Tags: azure, jwt, apim, azure-entra-id, data-api-builder

Does Azure's EntraID support dynamic custom claims?


I need to dynamically add a custom claim to a token requested from Entra ID for intra-application authentication.

I have an Azure API Management (APIM) instance that authenticates a client request via the given subscription key. The subscription key is linked to a product and I need to pass on this product information to my backend API, which is a Data API builder (DAB) instance. DAB accepts JWT authentication and accepts custom roles if they are present in the JWT and the X-MS-API-ROLE header.

Hence my idea was to have APIM request a token (client_credentials flow) from Entra ID with the custom role claim dynamically set in the request and pass on the token.

<set-body>@{
    return "client_id={client_id}" + 
           "&client_secret={client_secret}" + 
           "&scope=api://{app_id}/.default" + 
           "&grant_type=client_credentials" + 
           "&claims=" + Uri.EscapeDataString("{\"roles\":\"" + context.Variables["productId"] + "\"}");
}</set-body>

Unfortunately, it seems that, while Entra ID does issue a token with the correct audience, my custom claims are simply omitted. My research seems to indicate that the client_credentials grant type does not support custom claims. Is this correct?

How could I work around this limitation of the identity provider?


Solution

  • Note that if you are making use of the client credentials flow, then you cannot configure custom claims or dynamic custom claims.

    If you want to add the above claims, then check the steps below:

    Create a policy:

    New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy": {"Version": 1, "ClaimsSchema": [
        {"Source": "application", "ID": "DisplayName", "JwtClaimType": "AppName"}]}}') `
        -DisplayName "Claim-displayname" -Type "ClaimsMappingPolicy"

    Assign the policy to Service Principal:

    Add-AzureADServicePrincipalPolicy -Id SPObjID -RefObjectId PolicyID

    Generated token via client credential flow:

    https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
    
    client_id:ClientID
    client_secret:ClientSecret
    scope:api://xxx/.default
    grant_type:client_credentials
    

    When the token is decoded, the custom claim is displayed.

    Reference:

    using client credential flow, how can I add a custom claim to the access token - Microsoft Q&A by Shweta Mathur.
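The answer's three steps (create the claims mapping policy, attach it to the API's service principal, request a client-credentials token) end with a screenshot of the decoded token. The following script is an added example, not code from the answer or from Microsoft; it runs the same steps in one go and replaces the manual decode with a check that the mapped claim actually arrived. The variable names and the `<...>` values are placeholders, and the decoding helper is my own (it only inspects the payload; it does not validate the signature, which is DAB's job at the backend).

```powershell
# Added example (not from the original answer): create the ClaimsMappingPolicy from the
# answer, attach it to the API's service principal, request a client-credentials token
# and verify that the mapped "AppName" claim is present before trusting the setup.
# Uses the AzureAD module cmdlets shown in the answer (New-AzureADPolicy,
# Add-AzureADServicePrincipalPolicy); that module is deprecated but still the one
# the answer relies on. All <...> values below are placeholders.

$TenantId      = "<tenant-id>"
$ClientId      = "<client-app-id>"      # the app registration APIM authenticates as
$ClientSecret  = "<client-secret>"      # placeholder; in APIM keep this in a named value / Key Vault
$ApiAppId      = "<api-app-id>"         # the DAB API app registration, i.e. api://<api-app-id>
$ApiSpObjectId = "<api-sp-object-id>"   # object id of the API's service principal (SPObjID in the answer)

Connect-AzureAD -TenantId $TenantId | Out-Null

# 1. Policy definition: the application's DisplayName is emitted as a JWT claim named AppName.
#    This is a static, per-application value, not something the token request can change.
$definition = @'
{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true","ClaimsSchema":[
  {"Source":"application","ID":"DisplayName","JwtClaimType":"AppName"}]}}
'@
$policy = New-AzureADPolicy -Definition @($definition) -DisplayName "Claim-displayname" -Type "ClaimsMappingPolicy"

# 2. Attach the policy to the *resource* (API) service principal; tokens issued for that
#    audience are the ones that carry the mapped claim.
Add-AzureADServicePrincipalPolicy -Id $ApiSpObjectId -RefObjectId $policy.Id

# 3. Client-credentials request, same parameters as the answer's token call.
#    Note there is no "claims" parameter: the claim comes from the policy, not from the body.
$body = @{
  client_id     = $ClientId
  client_secret = $ClientSecret
  scope         = "api://$ApiAppId/.default"
  grant_type    = "client_credentials"
}
$resp = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body $body

# 4. Decode the payload segment (base64url -> JSON). Inspection only; no signature check here.
function ConvertFrom-JwtPayload([string]$Jwt) {
  $segment = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
  switch ($segment.Length % 4) {
    2 { $segment += '==' }
    3 { $segment += '=' }
  }
  [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($segment)) | ConvertFrom-Json
}
$claims = ConvertFrom-JwtPayload $resp.access_token

# 5. Fail loudly if the audience is wrong or the mapped claim is missing, instead of
#    discovering it later when DAB rejects the request.
if ($claims.aud -ne $ApiAppId -and $claims.aud -ne "api://$ApiAppId") {
  throw "Unexpected audience: $($claims.aud)"
}
if (-not $claims.AppName) {
  throw "AppName claim missing: policy not attached to the API service principal, or the API app does not accept mapped claims"
}
"AppName claim = $($claims.AppName)"
```

Two caveats when running this. First, an API app registration that uses the default Entra signing key must have `acceptMappedClaims` set to `true` in its manifest (or use a custom signing key) before Entra will emit mapped claims for it; without that, the token request itself fails with AADSTS50146 rather than silently dropping the claim. Second, the value that arrives is the application's display name, fixed per app registration, so it does not solve the per-request product role from the question; what it does show is where claims in a client-credentials token come from (the policy on the resource service principal) and how to confirm that before wiring DAB's X-MS-API-ROLE header to it.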