How do I add claims from my custom claims provider to Entra External ID/Azure AD access tokens?
I have added a custom claims provider API (following these articles: https://learn.microsoft.com/en-us/azure/active-directory/external-identities/customers/concept-custom-extensions and https://learn.microsoft.com/en-us/azure/active-directory/develop/custom-extension-get-started) to add a few claims from an external system to access tokens. The problem is that only these custom claims only gets added to the ID tokens and not the access tokens returned.
I am using a new Entra External Identities for Customers tenant, that I set up a few weeks ago, and I'm fairly new to authentication and authorization, so I'm not sure that my expectation of being able to add custom claims to the access token is feasible. It is however needed for my use case where I have to consider decisions being made a long time ago.
I've tried using both the sample SPA sign-in and device code flow samples, but neither of them have the custom claims in the access token, only in the ID token.
Earlier this year, I'm fairly certain I managed to add custom claims to access tokens using Azure AD B2C API Connectors (https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-api-connector-token-enrichment). Maybe I will have to use that approach instead.
I created a Function app, created an HTTPS trigger function, and edited the code like below:
Created a custom extension:
Registered Azure AD Application:
Configured the custom claims in the Enterprise Application:
I used an implicit grant flow to generate tokens:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?client_id=ClientID&response_type=id_token+token&redirect_uri=https://jwt.ms&scope=openid&state=12345&nonce=12345
The claims displayed in the ID token but when I checked the access token, claims are not displayed:
How do I add claims from my custom claims provider to Entra External ID/Azure AD access tokens?
To get the custom claims in the access token, you must generate the access token for your own application. The access token generated for other API such as Microsoft Graph, SharePoint etc. doesn't contain the custom claims. Refer to this Microsoft Docs page for more information.
Hence to get the custom claims in the access token, I exposed an API in the Azure AD Application like below:
Grant API permissions:
Now I generated tokens by passing the scope as api://ClientID/.default openid:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?client_id=ClientID&response_type=id_token+token&redirect_uri=https://jwt.ms&scope=api://ClientID/.default openid&state=12345&nonce=12345
Now when I decoded access token and ID token custom claims are displayed successfully:
Access Token:
ID Token:
- Azure ClientCertificateCredential - Using SNI
- Entra ID Schema Extension with custom Namespace
- MSAL Node service & The Partner Center API
- KeyCloak Integration with Azure B2C UserName Mapping Issue
- Generate token fails for Azure app which is both client and API (client credentials workflow)
- Authenticating to Sharepoint Online Site via React SPA in MS Teams personal Tab
- Login failed for user '<token-identified principal>' while authorizing to SQL Server via Service Principal from AAD group assigned
- MSAL library fails to parse token in Chromium based browsers
- Office 365 Exchange Online permission is not visible for registered application in azure active directory
- Azure B2C IdP-Access Token fails with IDX10511: Signature validation failed
- EntraID: how to pass application roles downstream
- During signIn receiving B2C error code ‘AADB2C99059’
- How can I read local MS Teams status
- How to find the tenant where a multi-tenant AAD application was registered
- Azure AD permissions for MS Forms
- ASP.NET Core app running on IIS gives Http Error 401.2-Unauthorize
- Azure Active Directory skip account selection on logout
- Azure active directory - Get access token using Azure CLI
- How to do azure single sign on with next.js 14 and App Router
- Azure B2C / WPF - Handling a failed MFA verification flow
- How do I display Job Title in my Next Auth app
- Login failed for user identified principal
- What does "grant admin consent" button do in azure Azure Active Directory application?
- Azure AD Graph API or Powershell Graph: Gathering all the assigned roles that are associated to a group
- Azure AD user unable to connect to Azure SQL Error: 18456,State:1,Class:14
- Is there a way to add the sam_account_name of a user in the id_token claims?
- No users to select from the list in Azure Role assignments using Resource Group Owner
- Azure pipelines cannot connect to Azure SQL via AD/Entra using a custom console application
- "AADSTS900144: The request body must contain the following parameter: 'grant_type'.?
- Configuring spring-boot-starter-oauth2-client to authenticate with Azure AD