Custom Claims in a Multitenant Microsoft Entra App
I have a "multitenant and personal" Entra app that should allow users with all kinds of Microsoft accounts to log into it.
I need to add some custom claims to the ID token returned by this app (specifcially, the user.jobtitle and user.officelocation claims). I've done this by adding "Additional Claims" for the app in question in the Microsoft Entra Admin Center, as detailed here. The configuration looks like so:
Since this is a multitenant app, I have to configure custom signing keys as detailed here. I've done that with the Microsoft-provided Powershell script.
With these configurations in place, I can now get an OIDC ID token. However, there's a major limitation.
The ID token only includes the new custom claims for users in the same tenant that the app exists. i.e. if the app is in tenant aaaa-....-aaaa and I authenticate using a Microsoft account (that has values for the Job Title and Office Location properties) in tenant aaaa-...-aaaa, the values are included as claims in the ID token. But, if I authenticate using a Microsoft account (that also has these same properties populated) from tenant bbbb-...-bbbb, these claims are not included.
I cannot figure out why; it's a multi-tenant app and the custom claims are configured on the app itself, not on the Entra user directory or something else that would be specific to my tenant.
How can I get these custom claims for users from all tenants, instead of just my own?
For sample, I created a Multitenant application and added custom claims like below:
I generated tokens via Postman:
Grant type: Authorization code
Callback URL: https://oauth.pstmn.io/v1/callback
Auth URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Token URL : https://login.microsoftonline.com/common/oauth2/v2.0/token
Client ID : ClientID
Client Secret : ClientSecret
Scope: api://ClientID/.default openid
I signed in with the home tenant user that is the user exists in the tenant where the app resides, and I got the claims successfully:
ID Token:
Now when I tried to sign in with other tenant user, claims are not displayed:
ID Token:
Note that: Custom claims are tenant specific by default. If the claims are created in the
TenantAthen only the users residing inTenantAwill get the claims in token.
- Every tenant has its own set of claims and attribute mappings and hence claims configured in one tenant might not be available in another tenant.
To resolve the issue, you need to add the claims in the Enterprise application or Service Principal created in the other tenant like below:
Now the custom claims are displayed successfully for another tenant user too:
The claims are displayed in access token too.
Reference:
- I suspect "aud" invalid error is due to api entry point domain is different from one provided in aud claim
- Production slot not using Production as ASPNETCORE_ENVIRONMENT variable
- I am getting an error that OAuth2 Code has already been redeemed
- Generating token for Fabric Rest api using client secret
- Authenticate to SQL Server with Azure app service managed identity through group
- Why is my Azure AD token request returning HTTP 400 consent error for API permissions that have been granted?
- How to set Azure MSAL SSO for my Nextjs14 app using Approuter and next-auth
- Unable to Connect to Azure PostgreSQL Database via Point-to-Site VPN with Azure Active Directory on macOS
- How do I retrieve the service principal password after creation using the azure cli?
- Cannot create Azure B2C Tenant
- Accessing Graph API from multi tenant App Function via identity
- My Azure AD B2C User Flow is not returning a token on jwt.ms
- AADSTS65001: The user or administrator has not consented to use the application with ID <app-id>
- AccountEnabled user property from Azure AD returning null
- Azure B2C user flow without an email
- How to use Azure Data Factory to take Business Central data and put into Azure SQL DB?
- Triggering a PowerAutomate desktop flow, using apis, fails due to access issues
- Azure - should the creator of a resource have owner rights?
- Scope is not being added to Access Token returned from Azure Ad
- The required field 'nonce' is missing from the credential. Ensure that you have all the necessary parameters for the login request. [Azure Open ID]
- Exchanging azure AD token with Identity server token
- Website authenticating users against AAD: can the OpenId document be provided offline to the consuming website?
- how to limit code verification email Spaming in Azure B2C
- Custom Claims in a Multitenant Microsoft Entra App
- Get error "You do not have elevated access" when try to postpone MFA enforcement
- How to bulk create/import users in Azure AD so that all of them can have single sign on to my SF sandbox?
- How can I "Get Microsoft Teams Users" Using of Microsoft Graph API
- Azure AD Authentication 401 error "the audience is invalid" AddAzureADBearer .Net Core Web Api
- AADSTS9002325: Proof Key for Code Exchange is required for cross-origin authorization code redemption
- How to get users info list from Azure AD app by calling Microsoft Graph API from ASP.NET Core Web API?