Start using Claims X-Ray with Azure AD

Dusting this thing off to share a quick tip for Single Sign-On work. For a while now I’ve been a proponent of using Claims X-Ray for interrogating/troubleshooting AD FS Claims. The tool was created by the AD FS / Azure AD team, and I have always found it to be a massive help. However, I had never tried using it with Azure AD, and it isn’t really presented as a tool that you would use with Azure AD. Ultimately there is no reason you can’t, though, and I am finding it just as useful as I do with AD FS (if not more so). When I say “more so”, consider that many attributes are not easily discoverable in the interface, in PowerShell, or with Graph queries. Even attributes as important as user.onPremisesSamAccountName are quite hard to find unless you know the Graph syntax, so in some cases it may be simplest to add an unknown Claim to Claims X-Ray and interrogate away.

Here’s a view of my configuration. It will literally take two minutes (by which I mean 4 minutes and 24 seconds in the first empirical data to arrive) to deploy in your labs, and there is no reason not to target it at All Users, since it only unveils their own data.

Navigate to Enterprise Applications in Azure AD

Add a Non-Gallery Application, and name it “Claims X-Ray”, or whatever you like.

Configure Single Sign-On

Configure SAML

Extract the Redirect URL and Identifier from the Claims X-Ray site

Open the Basic SAML configuration options

Paste in the Identifier from Claims X-Ray as Identifier (Entity ID). Paste in the Redirect URL as Reply URL (Assertion Consumer Service URL)

When this is Saved successfully, do not choose the testing option yet, as the application hasn’t been assigned.

Add All Users (or whichever Group you would like to target). Personally, I see little reason to target this narrowly in a test environment.

Test the application from the My Apps portal.

That’s it! You will see a response like this in the default configuration.

And you can even view the Raw token data if you need to look at things like the token format, etc.
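To make the raw token view concrete, here is an added example (not part of the original post, and not Claims X-Ray's own code) that decodes a base64 SAMLResponse and lists the claims in its assertion. The sample response, tenant GUID, user, audience and the samaccountname claim URI are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response (unsigned, made-up tenant and user values).
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Assertion>
  <saml:Issuer>https://sts.example.test/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>urn:example:claims-viewer</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="http://schemas.example.test/claims/samaccountname"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"><saml:AttributeValue>g1</saml:AttributeValue><saml:AttributeValue>g2</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

def _text(node, path):
    found = node.find(path, NS)
    return found.text.strip() if found is not None and found.text else None

def read_claims(saml_response_b64):
    """Decode a POST-binding SAMLResponse and return its identity data.
    Inspection only: no signature, time or audience validation is done."""
    xml_bytes = base64.b64decode(saml_response_b64)
    root = ET.fromstring(xml_bytes)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # e.g. an error Response, or an EncryptedAssertion we cannot read
        raise ValueError("no cleartext Assertion in response")
    claims = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        claims.setdefault(attr.get("Name"), []).extend(values)
    return {"issuer": _text(assertion, "saml:Issuer"),
            "name_id": _text(assertion, "saml:Subject/saml:NameID"),
            "audience": _text(assertion, "saml:Conditions/saml:AudienceRestriction/saml:Audience"),
            "claims": claims}

if __name__ == "__main__":
    for name, values in read_claims(SAMPLE_B64)["claims"].items():
        print(name, "=", values)
```

The returned audience is the value to compare against the Identifier (Entity ID) entered in the Basic SAML configuration when a claim does not show up as expected.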

Hope this helps! In my view this should become a standard part of anyone’s Azure AD test environment.
