Does Azure's EntraID support dynamic custom claims?
I need to dynamically add a custom claim to a token requested from EntraId for intra-application authentification.
I have an azure api management (apim) instance that authenticates a client request via the given subscription key. The subscription key is linked to a product and i need to pass on this product information to my backend api, which is a data-api-builder (dab) instance. Dab accepts jwt authentication and accepts custom roles if they are present in the jwt and the X-MS-API-ROLE header.
Hence my idea was to have apim request a token (client_credentials flow) from EntraId with the custom role claim dynamically set in the request and pass on the token.
<set-body>@{
return "client_id={client_id}" +
"&client_secret={client_secret}" +
"&scope=api://{app_id}/.default" +
"&grant_type=client_credentials" +
"&claims=" + Uri.EscapeDataString("{\"roles\":\"" + context.Variables["productId"] + "\"}");
}</set-body>
Unfortunately, it seems that, while entraid does issue a token with the correct audience, my custom claims are simply omitted. My research seems to indicate that the client_credentials grant type does not support custom claims. Is this correct?
How could I work around this limitation of the identity provider?
Note that: If you are making use of Client Credential flow, then you cannot configure custom claims or dynamic custom claims.
- Claims like
displayname,objectidandtagscan only be used in the custom mapping policy for client credential flow.
If you want to add the above claims, then check the below:
Create a policy:
New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy": {"Version": 1,"ClaimsSchema":[
{"Source": "application","ID": "DisplayName","JwtClaimType": "AppName"}]}}') -DisplayName "Claim-displayname" -Type "ClaimsMappingPolicy"
Assign the policy to Service Principal:
Add-AzureADServicePrincipalPolicy -Id SPObjID -RefObjectId PolicyID
Generated token via client credential flow:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
client_secret:ClientSecret
scope↵:api://xxx/.default
grant_type:client_credentials
When decoded the token, custom claim is displayed:
- As you want the claims to be added dynamically by APIM on request to Entra ID, then you need to configure a custom identity provider.
Reference:
using client credential flow, how can I add a custom claim to the access token - Microsoft Q&A by Shweta Mathur.
- How to set up a Low Disk Space alert with the new Azure Monitor agent to trigger when a specific disk drive is low on free space?
- Azure Cosmos DB - Understanding Partition Key
- Get the permissions of users with respect to the repositories via the API of ADO
- Azure graph api to search groups whose displayName contains a specific term
- Azure Functions with VS Code and Python: ModuleNotFoundError: No module named 'azure.storage'
- Azure APIM - VNET injection vs inbound private endpoint, what is a difference?
- My mern project is not running in azure web app
- Split multiple tables from a single sheet in excel using data flows
- How to reduce your outbound ip address list for azure web app to add ip address to Flexible PostregSQL server firewall
- Not able to send localized push notification from Azure Notification Hub after migrating to FCMv1 from FCM Legacy API
- Production slot not using Production as ASPNETCORE_ENVIRONMENT variable
- Azure monitor open telemetry python package raising exception when python app deployed on Azure
- Azure Document Intelligence - RequestFailedException: 'Resource not found Status: 404 (Not Found)
- Parameterize runOnStartup in function.json
- Trouble Passing Boolean Values in Azure Data Factory JSON Template
- Managed Identity for Cosmos DB: "Local Authorization is disabled. Use an AAD token to authorize all requests"
- SFTP connectivity via Jsch fails with "Auth fail for methods 'publickey'"
- How can I add email recipients to a Graph API request programmatically?
- Getting an UnsupportedClassVersionError after updating Java 17 to Java 21
- Issue during update azure vmss trough rest api using curl
- How can I define compile time constants in bicep configuration language?
- How to redact Indian Aadhaar Number, Brazilian CPF number or any other such PII using azure language service
- Timezone error creating SQL instance in Azure using Terraform
- Does Azure's EntraID support dynamic custom claims?
- Can't provide NuGet package source credentials to Azure Function
- How can I use Terraform to run a script to initialise the database on a newly-created Azure mssql_virtual_machine?
- Creating External table in Azure SQL Database using ADLS2 Datasource
- Issue uploading files to S3 from Django in Docker
- Azure DevOps pipeline continues to run despite removing schedule
- Azure Active Directory App service Principal create new client secret