Microsoft identity platform OIDC extensibility reference

Use this reference to find every supported way to extend Microsoft identity platform OpenID Connect (OIDC) behavior. Each row links to the concept or how-to article in this repo and to the Microsoft Graph API resource that programs the surface.

Extensibility refers to changing how Microsoft Entra issues OIDC tokens or processes OIDC requests for apps you own — for example, adding claims from an external store, customizing token contents per app, or trusting tokens from external workload identities. Configuring an existing OIDC app (such as GitHub, Salesforce, or another SaaS app) to use Microsoft Entra for sign-in is integration, not extensibility. For app integration guidance, see Microsoft Entra application gallery.

For the underlying endpoint contracts, see OpenID Connect on the Microsoft identity platform.

Extensibility surfaces at a glance

| Capability | What it lets you do | Concept and how-to | Microsoft Graph API |
|---|---|---|---|
| Custom claims provider | Call an external REST API during token issuance to enrich tokens with claims from a remote store. | Custom claims provider overview, Reference | customAuthenticationExtension, onTokenIssuanceStartListener |
| Token issuance start event | Configure the event listener that triggers your custom claims provider during token issuance. | Set up token issuance start event, Configure | onTokenIssuanceStartCustomExtension, onTokenIssuanceStartHandler, onTokenIssuanceStartReturnClaim |
| Optional claims | Add Microsoft Entra-sourced claims (such as groups, idtyp, login_hint) to ID, access, and SAML tokens. | Provide optional claims to your app, Reference | optionalClaim, optionalClaims on application |
| Custom claims policy (per-app) | Map directory attributes to claims in tokens issued for a specific app, including transformations. | JWT claims customization, SAML claims customization, Custom claims policy | customClaimsPolicy, claimsMappingPolicy |
| Token lifetime policy | Configure access, refresh, and ID token lifetimes for an app or tenant. | Configurable token lifetimes, Configure | tokenLifetimePolicy |
| Token issuance policy | Configure SAML token signing and encryption behavior at issuance. | SAML claims customization | tokenIssuancePolicy |
| Federated identity credentials | Trust tokens from external issuers (GitHub, Kubernetes, other clouds) instead of using a client secret or certificate. | Workload identity federation | federatedIdentityCredential, Federated identity credentials overview |
| Application manifest | Declaratively configure redirect URIs, audiences, allowed grant types, and token settings. | Application manifest reference | application, servicePrincipal |
| Delegated permission grants | Authorize delegated scopes for a user or tenant. | Permissions and consent overview | oAuth2PermissionGrant |
| App role assignments | Assign app roles to users, groups, or service principals for token-based authorization. | App roles overview | appRoleAssignment |
| Continuous access evaluation (CAE) | Enable token revocation in near real time for events such as user sign-out, password change, and risk detection. | Continuous access evaluation | conditionalAccessPolicy |
| Claims challenge (step-up) | Request stronger authentication or fresher claims mid-session. | Claims challenges, Claims validation | N/A (protocol-level; signaled in the claims request parameter) |

Choosing an extensibility surface

Use the following guidance to decide which surface fits your scenario:

Programming model

Most surfaces in the table are configured through the Microsoft Graph application and servicePrincipal resources or through the policies endpoint. Authentication libraries don't configure these surfaces; use Microsoft Graph SDKs, the Microsoft Graph PowerShell SDK, or direct REST calls.
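As an added illustration of the direct-REST programming model (example code written for this page, not Microsoft's own sample), the following builds the Microsoft Graph request bodies for two surfaces from the table, optional claims on an application and a tokenLifetimePolicy with its `$ref` assignment, and sends them only when a Graph access token is supplied. It assumes the documented shapes of the optionalClaim and tokenLifetimePolicy resources; the application object id and policy id are placeholders.

```python
import json
import re
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Lifetimes inside a tokenLifetimePolicy definition are written as H:MM:SS strings.
_LIFETIME = re.compile(r"^\d{1,2}:[0-5]\d:[0-5]\d$")


def optional_claims_patch(id_token=(), access_token=()):
    """Body for PATCH /applications/{id}: adds Microsoft Entra-sourced optional claims.

    Each entry is an optionalClaim resource; 'essential' stays False because these
    claims are informational and must not be treated as an authorization decision."""
    def entries(names):
        return [{"name": n, "source": None, "essential": False,
                 "additionalProperties": []} for n in names]
    return {"optionalClaims": {"idToken": entries(id_token),
                               "accessToken": entries(access_token)}}


def token_lifetime_policy(display_name, access_token_lifetime):
    """Body for POST /policies/tokenLifetimePolicies.

    The resource expects 'definition' to be a list of JSON *strings*, not nested
    objects; serializing the inner object is the step that is easy to miss."""
    if not _LIFETIME.match(access_token_lifetime):
        raise ValueError(f"lifetime must be H:MM:SS, got {access_token_lifetime!r}")
    inner = {"TokenLifetimePolicy": {"Version": 1,
                                     "AccessTokenLifetime": access_token_lifetime}}
    return {"definition": [json.dumps(inner)],
            "displayName": display_name,
            "isOrganizationDefault": False}


def policy_ref(policy_id):
    """Body for POST /applications/{id}/tokenLifetimePolicies/$ref (assign policy to app)."""
    return {"@odata.id": f"{GRAPH}/policies/tokenLifetimePolicies/{policy_id}"}


def graph_call(method, path, body, bearer):
    """Direct REST call; runs only when a Graph access token is supplied by the caller."""
    req = urllib.request.Request(f"{GRAPH}{path}", method=method,
                                 data=json.dumps(body).encode(),
                                 headers={"Authorization": f"Bearer {bearer}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    app_object_id = "<application-object-id>"  # placeholder, not a real object id
    print(json.dumps(optional_claims_patch(id_token=["login_hint"], access_token=["idtyp"]), indent=2))
    print(json.dumps(token_lifetime_policy("Short access tokens", "1:00:00"), indent=2))
```

To apply, pass the bodies to `graph_call("PATCH", f"/applications/{app_object_id}", ..., token)` and `graph_call("POST", "/policies/tokenLifetimePolicies", ..., token)` with a token that carries the Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration permissions.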

For an end-to-end example that combines a custom authentication extension with a token issuance start event, see Configure a custom claim provider with a token issuance start event.