diff --git a/docs/img/azuread/azuread-8c-usernameclaim.png b/docs/img/azuread/azuread-8c-usernameclaim.png index c4522140a05e5..884df14c9eca1 100644 Binary files a/docs/img/azuread/azuread-8c-usernameclaim.png and b/docs/img/azuread/azuread-8c-usernameclaim.png differ diff --git a/docs/pages/admin-guides/access-controls/sso/azuread.mdx b/docs/pages/admin-guides/access-controls/sso/azuread.mdx index 44cd2ba25d8fa..49f395f6e1377 100644 --- a/docs/pages/admin-guides/access-controls/sso/azuread.mdx +++ b/docs/pages/admin-guides/access-controls/sso/azuread.mdx @@ -92,14 +92,18 @@ Before you get started, you’ll need: ![Put in Security group claim](../../../../img/azuread/azuread-8b-groupclaim.png) -1. Add a claim that transforms the format of the Azure AD username to lower case, in order to pass it to - Teleport. Set the Source to "Transformation". In the new panel: +1. (optional) Add a claim that transforms the format of the Azure AD username to lower case, in order to use it inside + Teleport roles as the `{{external.username}}` property. + + Set the Source to "Transformation". In the new panel: - Set the Transformation value to "Extract()" - Set the Attribute name to `user.userprincipalname`. - - Set the Value to `ToLowercase()`. + - Set the Value to `@`. + + - Click "Add Transformation" and set the Transformation to `ToLowercase()`. ![Add a transformed username](../../../../img/azuread/azuread-8c-usernameclaim.png)
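Review bot: The rewritten step 1 in azuread.mdx sets "Extract()" on `user.userprincipalname` with Value `@` and then `ToLowercase()`, but it never says which part of the UPN ends up in the claim, so someone writing roles against `{{external.username}}` cannot tell what string to expect. Suggest adding one sentence that shows the resulting value for a sample UPN. If the domain part is dropped, also note that users with the same local part in different domains would resolve to the same `{{external.username}}`. Minor: capitalize "(optional)" since it opens the list item, and check that the blank line added before `- Click "Add Transformation"` does not split the bullet list when rendered.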