How to add custom claims to Azure AD users
I am developing a web application that uses Microsoft Azure AD (Entra) as identity server for single sign-in. So I have users defined in Azure AD.
Now I want to add additional properties or claims to each user, ie. I want to add these two claims to each user: claim(property)Name = ExternalServiceUserId claim(property)Name = ExternalServicePassword
So then I can add those informations in the Azure Portal to each user, and get them in my application by using Microsoft Graph API.
IE. lets say that I have two users (User1, User2): So I want to be able to add:
User1.ExternalServiceUserId = "someUserId"
User1.ExternalServicePAssword= "somePassword"
User2.ExternalServiceUserId = "someUserId2"
User2.ExternalServicePAssword= "somePassword2"
And I want to add these properties and their values through the Azure portal.
How to do so?
Note that: AFAIK there is no way to create or assign custom claims to the user via Azure Portal.
You can create extensions for the application using Microsoft Graph API or PowerShell:
POST https://graph.microsoft.com/v1.0/applications/appObjID/extensionProperties
Content-type: application/json
{
"name": "ExternalServiceUserId",
"dataType": "String",
"targetObjects": [
"User"
]
}
Assign the value to the user:
PATCH https://graph.microsoft.com/v1.0/users/UPN
Content-type: application/json
{
"extension_XXX_ExternalServiceUserId": "333333"
}
Do the same with ExternalServicePAssword and assign to the user:
PATCH https://graph.microsoft.com/v1.0/users/UPN
Content-type: application/json
{
"extension_XXX_ExternalServicePAssword": "XXX"
}
Do the same with other user and assign the values to the User2.
Now configure optional claims in the application:
For sample, I generated access token via Postman:
Grant type: Authorization code
Callback URL: https://oauth.pstmn.io/v1/callback
Auth URL: https://login.microsoftonline.com/TenantId/oauth2/v2.0/authorize
Token URL : https://login.microsoftonline.com/TenantId/oauth2/v2.0/token
Client ID : ClientId
Client Secret : ClientSecret
Scope: api://ClientID/Claims.Read
When I decoded the access token, I am able to get the custom claims successfully:
- Make sure to generate access token for the API as scope not for Microsoft Graph API.
- Custom claims are displayed when token is generated by the API scope.
- VM has reported a failure when processing extension AzureDiskEncryption
- How to pass secrets downloaded from Azure KeyVault as parameters to an Azure Function?
- Trigger / queue build policy pipeline on ADO PR with Azure CLI
- Azure AD B2C Password Reset
- Batch create mailbox folders with GRAPH API (from Graph Explorer)
- Azure Web App on Linux: "Error: Container didn't respond to HTTP pings on port: 8080" - when using: "start": "pm2 start server.js"
- How can I apply name=value tags to service principals in Azure?
- Visual Studio Code: Could not find $web blob container for storage account
- Error when registering data factory integration runtime on windows VM
- Retrieve list of repositories and their tag versions in one call
- Getting Error while running Azure DevOps Pipeline "Error: building account: could not acquire access token to parse claims: clientCredentialsToken
- Create Resource Group with Azure Management C# API
- Azure LDAP Authentication Connection Refused On Cloud Server or Other Desktops
- Create a gpu nodepool on azure with a student account
- How to set redirect URLs to b2clogin.com for Azure Active Directory B2C in React JS application
- Cannot connect to SQL Server from logic app
- How to Resolve Errors When Running Python Jobs in Azure App Service WebJobs
- How do I open Kudu console in Azure functions consumption plan?
- Azure AutoML Image Classification Job
- Onedrive GRAPH API - 403 when getting user's OneDrive
- Azure Government Get incidents returns 401 Forbidden
- Delta Table Partitioning - why only for tables bigger than 1 TB
- How to check if an Azure storage queue has messages
- Azure WAF exclusion, what's the difference between RequestArgNames and RequestArgValues?
- How to order results of a query by the results of an aggregate function in ComosDb?
- Azure routing between different subscriptions - force one, common outbound IP and share Site-to-site (IPSec) defined in Virtual network gateway
- Bot Framework Python SDK ErrorResponseException: Operation returned an invalid status code 'Unauthorized'
- Azure DevOps - Create a work item from incoming email
- Error: "OrganizationFromTenantGuidNotFound" (even with Microsoft 365 subscription)
- How do I fix SerializationNotSupportedParentType and ThrowNotSupportedException_ConstructorContainsNullParameterNames exception in System.Text.Json?