id')->patch($requestBody)->wait();


Import-Module Microsoft.Graph.Applications

$params = @{
	api = @{
		acceptMappedClaims = $true
		requestedAccessTokenVersion = 2
	}
}

Update-MgApplication -ApplicationId $applicationId -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.application import Application
from msgraph.generated.models.api_application import ApiApplication
# To initialize your graph_client, see https://free.blessedness.top/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = Application(
	api = ApiApplication(
		accept_mapped_claims = True,
		requested_access_token_version = 2,
	),
)

result = await graph_client.applications.by_application_id('application-id').patch(request_body)

测试访问令牌

在允许你遵循 Microsoft 标识平台和 OAuth 2.0 授权代码流的 API 客户端中，获取访问令牌。在 scope 参数中，包括资源服务主体公开的范围之一，例如 openid profile email scope-defined-by-your-api ，可能为 scope-defined-by-your-apiapi://00001111-aaaa-2222-bbbb-3333cccc4444/test。

使用 jwt.ms 解码访问令牌。声明 department 应出现在令牌中。

清理资源

若要从服务主体取消分配声明映射策略，请使用以下请求。成功的响应将 204 No Content返回。

DELETE https://graph.microsoft.com/v1.0/servicePrincipals/3bdbbc1a-5e94-4c2b-895f-231d8af4beee/claimsMappingPolicies//06d5d20d-2955-45f8-a15d-cf2f434b8116/$ref

反馈

此页面是否有帮助？