How to add a parameterized scope or a custom authorization claim about a user to an access token in Azure AD

Olingi 21 Reputation points
2022-12-02T12:54:04.113+00:00

I have a web app registered as an enterprise application in an Azure AD tenant that signs in users and calls my own downstream api also registered in the tenant, to access data that my company owns (not the user). Each user should only be able to access data based on information we've given them in our tenant about their organization (or a provinceID their organization belongs to), but I haven't found a way to add this information to an access token my api can then use to "scope" the data. I was imagining preferably something along the lines of parameterized scopes, f.ex. myapi.read:province or myapi.read:organizationID. This would be similar to the way IdentityServer implements it: https://docs.duendesoftware.com/identityserver/v5/fundamentals/resources/api_scopes/#parameterized-scopes
If not as a scope, then just add this custom claim/attribute belonging to the user to the access token (this was very simple when we were using IdentityServer).
Everything I've looked into just lets me add some predefined optional claims to the token, or when reading about extension attributes, I read in the docs that they should not be used for authorization for some reason, which this is in my use case.
I'm very reluctant to create groups for every value these claims could have and I don't see a difference from a security standpoint between adding a group describing the province/organization to a token vs. my custom claim about the user to the token.
I have also looked at the custom security attributes (which are in preview as of this writing) which seemed to address my issue, but they only seem to work for specific Azure solutions like blob storages, and not a custom api; maybe I'm wrong on this. I think I read somewhere in the docs that I can indeed call the Graph API to get these user attributes (with the access token), but I also read that this information should not be persisted for some reason, which means I would be calling the Graph API for every single request, which seems like overkill.
I also would prefer not to create an application specific database that "duplicates" user information and maps to an organization/province for every application we create that uses this information. This would just mean we have to create a web app to deal with this duplicate user registration, and then we would just create something centralized anyway which I was hoping Azure AD would solve in the first place.

Maybe I've missed something here or misunderstood the docs and this is indeed possible, or I'm just going in the wrong direction with this completely, or maybe I need another solution. Can anyone point me in the right direction with this?

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

Accepted answer
JamesTran-MSFT 36,461 Reputation points Microsoft Employee
2022-12-06T23:12:34.553+00:00

    @Olingi
    Thank you for your post and I apologize for the delayed response!

    Environment:

    • You have a Web App registered as an Enterprise App within your Azure AD tenant
    • Users use this App to sign in
    • The App calls another API within your Azure AD tenant to access data after the user signs in.
    • Each user should be able to access this data based on the information your tenant provided.

    ----------------------------------

    Issue:
    From our documentation, you haven't found a way to add this info (i.e. custom claim) to the user's Access Token so that your API can use this to scope (I'm assuming query) the data available to the user.

    Findings:
    When it comes to Customize claims emitted in tokens for a specific app in a tenant, you should be able to do this by following our Custom Claims to a user's Access Token (jwt) documentation. Please keep in mind that claims customization supports configuring claim-mapping policies for the WS-Fed, SAML, OAuth, and OpenID Connect protocols. For more info - Customize claims emitted in tokens - Get started.

    {
      "ClaimsMappingPolicy":
        {
          "Version":1,
          "IncludeBasicClaimSet":"true",
          "ClaimsSchema":[{"value":"myConstantValue","JwtClaimType":"myClaim"}]
        }
    }

    Additional Links:
    Azure AD - Custom Claims in Access Tokens - This related issue details an example of how to get the claims (constant names and values) every time an access token is requested.
    Azure AD - add custom claim to access token - This thread details adding a custom "prn" claim to the token.

    I hope this helps!

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
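The two halves of the approach in the accepted answer, worked through as an added example (this is not code from the answer, the question, or Microsoft's documentation): the first function builds the request body that Microsoft Graph expects for `POST /policies/claimsMappingPolicies`, where the policy JSON shown above is carried as a string inside the `definition` array; the second function is the authorization step the question asks about, run inside the downstream API after the JWT middleware has already validated signature, issuer and expiry. The claim name `provinceID`, the scope `myapi.read`, the audience placeholder and the sample token payload are all assumptions constructed for the example.

```python
import json

# Assumed names, not taken from the page: the claim the API keys its data on,
# the delegated scope the client must hold, and the API's identifier URI.
CLAIM_TYPE = "provinceID"
REQUIRED_SCOPE = "myapi.read"
API_AUDIENCE = "api://my-api-app-id-placeholder"  # placeholder, not a real app id


def build_claims_mapping_policy(display_name, jwt_claim_type, *,
                                source="user", source_id=None, value=None):
    """Return the body for POST https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies.

    Graph stores the policy as a string collection, so the ClaimsMappingPolicy
    object is serialised and wrapped in a one-element list. Pass either
    source_id (an attribute of the user object, e.g. "employeeid") to emit a
    per-user value, or value (a constant, as in the answer above).
    """
    if (source_id is None) == (value is None):
        raise ValueError("give exactly one of source_id or value")
    schema_entry = {"JwtClaimType": jwt_claim_type}
    if value is not None:
        schema_entry["Value"] = value
    else:
        schema_entry.update({"Source": source, "ID": source_id})
    policy = {
        "ClaimsMappingPolicy": {
            "Version": 1,
            "IncludeBasicClaimSet": "true",
            "ClaimsSchema": [schema_entry],
        }
    }
    return {
        "definition": [json.dumps(policy, separators=(",", ":"))],
        "displayName": display_name,
        "isOrganizationDefault": False,
    }


def authorize(claims, requested_province):
    """Authorization decision for a request against province-scoped data.

    `claims` is the decoded payload of an access token whose signature, issuer
    and expiry the JWT middleware has ALREADY checked; this function only
    enforces audience, scope and the mapped claim. Returns (allowed, reason).
    """
    if claims.get("aud") != API_AUDIENCE:
        return False, "token not issued for this API"
    scopes = claims.get("scp", "").split()  # scp is a space-separated string
    if REQUIRED_SCOPE not in scopes:
        return False, f"missing scope {REQUIRED_SCOPE}"
    province = claims.get(CLAIM_TYPE)
    if not province:
        # Fail closed: a token without the mapped claim gets no data, not all data.
        return False, f"missing claim {CLAIM_TYPE}"
    if province != requested_province:
        return False, "claim does not match requested province"
    return True, "ok"


# Constructed sample payload, shaped like a v2.0 access token after validation.
SAMPLE_CLAIMS = {
    "aud": API_AUDIENCE,
    "scp": "myapi.read",
    "oid": "00000000-0000-0000-0000-000000000000",  # placeholder object id
    CLAIM_TYPE: "P-07",
}

if __name__ == "__main__":
    body = build_claims_mapping_policy("Province claim", CLAIM_TYPE, source_id="employeeid")
    print(json.dumps(body, indent=2))
    for province in ("P-07", "P-08"):
        print(province, authorize(SAMPLE_CLAIMS, province))
```

After the policy is created it still has to be linked to the API's service principal (`POST /servicePrincipals/{id}/claimsMappingPolicies/$ref` with the policy's `@odata.id`), and the API's app registration must set `acceptMappedClaims` to true in its manifest (or use a custom signing key) before Azure AD will emit mapped claims for it. Note that the API reads the claim from the token and never calls Graph per request, which is the round trip the question wanted to avoid.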

