Tags: javascript, azure-active-directory, azure-ad-msal, azure-entra-id

Custom claims for user from any tenant


I am trying to get custom claims for any account (not just accounts in my Azure tenant). I am using the msal-node client.

When I log in directly into my tenant (notice that the authority 'https://login.microsoftonline.com/f7a9.... (tenant id)/oauth2/v2.0/' contains the tenant id), I get an ID token containing my two custom claims, account and userId:

Code:

// Imports added for completeness (assumed SvelteKit app, which is where
// `redirect`, `event` and `env` in the snippets below come from):
import { ConfidentialClientApplication } from '@azure/msal-node'
import { redirect } from '@sveltejs/kit'
import { env } from '$env/dynamic/private'

const msalApp = new ConfidentialClientApplication({
    auth: {
        clientId: '7eb... (app registration id)',
        // Tenant-specific authority: only accounts from this tenant can sign in
        authority: 'https://login.microsoftonline.com/f7a9... (tenant id)/oauth2/v2.0/',
        clientSecret: env.AZURE_CLIENT_SECRET,
    },
})

// ....... redirect to microsoft

const authCodeUrl = await msalApp.getAuthCodeUrl({
    scopes: ["openid"],
    redirectUri: env.AUTH_REDIRECT_URL!,
})
throw redirect(303, authCodeUrl)

// ....... callback code handling:

const code = event.url.searchParams.get('code')
const tokenRequest = {
    code,
    scopes: ["openid"],
    redirectUri: env.AUTH_REDIRECT_URL!,
}
// Exchange the authorization code for tokens; the ID token claims are in
// authenticationResult.idTokenClaims
const authenticationResult = await msalApp.acquireTokenByCode(tokenRequest)
console.log(authenticationResult)

Token:

idTokenClaims: {
    aud: '7eb....',
    iss: 'https://login.microsoftonline.com/f7a9.../v2.0',
    iat: 1716458530,
    nbf: 1716458530,
    exp: 1716462430,
    aio: 'AaQAW...',
    idp: 'https://sts.windows.net/9188040d.../',
    name: '...',
    oid: '...',
    preferred_username: '...',
    rh: '...',
    sub: '...',
    tid: '...',
    uti: '...',
    ver: '2.0',
    account: 'Test Account',
    userId: '1'
  },

The only problem is that I am not able to log in with an account from a different tenant.

I can fix this by using common authority:

authority: 'https://login.microsoftonline.com/common/oauth2/v2.0/',

instead of

authority: 'https://login.microsoftonline.com/f7a9... (tenant id)/oauth2/v2.0/',

but then my custom claims are not added.

How can I create an app registration that has custom claims and allows login from any tenant or personal Microsoft account? Is it even possible?

Info about my Azure app:

This is how I configured my app:

[screenshot: App configuration, not included]

I then followed the Microsoft guide on creating a custom claims provider.


Solution

  • If you want users from any tenant or personal Microsoft account users to log in, then you must configure the Microsoft Entra application by choosing the "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)" option.

    [screenshot not included]

  • Use the common endpoint to generate the token and authorize the users.

    Note that custom claims are, by default, tenant-specific. Therefore, if these claims are set up in the tenant A application, they will only be added for users from tenant A, not for users from other tenants.

  • Custom claims configured in one tenant may not be accessible in another tenant, as each tenant maintains its own set of claims and attribute mappings.

    Configured SAML claims:

    [screenshot not included]

    When signed in with the home tenant user, the claim is displayed like below:

    https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=ClientID&response_type=token&redirect_uri=https://jwt.ms&scope=api://xxxx/access_as_user&state=12345&nonce=12345

    [screenshot not included]

    When signed in with the other tenant user, the access token did not contain the SAML claim:

    [screenshot not included]

    Therefore, you must manually add the claims in the Enterprise application created in the other tenant, and this cannot be automated.

    Added the custom claim in the Enterprise application created in another tenant:

    [screenshot not included]

    The other tenant user's access token contains the SAML claim:

    [screenshot not included]
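The practical consequence of the answer is that, once the app uses the common authority, `idTokenClaims.account` and `idTokenClaims.userId` may simply be absent for users from other tenants, and the app must also decide for itself which tenants it serves. The following is an added example, not code from the question, the answer or msal-node, that classifies the claims object `acquireTokenByCode()` returns; it assumes an allow-list of tenant IDs and the two claim names from the question, and the sample claims are constructed placeholders.

```javascript
// Added example, not code from the question or answer: inspect the
// idTokenClaims object that msal-node's acquireTokenByCode() returns and
// decide what to do when the custom claims are absent, which is what
// happens for users from another tenant under the "common" authority.
// Assumed (not from the page): the app keeps an allow-list of tenant IDs it
// serves; the custom claims are `account` and `userId` as in the question.

const REQUIRED_CUSTOM_CLAIMS = ['account', 'userId'];

// Returns { ok, tenantId, reason, customClaims } and never throws, so the
// caller can choose between proceeding, a fallback lookup, or rejecting.
function classifyIdTokenClaims(claims, { homeTenantId, allowedTenantIds }) {
  const fail = (tenantId, reason) => ({ ok: false, tenantId, reason, customClaims: {} });
  if (!claims || claims.ver !== '2.0') return fail(null, 'unexpected token version');
  const tenantId = claims.tid;
  // Under the common authority the issuer is still per-tenant, so the app
  // itself must check that the token came from a tenant it wants to serve.
  if (!tenantId || claims.iss !== `https://login.microsoftonline.com/${tenantId}/v2.0`) {
    return fail(tenantId ?? null, 'issuer does not match tid');
  }
  if (!allowedTenantIds.includes(tenantId)) return fail(tenantId, 'tenant not allowed');
  const customClaims = {};
  const missing = [];
  for (const name of REQUIRED_CUSTOM_CLAIMS) {
    if (claims[name] === undefined) missing.push(name);
    else customClaims[name] = claims[name];
  }
  if (missing.length === 0) return { ok: true, tenantId, reason: 'custom claims present', customClaims };
  // Missing claims are expected for users whose tenant has not configured
  // them on its own enterprise application; say which case this is instead
  // of letting the caller crash on `claims.userId` being undefined.
  const reason = tenantId === homeTenantId
    ? `home-tenant user but claims missing: ${missing.join(', ')}`
    : `claims not configured in tenant ${tenantId}: ${missing.join(', ')}`;
  return { ok: false, tenantId, reason, customClaims };
}

// Constructed sample claims shaped like the idTokenClaims shown in the question.
const HOME_TENANT = 'f7a9-home-tenant-placeholder';
const OTHER_TENANT = 'b2c1-other-tenant-placeholder';
const homeUserClaims = {
  aud: 'app-id-placeholder', iss: `https://login.microsoftonline.com/${HOME_TENANT}/v2.0`,
  ver: '2.0', tid: HOME_TENANT, oid: 'user-a', account: 'Test Account', userId: '1',
};
const otherUserClaims = {
  aud: 'app-id-placeholder', iss: `https://login.microsoftonline.com/${OTHER_TENANT}/v2.0`,
  ver: '2.0', tid: OTHER_TENANT, oid: 'user-b',
};
const policy = { homeTenantId: HOME_TENANT, allowedTenantIds: [HOME_TENANT, OTHER_TENANT] };
console.log(classifyIdTokenClaims(homeUserClaims, policy).ok, classifyIdTokenClaims(otherUserClaims, policy).reason);
```

Wire `classifyIdTokenClaims(authenticationResult.idTokenClaims, policy)` into the callback handler right after `acquireTokenByCode()`, and route the `ok: false` cases to a directory lookup or a rejection rather than reading the claims directly.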