azure-active-directoryazure-ad-msalmicrosoft-entra-idazure-ad-b2b

How do I add claims from my custom claims provider to Entra External ID/Azure AD access tokens?


I have added a custom claims provider API (following these articles: https://learn.microsoft.com/en-us/azure/active-directory/external-identities/customers/concept-custom-extensions and https://learn.microsoft.com/en-us/azure/active-directory/develop/custom-extension-get-started) to add a few claims from an external system to access tokens. The problem is that only these custom claims only gets added to the ID tokens and not the access tokens returned.

I am using a new Entra External Identities for Customers tenant, that I set up a few weeks ago, and I'm fairly new to authentication and authorization, so I'm not sure that my expectation of being able to add custom claims to the access token is feasible. It is however needed for my use case where I have to consider decisions being made a long time ago.

I've tried using both the sample SPA sign-in and device code flow samples, but neither of them have the custom claims in the access token, only in the ID token.

Earlier this year, I'm fairly certain I managed to add custom claims to access tokens using Azure AD B2C API Connectors (https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-api-connector-token-enrichment). Maybe I will have to use that approach instead.


Solution

  • I created a Function app, created an HTTPS trigger function, and edited the code like below:

    enter image description here

    Created a custom extension:

    enter image description here

    Registered Azure AD Application:

    enter image description here

    Configured the custom claims in the Enterprise Application:

    enter image description here

    I used an implicit grant flow to generate tokens:

    https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?client_id=ClientID&response_type=id_token+token&redirect_uri=https://jwt.ms&scope=openid&state=12345&nonce=12345
    

    The claims displayed in the ID token but when I checked the access token, claims are not displayed:

    enter image description here

    How do I add claims from my custom claims provider to Entra External ID/Azure AD access tokens?

    To get the custom claims in the access token, you must generate the access token for your own application. The access token generated for other API such as Microsoft Graph, SharePoint etc. doesn't contain the custom claims. Refer to this Microsoft Docs page for more information.

    Hence to get the custom claims in the access token, I exposed an API in the Azure AD Application like below:

    enter image description here

    Grant API permissions:

    enter image description here

    Now I generated tokens by passing the scope as api://ClientID/.default openid:

    https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?client_id=ClientID&response_type=id_token+token&redirect_uri=https://jwt.ms&scope=api://ClientID/.default openid&state=12345&nonce=12345
    

    Now when I decoded access token and ID token custom claims are displayed successfully:

    Access Token:

    enter image description here

    ID Token:

    enter image description here