I have a "multitenant and personal" Entra app that should allow users with all kinds of Microsoft accounts to log into it.
I need to add some custom claims to the ID token returned by this app (specifically, the user.jobtitle and user.officelocation claims). I've done this by adding "Additional Claims" for the app in question in the Microsoft Entra Admin Center, as detailed here. The configuration looks like so:
Since this is a multitenant app, I have to configure custom signing keys as detailed here. I've done that with the Microsoft-provided PowerShell script.
With these configurations in place, I can now get an OIDC ID token. However, there's a major limitation.
The ID token only includes the new custom claims for users in the same tenant that the app exists in, i.e., if the app is in tenant aaaa-....-aaaa and I authenticate using a Microsoft account (that has values for the Job Title and Office Location properties) in tenant aaaa-...-aaaa, the values are included as claims in the ID token. But if I authenticate using a Microsoft account (that also has these same properties populated) from tenant bbbb-...-bbbb, these claims are not included.
I cannot figure out why; it's a multi-tenant app and the custom claims are configured on the app itself, not on the Entra user directory or something else that would be specific to my tenant.
How can I get these custom claims for users from all tenants, instead of just my own?
For example, I created a multitenant application and added custom claims like below:
I generated tokens via Postman:
Grant type: Authorization code
Callback URL: https://oauth.pstmn.io/v1/callback
Auth URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Token URL: https://login.microsoftonline.com/common/oauth2/v2.0/token
Client ID: ClientID
Client Secret: ClientSecret
Scope: api://ClientID/.default openid
I signed in with a home tenant user, that is, a user that exists in the tenant where the app resides, and I got the claims successfully:
ID Token:
Now when I tried to sign in with a user from another tenant, the claims are not displayed:
ID Token:
Note that custom claims are tenant-specific by default. If the claims are created in TenantA, then only the users residing in TenantA will get the claims in the token.
To resolve the issue, you need to add the claims in the Enterprise application or Service Principal created in the other tenant like below:
Now the custom claims are displayed successfully for the other tenant's user too:
The claims are displayed in access token too.
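An added diagnostic, not part of the question or the answer above: it decodes an ID token's payload (without verifying the signature), reports which of the custom claims are absent, and checks whether the issuing tenant (`tid`) is the app's home tenant, which is exactly the condition the answer identifies. The claim names `jobtitle` and `officelocation`, the tenant ids and the sample tokens are constructed assumptions.

```python
import base64
import json

# Assumed JWT claim types for the "user.jobtitle" and "user.officelocation"
# attributes; adjust to whatever was configured under "Additional Claims".
CUSTOM_CLAIMS = ("jobtitle", "officelocation")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_payload(token: str) -> dict:
    """Return the payload of a compact JWT WITHOUT verifying its signature.
    This is for inspecting which claims were issued; a relying party must
    validate signature, issuer and audience before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_custom_claims(token: str, home_tenant: str) -> dict:
    """Report missing custom claims and whether the token came from the
    home tenant (the only tenant where app-level claims apply by default)."""
    payload = decode_jwt_payload(token)
    tid = payload.get("tid")
    missing = [c for c in CUSTOM_CLAIMS if c not in payload]
    result = {"tid": tid, "home_tenant": tid == home_tenant, "missing": missing}
    if missing and tid != home_tenant:
        # Matches the answer's diagnosis: claims are tenant-specific.
        result["hint"] = ("claims are tenant-specific: configure them on the "
                          f"service principal in tenant {tid}")
    return result


def _make_token(payload: dict) -> str:
    """Build an UNSIGNED (alg=none) token for the constructed samples only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


HOME = "aaaa-aaaa"  # constructed placeholder for the app's home tenant id
HOME_TOKEN = _make_token({"tid": HOME, "jobtitle": "Engineer", "officelocation": "Oslo"})
OTHER_TOKEN = _make_token({"tid": "bbbb-bbbb", "name": "Other Tenant User"})
```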