How can I add a custom attribute to the Entra ID access token?
I'm trying to add custom attributes to my authentication token but I'm running into an issue with adding custom attribute. I've tried the methods suggested in:
- Issue to add custom claim "samaccountname" into azure ad
- Issue to add custom claim "samaccountname" into azure ad
- https://learn.microsoft.com/en-us/entra/external-id/customers/how-to-add-attributes-to-token
but no luck.
I'm using Postman with this API:
https://login.microsoftonline.com/<tenand-id>/oauth2/v2.0/token
with payload:
grant_type:password
client_id:****
scope:https://graph.microsoft.com/.default
username:****
password:****
client_secret:***
Can anyone help me with this specific issue or suggest an alternative approach?
In token I receive:
***
"family_name": "**",
"given_name": "**",
"idtyp": "user",
"ipaddr": "**",
"name": "***",
***
How can I add employeeId attribute in token? With this link: [https://learn.microsoft.com/en-us/entra/external-id/customers/how-to-add-attributes-to-token] I add in "Single sign-on" > Attributes & Claim > Add new Claim > added name, Source=Attribute, Advanced SAML token in addition check and Save.
To display employeeid as claim in the access token, check the below:
Use the below PowerShell script to create a policy and to assign to the application:
Connect-AzureAD
$claimsMappingPolicy = [ordered]@{
"ClaimsMappingPolicy" = [ordered]@{
"Version" = 1
"IncludeBasicClaimSet" = $true
"ClaimsSchema" = @(
[ordered]@{
"Source" = "user"
"ID" = "employeeid"
"JwtClaimType" = "employeeid"
}
)
}
}
$appID = "AppID"
$policyName = "Add employeeid to JWT claims"
$sp = Get-AzureADServicePrincipal -Filter "servicePrincipalNames/any(n: n eq '$appID')"
$existingPolicies = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId `
| Where-Object { $_.Type -eq "ClaimsMappingPolicy" }
if ($existingPolicies) {
$existingPolicies | Remove-AzureADPolicy
}
$policyDefinition = $claimsMappingPolicy | ConvertTo-Json -Depth 99 -Compress
$policy = New-AzureADPolicy -Type "ClaimsMappingPolicy" -DisplayName $policyName -Definition $policyDefinition
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
Note that: Custom claims are displayed only when you generate the token for your application, not another app like Microsoft Graph API. Refer this MsDoc
Hence, Expose an API and add scope like below:
Grant API permissions:
Make sure to update Manifest by setting below values:
"acceptMappedClaims": true
AND
"requestedAccessTokenVersion": 2
For sample, I generated access token using Authorization code (as my tenant has MFA enabled can't use ROPC flow):
Grant type: Authorization code
Callback URL: https://oauth.pstmn.io/v1/callback
Auth URL: https://login.microsoftonline.com/TenantId/oauth2/v2.0/authorize
Token URL : https://login.microsoftonline.com/TenantId/oauth2/v2.0/token
Client ID : ClientId
Client Secret : ClientSecret
Scope: api://ClientID/Claims.Read
When I decoded the token, employeeid claim is successfully displayed:
- Getting a token from Microsoft Intra ID with PostMan using MFA
- MSAL for non-SPA? Server side authentication?
- Error 403 User not authorized when trying to access Azure Databricks API through Active Directory
- Add Azure Active Directory User to Azure SQL Database
- How to use stored procedure parameters as dynamic content in copy activity using ADF
- Azure AD B2C error AADB2C90057 when I am NOT trying to use the implicit flow
- “That Microsoft account doesn’t exist” for Microsoft logins on Auth0
- You don’t have authorization to perform action 'Microsoft.Resources/deployments/validate/action'
- .Net Core - Use AzureAD/EntraID Authentication to Access Azure DevOps REST APIs
- Issue with Azure Automation Account and Key Vault Certificate Retrieval
- OpenAI remove key access while using AAD authentication
- Azure Tenant setup for .NET Blazor WASM calling Web API + Microsoft Graph
- Add tenant specific roles in Azure AD multitenant app
- Allow App Service to be called by just a test user and another App Service using a system assigned managed identity
- How to automatically refresh access token
- Access Token Issuer from Azure AD is sts.windows.net Instead Of login.microsoftonline.com
- How to get user's attributes from Identity in Blazor Server with organization authentication
- Correlation failed in net.core / asp.net identity / openid connect
- I'm unable to Login to VM with Azure AD user credentials
- I need to add co-organizer in teams meeting through graph api
- Entra ID - Adding actor claim to the token via client credential flow
- Roles for a SPA and API setup in Microsoft Intra ID
- Unable to patch businessPhones of Entra External ID user, Insufficient privileges to complete the operation
- How to create dynamic groups in AzureAD/EntraID from a csv import?
- Creating a user in Azure AD B2C through Microsoft SSO
- Azured AD JWT authentication doesn't work for Web API hosted in docker using TestContainer
- How do I connect locally to Azure SQL database with Microsoft Entra ID registered app in C#?
- How to fix 'Unable to Obtain Authentication Token' in Active Directory Authentication to Azure Analysis Server
- Error OrganizationFromTenantGuidNotFound and 401 Unauthorized when Sending Email via Microsoft Graph API in React App
- Fetch employee id from from job description properties .NET 8