I'm trying to create a Custom Authentication Extension in an Entra External ID tenant.
I'm using a user with the Global Administrator role.
Following the official documentation, the Azure Portal (click-click development flow) failed me with an unknown validation error that I found in the Network panel.
{
  "error": {
    "code": "AADB2C90063",
    "message": "There is a problem with the service.",
    "innerError": {
      "correlationId": "e55a7013-2a27-48e2-b500-7e2bae5eea58",
      "date": "2025-05-15T15:32:51",
      "request-id": "dbfc4085-b81e-435f-9a09-d11f0546f500",
      "client-request-id": "dbfc4085-b81e-435f-9a09-d11f0546f500"
    }
  }
}
Steps: Enterprise Applications, then Custom Authentication Extensions, and Create a custom extension. Completed all the fields at all the steps, and hit Create. Then the application was registered. However, the creation of the extensions failed.
I tried the Azure Entra External ID blade and the Microsoft Entra Admin Center. Same result.
Since we're not giving up easily, I got an access token specific to this tenant, ran the Graph API request https://graph.microsoft.com/v1.0/auditLogs/directoryAudits, and got the audit logs.
{
  "id": "B2C_e55a7013-2a27-48e2-b500-7e2bae5eea58_{tenantId}_133917967711438880",
  "category": "PolicyManagement",
  "correlationId": "e55a7013-2a27-48e2-b500-7e2bae5eea58",
  "result": "failure",
  "resultReason": "NA",
  "activityDisplayName": "Validate customExtension authenticationConfiguration",
  "activityDateTime": "2025-05-15T15:32:51.143888Z",
  "loggedByService": "B2C",
  "operationType": "Read",
  "initiatedBy": {
    "app": null,
    "user": {
      "id": "{userId}",
      "displayName": "{userEmail}",
      "userPrincipalName": "{userEmail}",
      "ipAddress": "20.20.34.96",
      "userType": null,
      "homeTenantId": null,
      "homeTenantName": null
    }
  },
  "targetResources": [
    {
      "id": null,
      "displayName": "{tenantName}",
      "type": "Other",
      "userPrincipalName": null,
      "groupType": null,
      "modifiedProperties": []
    }
  ],
  "additionalDetails": [
    {
      "key": "targetTenant",
      "value": "{tenantId}"
    },
    {
      "key": "targetEntityType",
      "value": "Policy"
    },
    {
      "key": "actorIdentityType",
      "value": "UPN"
    },
    {
      "key": "RequestId",
      "value": "e55a7013-2a27-48e2-b500-7e2bae5eea58"
    }
  ]
}
Since this didn't help much, I've tried the Graph API way.
POST https://graph.microsoft.com/v1.0/applications
POST https://graph.microsoft.com/v1.0/servicePrincipals
PUT https://graph.microsoft.com/v1.0/applications/{applicationObjectId}
As a side note, the request in the official documentation was a POST instead of a PUT (create instead of update) and had an erroneous Application Permission.
{
  "identifierUris": [
    "api://{Function_Url_Hostname}/{applicationAppId}"
  ],
  "api": {
    "requestedAccessTokenVersion": 2,
    "acceptMappedClaims": null,
    "knownClientApplications": [],
    "oauth2PermissionScopes": [],
    "preAuthorizedApplications": []
  },
  "requiredResourceAccess": [
    {
      "resourceAppId": "00000003-0000-0000-c000-000000000000",
      "resourceAccess": [
        // Unknown permission
        // {
        //   "id": "00aa00aa-bb11-cc22-dd33-44ee44ee44ee",
        //   "type": "Role"
        // },
        // CustomAuthenticationExtension.ReadWrite.All
        {
          "id": "c2667967-7050-4e7e-b059-4cbbb3811d03",
          "type": "Role"
        }
      ]
    }
  ]
}
POST https://graph.microsoft.com/beta/identity/customAuthenticationExtensions
It fails with a strange error message:
{
  "error": {
    "code": "AADB2C",
    "message": "The application does not have any of the required delegated permissions (CustomAuthenticationExtension.ReadWrite.All) to access the resource. ",
    "innerError": {
      "correlationId": "54d42225-15a2-4ef6-8fab-0335e8e17504",
      "date": "2025-05-19T08:27:51",
      "request-id": "5235b509-61cf-46e2-b1e2-fbbe2fe426fc",
      "client-request-id": "5235b509-61cf-46e2-b1e2-fbbe2fe426fc"
    }
  }
}
I've also tried the non-beta Graph API version https://graph.microsoft.com/v1.0/identity/customAuthenticationExtensions; it still fails.
From the audit logs:
{
  "id": "B2C_54d42225-15a2-4ef6-8fab-0335e8e17504_{tenantId}_133921168709963190",
  "category": "Authorization",
  "correlationId": "54d42225-15a2-4ef6-8fab-0335e8e17504",
  "result": "failure",
  "resultReason": "Access denied. Client app does not have required app permissions.",
  "activityDisplayName": "Create customAuthenticationExtension",
  "activityDateTime": "2025-05-19T08:27:50.996319Z",
  "loggedByService": "B2C",
  "operationType": "Create",
  "initiatedBy": {
    "app": null,
    "user": {
      "id": "{userId}",
      "displayName": "{userEmail}",
      "userPrincipalName": "{userEmail}",
      "ipAddress": "20.20.34.160",
      "userType": null,
      "homeTenantId": null,
      "homeTenantName": null
    }
  },
  "targetResources": [
    {
      "id": null,
      "displayName": "00000000-0000-0000-0000-000000000000",
      "type": "Other",
      "userPrincipalName": null,
      "groupType": null,
      "modifiedProperties": []
    }
  ],
  "additionalDetails": [
    {
      "key": "targetTenant",
      "value": "00000000-0000-0000-0000-000000000000"
    },
    {
      "key": "targetEntityType",
      "value": "Policy"
    },
    {
      "key": "actorIdentityType",
      "value": "UPN"
    },
    {
      "key": "RequiredPermissions",
      "value": "Delegated_CustomAuthenticationExtensionReadWrite, Application_CustomAuthenticationExtensionReadWrite"
    },
    {
      "key": "RequestId",
      "value": "54d42225-15a2-4ef6-8fab-0335e8e17504"
    }
  ]
}
Just in case, here is the screenshot with the granted permissions CustomAuthenticationExtension.ReadWrite.All (application and delegated).
Seems like I've tried every documented way. Is there a non-documented way?
With the support of the Microsoft Support team, we've found the problem (and the solution).
The problem is that the Entra External ID tenant directory doesn't have the specific service principal that is responsible for providing permissions for an Azure internal application.
They will fix it in the future; however, the temporary solution is to create it ourselves.
I obtained an access token for the specific tenant. I used Azure CLI; however, I could also have used PowerShell.
az account get-access-token \
--resource https://graph.microsoft.com \
--tenant 00001111-2222-3333-4444-555566667777 \
--query accessToken -o tsv
I created the service principal using the Graph API (Graph SDK, curl or any other means of sending HTTP requests; in my case, Postman).
POST request to https://graph.microsoft.com/v1.0/servicePrincipals
{
  "appId": "99045fe1-7639-4a75-9d4a-577b6ca3810f"
}
I verified that the response had these fields and values:
{
  "appId": "99045fe1-7639-4a75-9d4a-577b6ca3810f",
  "displayName": "Azure Active Directory Authentication Extensions",
  // ... other props ...
}
I could now create Custom Authentication Extensions using the UI.
When I ran the POST https://graph.microsoft.com/v1.0/identity/customAuthenticationExtensions from the docs, I received the "The application does not have any of the required delegated permissions (CustomAuthenticationExtension.ReadWrite.All) to access the resource." response. This implies that the access token I used had been issued with a different scope. I've tried several ways to obtain an access token with the scope CustomAuthenticationExtension.ReadWrite.All. Basically, all the known clients (e.g. Azure CLI) don't have this permission (nor is it granted to them) in their default scopes.
To obtain this access token:
I had to create MyCustomAuthenticationExtensionCreatorApp (I used the portal for this).
I added the CustomAuthenticationExtension.ReadWrite.All application permission and granted it admin consent.
I added a client secret.
I obtained an access token using the new app:
POST https://login.microsoftonline.com/{{tenantId}}/oauth2/v2.0/token
ContentType: application/x-www-form-urlencoded
grant_type = client_credentials
client_id = {{appClientId}}
client_secret = {{appClientSecret}}
scope = https://graph.microsoft.com/.default
I ran the POST https://graph.microsoft.com/v1.0/identity/customAuthenticationExtensions from the official documentation just fine.
P.S. Given the short time I had, I couldn't find a way to obtain an access token with a custom scope granting the delegated permission CustomAuthenticationExtension.ReadWrite.All. However, I suspect there should be a possibility. That way I wouldn't need to register an application and grant it special permissions.
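As an added example (not code from the question, the answer or Microsoft), here is a Python script that wires the two pieces of the answer together and adds the check that would have shortened the diagnosis in the question: before calling Graph, decode the access token's claims and see whether it actually carries CustomAuthenticationExtension.ReadWrite.All, either as an application role (`roles` claim, what the client-credentials token from the creator app gets) or as a delegated scope (`scp` claim, what an Azure CLI user token gets), then create the missing "Azure Active Directory Authentication Extensions" service principal only if the tenant really lacks it. It also parses the RequiredPermissions detail out of a directoryAudits record like the failed "Create customAuthenticationExtension" entry above. The tenant ID, client ID and client secret are read from the environment variables TENANT_ID, CLIENT_ID and CLIENT_SECRET (assumed names); the sample tokens and audit entry at the bottom are constructed for offline use; the JWT decoding deliberately skips signature verification because it inspects a token you just received, and must never stand in for an authorization check.

```python
"""Token claim check and service-principal bootstrap for customAuthenticationExtension setup.
Added example (not code from the question or the answer); standard library only.
Assumes an app registration with the CustomAuthenticationExtension.ReadWrite.All
application permission (admin-consented) and a client secret, as in the answer."""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
# appId of "Azure Active Directory Authentication Extensions", as quoted in the answer.
AUTH_EXTENSIONS_APP_ID = "99045fe1-7639-4a75-9d4a-577b6ca3810f"
REQUIRED_PERMISSION = "CustomAuthenticationExtension.ReadWrite.All"


def decode_jwt_claims(token: str) -> dict:
    """Payload claims of a compact JWT, WITHOUT signature verification.
    Diagnostic only (which permissions did Entra put in this token?);
    never use this to make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def has_graph_permission(claims: dict, permission: str) -> bool:
    """Application permissions arrive in `roles`; delegated ones in the
    space-separated `scp` claim (what an Azure CLI user token carries)."""
    roles = set(claims.get("roles", []))
    scopes = set(str(claims.get("scp", "")).split())
    return permission in roles or permission in scopes


def required_permissions_from_audit(entry: dict) -> list:
    """Extract the RequiredPermissions detail from a directoryAudits record."""
    for detail in entry.get("additionalDetails", []):
        if detail.get("key") == "RequiredPermissions":
            return [p.strip() for p in detail.get("value", "").split(",") if p.strip()]
    return []


def get_app_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials grant for https://graph.microsoft.com/.default (as in the answer)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": "https://graph.microsoft.com/.default",
    }).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant=tenant_id), data=body,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def graph(method: str, path: str, token: str, body=None) -> dict:
    """Minimal Graph v1.0 call; raises urllib.error.HTTPError on 4xx/5xx."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(GRAPH + path, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def ensure_auth_extensions_service_principal(token: str) -> dict:
    """Create the first-party service principal only if it is missing, so the
    workaround is idempotent on tenants where Microsoft has already provisioned it."""
    flt = urllib.parse.quote(f"appId eq '{AUTH_EXTENSIONS_APP_ID}'")
    found = graph("GET", f"/servicePrincipals?$filter={flt}", token).get("value", [])
    return found[0] if found else graph("POST", "/servicePrincipals", token,
                                        {"appId": AUTH_EXTENSIONS_APP_ID})


def unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT for offline demonstration only (Entra would reject it)."""
    seg = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


# Constructed samples: a client-credentials token from the creator app versus a
# typical user token from `az account get-access-token` (scopes are illustrative).
SAMPLE_APP_TOKEN = unsigned_jwt({"aud": "https://graph.microsoft.com",
                                 "roles": [REQUIRED_PERMISSION]})
SAMPLE_CLI_TOKEN = unsigned_jwt({"aud": "https://graph.microsoft.com",
                                 "scp": "AuditLog.Read.All Directory.AccessAsUser.All"})
# Constructed subset of the failed "Create customAuthenticationExtension" audit entry.
SAMPLE_AUDIT_ENTRY = {
    "resultReason": "Access denied. Client app does not have required app permissions.",
    "additionalDetails": [
        {"key": "targetEntityType", "value": "Policy"},
        {"key": "RequiredPermissions",
         "value": "Delegated_CustomAuthenticationExtensionReadWrite, "
                  "Application_CustomAuthenticationExtensionReadWrite"}]}

if __name__ == "__main__":
    token = get_app_token(os.environ["TENANT_ID"], os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"])
    claims = decode_jwt_claims(token)
    if not has_graph_permission(claims, REQUIRED_PERMISSION):
        sys.exit(f"token lacks {REQUIRED_PERMISSION}: roles={claims.get('roles')} scp={claims.get('scp')}")
    sp = ensure_auth_extensions_service_principal(token)
    print("service principal present:", sp.get("displayName"), sp.get("id"))
```

The `$filter=appId eq '...'` lookup is what makes the service-principal step safe to re-run: on a tenant where Microsoft has since provisioned the principal, a blind POST would return a conflict, whereas this returns the existing object. The claim check is the fast way to tell the two failure modes in the thread apart: a token whose `roles`/`scp` lacks the permission will fail no matter how the tenant is configured, while a token that carries it and still gets "Access denied" points at the missing service principal.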