How to add custom claims to Azure AD users
I am developing a web application that uses Microsoft Azure AD (Entra) as identity server for single sign-in. So I have users defined in Azure AD.
Now I want to add additional properties or claims to each user, ie. I want to add these two claims to each user: claim(property)Name = ExternalServiceUserId claim(property)Name = ExternalServicePassword
So then I can add those informations in the Azure Portal to each user, and get them in my application by using Microsoft Graph API.
IE. lets say that I have two users (User1, User2): So I want to be able to add:
User1.ExternalServiceUserId = "someUserId"
User1.ExternalServicePAssword= "somePassword"
User2.ExternalServiceUserId = "someUserId2"
User2.ExternalServicePAssword= "somePassword2"
And I want to add these properties and their values through the Azure portal.
How to do so?
Note that: AFAIK there is no way to create or assign custom claims to the user via Azure Portal.
You can create extensions for the application using Microsoft Graph API or PowerShell:
POST https://graph.microsoft.com/v1.0/applications/appObjID/extensionProperties
Content-type: application/json
{
"name": "ExternalServiceUserId",
"dataType": "String",
"targetObjects": [
"User"
]
}
Assign the value to the user:
PATCH https://graph.microsoft.com/v1.0/users/UPN
Content-type: application/json
{
"extension_XXX_ExternalServiceUserId": "333333"
}
Do the same with ExternalServicePAssword and assign to the user:
PATCH https://graph.microsoft.com/v1.0/users/UPN
Content-type: application/json
{
"extension_XXX_ExternalServicePAssword": "XXX"
}
Do the same with other user and assign the values to the User2.
Now configure optional claims in the application:
For sample, I generated access token via Postman:
Grant type: Authorization code
Callback URL: https://oauth.pstmn.io/v1/callback
Auth URL: https://login.microsoftonline.com/TenantId/oauth2/v2.0/authorize
Token URL : https://login.microsoftonline.com/TenantId/oauth2/v2.0/token
Client ID : ClientId
Client Secret : ClientSecret
Scope: api://ClientID/Claims.Read
When I decoded the access token, I am able to get the custom claims successfully:
- Make sure to generate access token for the API as scope not for Microsoft Graph API.
- Custom claims are displayed when token is generated by the API scope.
- Cannot add data to a ComplexField using Python SDK for Azure AI Search
- letsencrypt cert request failing for AKS ingress
- Playwright Test execution on Azure Windows machine fails in pipeline with error as No test found, It works perfectly with same command
- How to Combining PowerShell Output from multiple server to Single csv
- How can I find all Azure app registrations with API permissions to a specific app registration?
- Azure Deployment Groups vs Agent Pools
- I cannot extract .sql CREATE TABLEs for each table in my Azure SQL Database in my Azure Repo
- Can not read blobs through BlobContainerClient for blobs with empty folder prefixes
- Are task logs deleted when the node is deleted due to autoscaling in Azure Batch service?
- Azure Function Blob Storage Monitor
- I want to fetch Azure SQL table data from ADF to use as input in copy activity
- How to access code of my Azure website?
- Run JMeter script in AzureDevOps - Bearer Access Token generation
- Azure Function - HTTP trigger request length exceeded
- How and where to define an environment variable on Azure
- Stream Analytics doesn't output the data to SQL but does to a blob storage
- While Hierarchical namespace enabled cannot upload blob with metadata hdi_isfolder
- Cannot log in to Visual Studio Account in VS 2022
- SchemaColumnConvertNotSupportedException: column: [Col_Name], physicalType: INT64, logicalType: string
- create Azure Keyvault secret without exposing values
- Can you create 'User Flows' in Azure with a pay-as-you-go account
- Deploy ARM template at management group scope with Azure DevOps Pipeline
- How to make an azure function that deploys my bicep script from Azure Storage Account
- Basic SQL commands in Terraform
- Can we Deploy Web Application in Azure OpenAI of Production Level
- Get-MgGroupMember by display name instead of userID
- Azure DevOps REST API parent relation link to existing work item error
- What should be put to 'repoOwners' in Managed Identity Federated Credentials policy?
- How to get list of users from CSV file whose LastSignInDate column has a date that is before 90 days from current date or is empty?
- Langchain cannot connect with Azure SQL Database