This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(288, 13%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERG%3C/text%3E%3C/svg%3E)
I'm trying to use Custom Authentication Extensions in an Azure External ID (CIAM) tenant but cannot create extensions despite having proper permissions.
Tenant Type: Azure External ID (CIAM) Tenant ID: 685b0e61-9989-4252-8f1b-993dc4859f4d
What Works:
/v1.0/identity/customAuthenticationExtensions succeed (returns empty array)/v1.0/identity/authenticationEventListeners succeed (returns empty array)CustomAuthenticationExtension.ReadWrite.All application permissionWhat Fails:
/v1.0/identity/customAuthenticationExtensions succeed (returns empty array)/v1.0/identity/authenticationEventListeners succeed (returns empty array)CustomAuthenticationExtension.ReadWrite.All application permission"code": "AADB2C",
"message": "The custom extension should be of subtype of CustomAuthenticationExtension"
Steps to Reproduce:
CustomAuthenticationExtension.ReadWrite.All (application permission)https://graph.microsoft.com/v1.0/identity/customAuthenticationExtensionsQuestion: Is there a tenant-level feature flag that needs to be enabled for CIAM tenants to create Custom Authentication Extensions? The Portal UI doesn't show "Custom authentication extensions" menu item in the Security blade for CIAM tenants either.
Managing external identities to enable secure access for partners, customers, and other non-employees
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 85%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVS%3C/text%3E%3C/svg%3E)
Hello Rick Gregory,
It sounds like you're running into some snags trying to create Custom Authentication Extensions in your Azure CIAM tenant. Let's break down the situation.
It appears that your GET requests are working just fine, which means your setup is partially correct. However, you're facing validation errors when performing a POST to create the custom authentication extension. The error message you're seeing — "The custom extension should be of subtype of CustomAuthenticationExtension" — usually indicates that the structure or type of the data you're sending doesn't match the expected format.
Here are some steps you can take to troubleshoot this issue:
Check the Request Body: Ensure that the structure of your POST request complies with the expected schema for creating a Custom Authentication Extension. The JSON payload should correctly reflect the subtype required by Microsoft Entra.
Review Resource Types: Verify that you are using the correct resource types and properties that relate to your extension. Make sure to define any necessary properties that align with the specifications outlined in the documentation.
Tenant-Level Feature Flags: As you mentioned wondering if there's a tenant-level feature flag needed to utilize Custom Authentication Extensions, it's essential to confirm if your tenant has specific configurations or restrictions. Azure may require enabling certain features or settings for CIAM tenants to use this functionality.
Utilize Examples: Sometimes looking at example requests can clarify the structure you're supposed to follow. Check any official examples and try to structure your POST request similarly.
To help you better, here are a few clarifying questions:
Looking forward to your response, and hopefully, we can get this sorted out!
Thank you for the response! I appreciate the help. The last Reference Link above returns 404. Here are answers to your questions:
1. JSON Payload Used:
I've tested multiple payload structures. Here's the most recent attempt:
{
"@odata.type": "#microsoft.graph.onTokenIssuanceStartCustomExtension",
"displayName": "EntPOWEREDGraph-Passkey-Auth",
"description": "FIDO2 passkey authentication with IDP abstraction",
"endpointConfiguration": {
"@odata.type": "#microsoft.graph.httpRequestEndpoint",
"targetUrl": "https://fa-entpg-patient-dev.azurewebsites.net/api/ciam/auth-extension"
},
"claimsForTokenConfiguration": [
{
"claimIdInApiResponse": "passkey_available"
},
{
"claimIdInApiResponse": "authentication_method"
}
]
}
This resulted in: "The 'authenticationConfiguration' field is invalid in request. "When I added authenticationConfiguration with azureAdTokenAuthentication, I got: "The custom extension should be of subtype of CustomAuthenticationExtension".
2. Documentation Review:
I've reviewed the official documentation, but it largely covers workforce tenants. The examples that I have seen don't specify CIAM-specific requirements or limitations.
3. Additional Context:
Error Code Pattern: All errors return code "AADB2C" (not standard Graph API errors)
Azure Portal UI: The "Custom authentication extensions" menu doesn't appear in Security blade for CIAM tenants (it exists in workforce Entra ID)
App Registration: App ID (available if needed) with CustomAuthenticationExtension.ReadWrite.All application permission, admin-consented
I also have correlation IDs if they would be helpful.
4. Permissions Confirmed:
Answer accepted by question author
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 49%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
The only CIAM custom extensions are under "External Identities | Custom authentication extensions".
You mention "FIDO2 passkey authentication"?
Passkeys are not supported in CIAM.
RoryB,
I wanted to follow up and thank you for your guidance on the Custom Authentication Extension implementation. Your direction confirmed to me the features availability in the CIAM tenant and was exactly what was needed to move forward.
Following your advice, I've successfully registered the Custom Authentication Extension in the CIAM tenant with TokenIssuanceStart event type. I created the Authentication Event Listener via Microsoft Graph API and connected it to the application, configured OAuth 2.0 Authentication with proper API scopes, pre-authorized the Azure AD Authentication Extensions service, and granted admin consent. Deployed and verified the endpoint is reachable and returns the correct response schema per Microsoft Graph documentation. The configuration is now in-place and the infrastructure is ready.
I am currently seeing error code 1003002 during token issuance after Email OTP authentication completes. Interestingly, the endpoint responds correctly when tested directly, and Application Insights shows no requests reaching it, which suggests CIAM may be encountering an issue before successfully making the call. I continue to investigate the validation logic in our endpoint code.
Nevertheless, i wanted to thank you again for your timely assistance and for confirming the feature availability. It made all the difference in our implementation!
Best regards