azure-active-directorymicrosoft-entra-idhttp-token-authentication

How can I add a custom attribute to the Entra ID access token?


I'm trying to add custom attributes to my authentication token but I'm running into an issue with adding custom attribute. I've tried the methods suggested in:

but no luck.

I'm using Postman with this API:

https://login.microsoftonline.com/<tenand-id>/oauth2/v2.0/token

with payload:

grant_type:password
client_id:****
scope:https://graph.microsoft.com/.default
username:****
password:****
client_secret:***

Can anyone help me with this specific issue or suggest an alternative approach?

In token I receive:

***
  "family_name": "**",
  "given_name": "**",
  "idtyp": "user",
  "ipaddr": "**",
  "name": "***",
  ***

How can I add employeeId attribute in token? With this link: [https://learn.microsoft.com/en-us/entra/external-id/customers/how-to-add-attributes-to-token] I add in "Single sign-on" > Attributes & Claim > Add new Claim > added name, Source=Attribute, Advanced SAML token in addition check and Save.


Solution

  • To display employeeid as claim in the access token, check the below:

    Use the below PowerShell script to create a policy and to assign to the application:

    Connect-AzureAD
    
    $claimsMappingPolicy = [ordered]@{
    "ClaimsMappingPolicy" = [ordered]@{
    "Version" = 1
    "IncludeBasicClaimSet" = $true
    "ClaimsSchema" = @(
    [ordered]@{
    "Source" = "user"
    "ID" = "employeeid"
    "JwtClaimType" = "employeeid"
    }
    )
    }
    }
    
    $appID = "AppID" 
    $policyName = "Add employeeid to JWT claims"
    
    $sp = Get-AzureADServicePrincipal -Filter "servicePrincipalNames/any(n: n eq '$appID')"
    
    $existingPolicies = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId `
    | Where-Object { $_.Type -eq "ClaimsMappingPolicy" }
    if ($existingPolicies) {
    $existingPolicies | Remove-AzureADPolicy
    }
    
    $policyDefinition = $claimsMappingPolicy | ConvertTo-Json -Depth 99 -Compress
    $policy = New-AzureADPolicy -Type "ClaimsMappingPolicy" -DisplayName $policyName -Definition $policyDefinition
    
    Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
    

    enter image description here

    Note that: Custom claims are displayed only when you generate the token for your application, not another app like Microsoft Graph API. Refer this MsDoc

    Hence, Expose an API and add scope like below:

    enter image description here

    Grant API permissions:

    enter image description here

    Make sure to update Manifest by setting below values:

    "acceptMappedClaims": true
    AND
    "requestedAccessTokenVersion": 2
    

    For sample, I generated access token using Authorization code (as my tenant has MFA enabled can't use ROPC flow):

    Grant type: Authorization code 
    
    Callback URL: https://oauth.pstmn.io/v1/callback
    Auth URL:  https://login.microsoftonline.com/TenantId/oauth2/v2.0/authorize
    Token URL : https://login.microsoftonline.com/TenantId/oauth2/v2.0/token
    Client ID : ClientId
    Client Secret : ClientSecret
    Scope: api://ClientID/Claims.Read
    

    enter image description here

    enter image description here

    When I decoded the token, employeeid claim is successfully displayed:

    enter image description here