Use this reference to find every supported way to extend Microsoft identity platform OpenID Connect (OIDC) behavior. Each row links to the concept or how-to article in this repo and to the Microsoft Graph API resource that programs the surface.
Extensibility refers to changing how Microsoft Entra issues OIDC tokens or processes OIDC requests for apps you own — for example, adding claims from an external store, customizing token contents per app, or trusting tokens from external workload identities. Configuring an existing OIDC app (such as GitHub, Salesforce, or another SaaS app) to use Microsoft Entra for sign-in is integration, not extensibility. For app integration guidance, see Microsoft Entra application gallery.
For the underlying endpoint contracts, see OpenID Connect on the Microsoft identity platform.
Extensibility surfaces at a glance
| Capability | What it lets you do | Concept and how-to | Microsoft Graph API |
|---|---|---|---|
| Custom claims provider | Call an external REST API during token issuance to enrich tokens with claims from a remote store. | Custom claims provider overview, Reference | customAuthenticationExtension, onTokenIssuanceStartListener |
| Token issuance start event | Configure the event listener that triggers your custom claims provider during token issuance. | Set up token issuance start event, Configure | onTokenIssuanceStartCustomExtension, onTokenIssuanceStartHandler, onTokenIssuanceStartReturnClaim |
| Optional claims | Add Microsoft Entra-sourced claims (such as groups, idtyp, login_hint) to ID, access, and SAML tokens. | Provide optional claims to your app, Reference | optionalClaim, optionalClaims on application |
| Custom claims policy (per-app) | Map directory attributes to claims in tokens issued for a specific app, including transformations. | JWT claims customization, SAML claims customization, Custom claims policy | customClaimsPolicy, claimsMappingPolicy |
| Token lifetime policy | Configure access, refresh, and ID token lifetimes for an app or tenant. | Configurable token lifetimes, Configure | tokenLifetimePolicy |
| Token issuance policy | Configure SAML token signing and encryption behavior at issuance. | SAML claims customization | tokenIssuancePolicy |
| Federated identity credentials | Trust tokens from external issuers (GitHub, Kubernetes, other clouds) instead of using a client secret or certificate. | Workload identity federation | federatedIdentityCredential, Federated identity credentials overview |
| Application manifest | Declaratively configure redirect URIs, audiences, allowed grant types, and token settings. | Application manifest reference | application, servicePrincipal |
| Delegated permission grants | Authorize delegated scopes for a user or tenant. | Permissions and consent overview | oAuth2PermissionGrant |
| App role assignments | Assign app roles to users, groups, or service principals for token-based authorization. | App roles overview | appRoleAssignment |
| Continuous access evaluation (CAE) | Enable token revocation in near real time for events such as user sign-out, password change, and risk detection. | Continuous access evaluation | conditionalAccessPolicy |
| Claims challenge (step-up) | Request stronger authentication or fresher claims mid-session. | Claims challenges, Claims validation | N/A (protocol-level; signaled in the claims request parameter) |
Choosing an extensibility surface
Use the following guidance to decide which surface fits your scenario:
- To add claims sourced from Microsoft Entra ID, use optional claims or a custom claims policy.
- To add claims sourced from an external system, use a custom claims provider backed by an Azure Functions endpoint or other REST API.
- To trust an external workload identity instead of using a client secret or certificate, configure a federated identity credential.
- To react to security events (revoked sessions, risk changes, password resets) on existing tokens, enable continuous access evaluation.
- To request fresher authentication during a session, issue a claims challenge.
Programming model
Most surfaces in the table are configured through the Microsoft Graph application and servicePrincipal resources or through the policies endpoint. Authentication libraries don't configure these surfaces; use Microsoft Graph SDKs, the Microsoft Graph PowerShell SDK, or direct REST calls.
For an end-to-end example that combines a custom authentication extension with a token issuance start event, see Configure a custom claim provider with a token issuance start event.
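As an added example (not code from the Microsoft docs), the following Python builds the Microsoft Graph request for the federated identity credentials row above and audits the body before it is sent: it pins a GitHub Actions subject to one branch or environment, checks the audience Entra expects, and checks the issuer against an allowlist. The application object ID, repo names and the `audit_fic` rules are assumptions for illustration; no network call is made.

```python
"""Build and audit a federatedIdentityCredential body (added example, not Microsoft's code).
Property names follow the Graph federatedIdentityCredential resource; subject formats
follow GitHub's OIDC `sub` claim conventions."""
import re

GRAPH_BASE = "https://graph.microsoft.com/v1.0"
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
ENTRA_AUDIENCE = "api://AzureADTokenExchange"  # audience Entra expects in the external token
# Name rule as documented for the resource: 3-120 chars, alphanumeric/dash/underscore.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{2,119}$")


def github_subject(owner, repo, *, branch=None, environment=None, tag=None, pull_request=False):
    """Return the GitHub Actions OIDC `sub` claim scoped to one workflow context."""
    base = f"repo:{owner}/{repo}"
    if environment:
        return f"{base}:environment:{environment}"
    if branch:
        return f"{base}:ref:refs/heads/{branch}"
    if tag:
        return f"{base}:ref:refs/tags/{tag}"
    if pull_request:
        return f"{base}:pull_request"
    raise ValueError("scope the subject to a branch, tag, environment, or pull_request")


def build_fic_request(app_object_id, name, subject, issuer=GITHUB_ISSUER, description=""):
    """Return (url, body) for POST /applications/{id}/federatedIdentityCredentials."""
    url = f"{GRAPH_BASE}/applications/{app_object_id}/federatedIdentityCredentials"
    body = {"name": name, "issuer": issuer, "subject": subject,
            "audiences": [ENTRA_AUDIENCE], "description": description}
    return url, body


def audit_fic(body, trusted_issuers=(GITHUB_ISSUER,)):
    """Return review findings for a credential body; an empty list means it passes."""
    findings = []
    if not NAME_RE.match(body.get("name", "")):
        findings.append("name must be 3-120 chars of [A-Za-z0-9_-]")
    if body.get("issuer") not in trusted_issuers:
        findings.append(f"issuer not in allowlist: {body.get('issuer')}")
    if body.get("audiences") != [ENTRA_AUDIENCE]:
        findings.append("audiences must be exactly [api://AzureADTokenExchange]")
    sub = body.get("subject", "")
    # A bare repo:owner/repo subject trusts every workflow and ref in the repository.
    if sub.startswith("repo:") and not re.search(r":(ref|environment|pull_request)\b", sub):
        findings.append("GitHub subject is not pinned to a ref or environment")
    return findings
```

The returned `url` and `body` are what a Graph SDK call or a direct REST POST with a bearer token would send; run `audit_fic` in CI before that call so an over-broad trust never reaches the tenant.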