How can I add a custom attribute to the Entra ID access token?
I'm trying to add custom attributes to my authentication token but I'm running into an issue with adding custom attribute. I've tried the methods suggested in:
- Issue to add custom claim "samaccountname" into azure ad
- Issue to add custom claim "samaccountname" into azure ad
- https://learn.microsoft.com/en-us/entra/external-id/customers/how-to-add-attributes-to-token
but no luck.
I'm using Postman with this API:
https://login.microsoftonline.com/<tenand-id>/oauth2/v2.0/token
with payload:
grant_type:password
client_id:****
scope:https://graph.microsoft.com/.default
username:****
password:****
client_secret:***
Can anyone help me with this specific issue or suggest an alternative approach?
In token I receive:
***
"family_name": "**",
"given_name": "**",
"idtyp": "user",
"ipaddr": "**",
"name": "***",
***
How can I add employeeId attribute in token? With this link: [https://learn.microsoft.com/en-us/entra/external-id/customers/how-to-add-attributes-to-token] I add in "Single sign-on" > Attributes & Claim > Add new Claim > added name, Source=Attribute, Advanced SAML token in addition check and Save.
To display employeeid as claim in the access token, check the below:
Use the below PowerShell script to create a policy and to assign to the application:
Connect-AzureAD
$claimsMappingPolicy = [ordered]@{
"ClaimsMappingPolicy" = [ordered]@{
"Version" = 1
"IncludeBasicClaimSet" = $true
"ClaimsSchema" = @(
[ordered]@{
"Source" = "user"
"ID" = "employeeid"
"JwtClaimType" = "employeeid"
}
)
}
}
$appID = "AppID"
$policyName = "Add employeeid to JWT claims"
$sp = Get-AzureADServicePrincipal -Filter "servicePrincipalNames/any(n: n eq '$appID')"
$existingPolicies = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId `
| Where-Object { $_.Type -eq "ClaimsMappingPolicy" }
if ($existingPolicies) {
$existingPolicies | Remove-AzureADPolicy
}
$policyDefinition = $claimsMappingPolicy | ConvertTo-Json -Depth 99 -Compress
$policy = New-AzureADPolicy -Type "ClaimsMappingPolicy" -DisplayName $policyName -Definition $policyDefinition
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
Note that: Custom claims are displayed only when you generate the token for your application, not another app like Microsoft Graph API. Refer this MsDoc
Hence, Expose an API and add scope like below:
Grant API permissions:
Make sure to update Manifest by setting below values:
"acceptMappedClaims": true
AND
"requestedAccessTokenVersion": 2
For sample, I generated access token using Authorization code (as my tenant has MFA enabled can't use ROPC flow):
Grant type: Authorization code
Callback URL: https://oauth.pstmn.io/v1/callback
Auth URL: https://login.microsoftonline.com/TenantId/oauth2/v2.0/authorize
Token URL : https://login.microsoftonline.com/TenantId/oauth2/v2.0/token
Client ID : ClientId
Client Secret : ClientSecret
Scope: api://ClientID/Claims.Read
When I decoded the token, employeeid claim is successfully displayed:
- Azure B2C user flow without an email
- How to use Azure Data Factory to take Business Central data and put into Azure SQL DB?
- Triggering a PowerAutomate desktop flow, using apis, fails due to access issues
- Azure - should the creator of a resource have owner rights?
- Scope is not being added to Access Token returned from Azure Ad
- The required field 'nonce' is missing from the credential. Ensure that you have all the necessary parameters for the login request. [Azure Open ID]
- Exchanging azure AD token with Identity server token
- Website authenticating users against AAD: can the OpenId document be provided offline to the consuming website?
- how to limit code verification email Spaming in Azure B2C
- Custom Claims in a Multitenant Microsoft Entra App
- Get error "You do not have elevated access" when try to postpone MFA enforcement
- How to bulk create/import users in Azure AD so that all of them can have single sign on to my SF sandbox?
- How can I "Get Microsoft Teams Users" Using of Microsoft Graph API
- Azure AD Authentication 401 error "the audience is invalid" AddAzureADBearer .Net Core Web Api
- AADSTS9002325: Proof Key for Code Exchange is required for cross-origin authorization code redemption
- How to get users info list from Azure AD app by calling Microsoft Graph API from ASP.NET Core Web API?
- Updating App Registration's Configured permission without overwritten existing values
- Missing Environment Variable 'BOT_ID' While Registering Microsfot Teams Bot App, while using Teams tool Kit template
- Error on integration with SSO Azure AD (BrowserAuthError: uninitialized_public_client_application)
- How to handle token expiry in azure msal react?
- Cannot add MFA in the Entra Admin Center
- Keycloak with AzureAD how to change the IDP user ID / IDP Links
- "Use a tenant-specific endpoint or configure the application to be multi-tenant" when signing into my Azure website
- Azure global admin cannot(disabled) add roles under "Access Control(IAM)"
- Do I need to implement the server or client of SCIM2.0?
- Connect-ExchangeOnline UnAuthorized
- API Management OAuth 2.0 configuration issue
- minimum permissions that are required for serviceprincipal account to enumerate user profile info
- "AADSTS9002313: Invalid request. Request is malformed or invalid
- Azure AD Authentication redirects me to "{domain}/.auth/login/done" after "{domain}/.auth/login/aad/callback"?