
How to add a custom claim to Azure AD dispensed JWT access token


myApplication authenticates and fetches a JWT access token from Azure AD. BackendSystem authorizes myApplication based on the claims in the JWT access token.

Decoded JWT

{
  "aud": "abc",
  "iss": "https://sts.windows.net/6xxxf/",
  "iat": 1721983095,
  "nbf": 1721983095,
  "exp": 1721986995,
  "aio": "Exx=",
  "appid": "ID",
  "appidacr": "x",
  "idp": "https://sts.windows.net/6xxxf/",
  "oid": "1xxx2",
  "rh": "0xxx.",
  "roles": [
    "roles"
  ],
  "sub": "1xxx2",
  "tid": "TID",
  "uti": "YxxA",
  "ver": "xxx"
}

In this list of claims, I would like to add a new custom claim, Example, which is not part of the optional standard claims offered by Azure AD.

New JWT:

{
  "aud": "abc",
  "iss": "https://sts.windows.net/6xxxf/",
  "iat": 1721983095,
  "nbf": 1721983095,
  "exp": 1721986995,
  "aio": "Exx=",
  "appid": "ID",
  "appidacr": "x",
  "idp": "https://sts.windows.net/6xxxf/",
  "oid": "1xxx2",
  "rh": "0xxx.",
  "roles": [
    "roles"
  ],
  "sub": "1xxx2",
  "tid": "TID",
  "uti": "YxxA",
  "ver": "xxx",
  "Example": "abc-123"
}

I'm new to Azure AD and have only found the option to add the optional standard claims (given_name, family_name, etc.) offered by Azure AD. How can I implement this?

Please note: This is not for SSO. myApplication will not be sending this additional custom claim in the request to Azure AD.


Solution

  • Based on the decoded token you provided, you are using the client credential flow to generate the access token.

    Note that adding custom attributes or claims is not supported in the client credential flow. Refer to this Microsoft QnA by Shweta Mathur.

    • The only claims that can be used in the claims mapping policy for the client credential flow are displayname, objectid and tags.
    • Hence it is not feasible to customize the claim using the client credential flow.

    Hence you can add only the above-mentioned claims to the token by creating a claims mapping policy like below:

    Create a policy:

    New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy": {"Version": 1,"ClaimsSchema":[
    {"Source": "application","ID": "DisplayName","JwtClaimType": "AppName"}]}}') -DisplayName "Claim-displayname" -Type "ClaimsMappingPolicy"
    

    Assign the policy to Service Principal:

    Add-AzureADServicePrincipalPolicy -Id SPObjID -RefObjectId PolicyID
    


    Now I generated a token via the client credential flow:

    https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
    
    client_id:ClientID
    client_secret:ClientSecret
    scope:api://xxx/.default
    grant_type:client_credentials
    


    When the token is decoded, the custom claim is displayed:


    • But you cannot create an arbitrary claim of your own (such as Example) and get it in the token.

    Reference:

    azure - Entra External ID custom claim in client id token not in ASP.NET Core Web API User's ClaimsPrincipal - Stack Overflow by me
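The following is an added example, not code from the question or the answer above, showing the check a practitioner would run after applying the claims mapping policy: build the client credential token request exactly as the answer describes, decode the returned JWT payload, and confirm that the mapped claim (here "AppName", the JwtClaimType from the answer's policy) is present before BackendSystem relies on it. TenantID, ClientID, ClientSecret and the sample claim values are placeholders; the sample token is constructed locally and unsigned so the script runs offline. A real backend must verify the RS256 signature against the tenant's JWKS before trusting any claim; this example only inspects the payload.

```python
import base64
import json
from urllib.parse import urlencode


def build_token_request(tenant_id, client_id, client_secret, scope):
    """Return (url, form_body) for the client credential request shown in the answer.

    All four arguments are placeholders supplied by the caller, not real values.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
        "grant_type": "client_credentials",
    })
    return url, body


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_claims(token):
    """Unverified decode of the payload, to see which claims the policy produced.

    Signature verification against the tenant's JWKS is deliberately not done
    here; do it before trusting claims in production.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def mapped_claim(claims, name="AppName"):
    """Return the mapped claim value, or None when the mapping policy did not apply."""
    return claims.get(name)


def authorize(claims, expected_aud, now):
    """What BackendSystem can check once the signature has been verified:
    audience, validity window, and the presence of the mapped claim."""
    if claims.get("aud") != expected_aud:
        return False
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return False
    return mapped_claim(claims) is not None


def make_unsigned_sample_token(claims):
    """Constructed sample token (alg "none", empty signature) for offline testing only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed sample claims mirroring the decoded token in the question,
# plus the "AppName" claim the answer's policy maps from the app's DisplayName.
SAMPLE_CLAIMS = {
    "aud": "abc",
    "nbf": 1721983095,
    "exp": 1721986995,
    "roles": ["roles"],
    "AppName": "myApplication",
}

if __name__ == "__main__":
    url, body = build_token_request("TenantID", "ClientID", "ClientSecret", "api://xxx/.default")
    print(url)
    print(body)
    token = make_unsigned_sample_token(SAMPLE_CLAIMS)
    claims = decode_jwt_claims(token)
    print("mapped claim:", mapped_claim(claims))
    print("authorized:", authorize(claims, "abc", 1721983100))
```

The point of `authorize` is that a mapping policy only controls which claims appear; the backend still has to check `aud` and the `nbf`/`exp` window itself, and a token lacking the mapped claim (for example one issued before the policy was assigned to the service principal) should be rejected rather than assumed.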