Custom claims provider (TokenIssuanceStart) not invoked during External ID user sign-in — endpoint receives zero requests despite ClaimsMappingPolicy attached

Question

Custom claims provider (TokenIssuanceStart) not invoked during External ID user sign-in — endpoint receives zero requests despite ClaimsMappingPolicy attached

Tony Garrett 0

UPDATE (after extensive Graph-side verification):

POST /identity/customAuthenticationExtensions/validateAuthenticationConfiguration

returns { errors: [], warnings: [] } for the current configuration.

GET /servicePrincipals/{id}/claimsMappingPolicies returns the policy

correctly attached.

GET /identity/authenticationEventListeners shows the TokenIssuanceStart

listener registered with the correct customExtension reference.

The sign-in flow now correctly requests an access-token scope

(api://{api-app-id}/SDLC.Access) so TokenIssuanceStart should fire.

However:

App Insights Live Metrics confirms zero inbound requests to the endpoint during sign-in.
jwt.ms shows AADSTS1100001 / 1003011 with handler numberOfAttempts=0.
Microsoft's own validateAuthenticationConfiguration endpoint returns no errors or warnings for this exact configuration.

New correlation IDs:

xxxxxxxx (00:07:24 UTC, 2026-05-21)
xxxxxxxxx (00:18:11 UTC, 2026-05-21)

What configuration step might cause numberOfAttempts=0 while the

configuration validator returns no errors? Is there a tenant-level

consent or first-party service principal permission grant that isn't

surfaced in either the portal or the validator that's required before

TokenIssuanceStart custom extensions will fire in CIAM tenants?

Summary

Microsoft Entra External ID custom authentication extension registered for

the TokenIssuanceStart event is not being invoked during user sign-in. The

endpoint is reachable and returns 200 on direct POST, but App Insights and

the App Service raw HTTP log show zero inbound requests during real sign-ins.

Three successful sign-ups through the published user flow have issued tokens

without ever calling the enrichment endpoint.

Environment

Tenant type: Microsoft Entra External ID (workforce-style customer tenant)
Application: ASP.NET Core 9 API on Azure App Service
Endpoint: HTTPS, public, validates OAuth bearer per Microsoft docs
Direct POST to the endpoint with a valid bearer returns 200 with a properly shaped onTokenIssuanceStart response (verified with curl)

Configuration verified

Custom authentication extension registered, event type TokenIssuanceStart
Extension references a separate app registration as the resource app
acceptMappedClaims=true set on the API application manifest
ClaimsMappingPolicy created with the claim schema entry pointing at the custom claims provider
ClaimsMappingPolicy attached to the API's service principal via Microsoft Graph (the Azure portal UI does not persist OIDC policy assignment, so Graph was required)
App registration has the required API permissions and admin consent granted
The 99045fe1-... first-party service principal is present in the tenant
Custom extension's app has the CustomAuthenticationExtension.Receive.Payload permission consented

Observed behavior

During real user sign-in through the user flow:

Sign-in completes and a token is issued
The token contains the user's standard claims
The token does NOT contain the claim that should have been added by the custom claims provider
App Insights for the endpoint's App Service shows zero requests during the sign-in window
App Service raw HTTP log (Diagnose and solve problems → Web app down / Application Logs) also shows zero inbound requests
Sign-in Diagnostic for the affected sign-ins returns no actionable guidance
The "azureSubErrorCode" field in the diagnostic UI renders as the literal placeholder string {azureSubErrorCode} rather than an actual sub-code, which appears to be a portal bug

Error codes observed where present

AADSTS1100001
AADSTS1003011

Ruled out

requestedAccessTokenVersion: External ID forces v2, no override needed
Missing first-party SP (99045fe1-...): present in tenant
Microsoft Graph permission gap: consent granted, verified
Missing claims-mapping policy: policy exists and is attached via Graph
Missing event listener registration: registered and visible in the portal
App Insights sampling hiding requests: ruled out via raw HTTP log

Questions

What additional configuration could cause the TokenIssuanceStart event listener to silently no-op for a properly-registered custom claims provider with a Graph-attached ClaimsMappingPolicy?
Is there a tenant-level toggle, feature flag, or licensing requirement for custom claims providers in External ID that is not surfaced in the public docs?
Are AADSTS1100001 and AADSTS1003011 documented anywhere with externally-actionable guidance? The current Sign-in Diagnostic does not surface a sub-code.
What is the supported way to verify, end-to-end, that a custom claims provider is being invoked at all during a user flow sign-in (short of waiting for log entries that never arrive)?

Any pointer to additional diagnostic surfaces I have not checked would be

appreciated.

Sridevi Machavarapu 31,585 Reputation points Microsoft External Staff Moderator

2026-05-20T23:42:50.2833333+00:00
Hello Tony Garrett,

From the details shared, the configuration looks correct overall: the endpoint is reachable, direct POST requests succeed, the extension is registered, the ClaimsMappingPolicy is attached through Microsoft Graph, and the required permissions and consent are present.

The main issue is that no requests reach the endpoint during actual sign-ins, which suggests the custom claims provider is not being invoked during token issuance.

Please verify whether the token being tested is an access token for the API where the ClaimsMappingPolicy is attached, or only an ID token for the client application. If only an ID token is issued, the policy may not be evaluated for the API service principal.

You can test with an explicit API scope such as:

scope=openid profile api://<api-app-id>/<scope-name>

It may also help to verify the bindings directly through Microsoft Graph:

GET /servicePrincipals/{id}/claimsMappingPolicies

GET /identity/authenticationEventListeners

Please confirm the listener is enabled, the event type is TokenIssuanceStart, and the expected application/service principal is referenced.

AADSTS1100001 and AADSTS1003011 do not currently have detailed public documentation. The {azureSubErrorCode} value shown in diagnostics also appears to be a portal-side issue rather than a usable sub-code.
Tony Garrett 0 Reputation points

2026-05-21T00:29:50.2466667+00:00
UPDATE (after extensive Graph-side verification):

POST /identity/customAuthenticationExtensions/validateAuthenticationConfiguration

returns { errors: [], warnings: [] } for the current configuration.

GET /servicePrincipals/{id}/claimsMappingPolicies returns the policy

correctly attached.

GET /identity/authenticationEventListeners shows the TokenIssuanceStart

listener registered with the correct customExtension reference.

The sign-in flow now correctly requests an access-token scope

(api://{api-app-id}/SDLC.Access) so TokenIssuanceStart should fire.

However:

App Insights Live Metrics confirms zero inbound requests to the endpoint during sign-in.

jwt.ms shows AADSTS1100001 / 1003011 with handler numberOfAttempts=0.

Microsoft's own validateAuthenticationConfiguration endpoint returns no errors or warnings for this exact configuration.

What configuration step might cause numberOfAttempts=0 while the

configuration validator returns no errors? Is there a tenant-level

consent or first-party service principal permission grant that isn't

surfaced in either the portal or the validator that's required before

TokenIssuanceStart custom extensions will fire in CIAM tenants?
Sridevi Machavarapu 31,585 Reputation points Microsoft External Staff Moderator

2026-05-22T21:40:24.7166667+00:00
Hello Tony Garrett,

Thanks for the update. From what you’ve described, your configuration appears correct: the validator shows no errors, the ClaimsMappingPolicy is attached, the listener is registered, and the sign-in flow requests an access token for the API.

The fact that App Insights shows zero inbound requests and the token shows AADSTS1100001 / 1003011 with numberOfAttempts=0 indicates that the extensibility pipeline is not invoking your listener at all.

In CIAM/External ID tenants, this can happen due to tenant-level requirements that aren’t surfaced in the validator or portal, such as:

First-party service principal: The Microsoft first-party SP (99045fe1-…) must exist and be properly configured. Missing or misconfigured SPs can prevent TokenIssuanceStart from firing.

Extension app consent: The CustomAuthenticationExtension.Receive.Payload permission must be granted and fully recorded in the tenant. Partial consent may pass the validator but still block execution.

Tenant-level restrictions or feature flags: Certain CIAM tenants may have settings that silently block custom claims extensions.

Since numberOfAttempts=0, this is likely a tenant-level or backend enforcement issue rather than a misconfiguration of your extension or policy.

Your API’s acceptMappedClaims=true setting is correct and not the cause.

1 answer

Your answer

Sridevi Machavarapu 31,585 Reputation points Microsoft External Staff Moderator

2026-05-20T23:42:50.2833333+00:00

Hello Tony Garrett,

From the details shared, the configuration looks correct overall: the endpoint is reachable, direct POST requests succeed, the extension is registered, the ClaimsMappingPolicy is attached through Microsoft Graph, and the required permissions and consent are present.

The main issue is that no requests reach the endpoint during actual sign-ins, which suggests the custom claims provider is not being invoked during token issuance.

Please verify whether the token being tested is an access token for the API where the ClaimsMappingPolicy is attached, or only an ID token for the client application. If only an ID token is issued, the policy may not be evaluated for the API service principal.

You can test with an explicit API scope such as:

scope=openid profile api://<api-app-id>/<scope-name>

It may also help to verify the bindings directly through Microsoft Graph:

GET /servicePrincipals/{id}/claimsMappingPolicies

GET /identity/authenticationEventListeners

Please confirm the listener is enabled, the event type is TokenIssuanceStart, and the expected application/service principal is referenced.

AADSTS1100001 and AADSTS1003011 do not currently have detailed public documentation. The {azureSubErrorCode} value shown in diagnostics also appears to be a portal-side issue rather than a usable sub-code.
Tony Garrett 0 Reputation points

2026-05-21T00:29:50.2466667+00:00

UPDATE (after extensive Graph-side verification):

POST /identity/customAuthenticationExtensions/validateAuthenticationConfiguration

returns { errors: [], warnings: [] } for the current configuration.

GET /servicePrincipals/{id}/claimsMappingPolicies returns the policy

correctly attached.

GET /identity/authenticationEventListeners shows the TokenIssuanceStart

listener registered with the correct customExtension reference.

The sign-in flow now correctly requests an access-token scope

(api://{api-app-id}/SDLC.Access) so TokenIssuanceStart should fire.

However:

App Insights Live Metrics confirms zero inbound requests to the endpoint during sign-in.

jwt.ms shows AADSTS1100001 / 1003011 with handler numberOfAttempts=0.

Microsoft's own validateAuthenticationConfiguration endpoint returns no errors or warnings for this exact configuration.

What configuration step might cause numberOfAttempts=0 while the

configuration validator returns no errors? Is there a tenant-level

consent or first-party service principal permission grant that isn't

surfaced in either the portal or the validator that's required before

TokenIssuanceStart custom extensions will fire in CIAM tenants?
Sridevi Machavarapu 31,585 Reputation points Microsoft External Staff Moderator

2026-05-22T21:40:24.7166667+00:00

Hello Tony Garrett,

Thanks for the update. From what you’ve described, your configuration appears correct: the validator shows no errors, the ClaimsMappingPolicy is attached, the listener is registered, and the sign-in flow requests an access token for the API.

The fact that App Insights shows zero inbound requests and the token shows AADSTS1100001 / 1003011 with numberOfAttempts=0 indicates that the extensibility pipeline is not invoking your listener at all.

In CIAM/External ID tenants, this can happen due to tenant-level requirements that aren’t surfaced in the validator or portal, such as:

First-party service principal: The Microsoft first-party SP (99045fe1-…) must exist and be properly configured. Missing or misconfigured SPs can prevent TokenIssuanceStart from firing.

Extension app consent: The CustomAuthenticationExtension.Receive.Payload permission must be granted and fully recorded in the tenant. Partial consent may pass the validator but still block execution.

Tenant-level restrictions or feature flags: Certain CIAM tenants may have settings that silently block custom claims extensions.

Since numberOfAttempts=0, this is likely a tenant-level or backend enforcement issue rather than a misconfiguration of your extension or policy.

Your API’s acceptMappedClaims=true setting is correct and not the cause.

Answer 1

For a TokenIssuanceStart custom authentication extension that never fires, the supported diagnostics and configuration checks are limited to what is surfaced through the extension configuration, REST API validation, and Microsoft Entra sign-in logs.

From the documented behavior:

When a custom claims provider is configured for token issuance, Microsoft Entra ID calls the configured REST API during the OnTokenIssuanceStart event, just before issuing the token to the application.
If the REST API call fails or times out, the sign-in fails and the user/app receives a generic error; detailed error information is only visible in the sign-in logs.
If the REST API is never called, there will be no corresponding entries in the REST API’s own logs, but the sign-in logs still show the authentication event information for the extension when it is invoked.

Given that the endpoint works when called directly and returns a valid onTokenIssuanceStart response, the remaining supported diagnostics and configuration checks are:

Verify that the extension is actually being invoked via sign-in logs
- Go to Microsoft Entra admin center → Entra ID → Enterprise apps → Sign-in logs.
- Open a sign-in that should have triggered the custom extension.
- Select the Authentication Events tab.
- Confirm whether there is an entry for the custom authentication extension call (including HTTP status, error code, execution duration, and retry count).
- If there is no Authentication Events entry at all for the extension, Entra ID did not attempt to call the REST API for that sign-in.
Use sign-in logs + Azure Monitor for ongoing verification
- Because the REST API call is fully controlled by Entra ID, the supported way to verify end-to-end invocation is via the Authentication Events data in sign-in logs.
- Sign-in logs can be integrated with Azure Monitor to set alerts (for example, when the number of extension errors exceeds a threshold) and to visualize extension call volume over time.
- This is the supported mechanism to confirm that the extension is being invoked during real user flows, beyond the REST API’s own logging.
Call the REST API directly with a token issued for the extension’s app registration
- To validate that the REST API is correctly protected and accepts tokens issued for the extension’s resource app, obtain an access token using the documented client credentials flow:
  - In Entra admin center, locate the Azure Functions authentication events API (or equivalent) app registration used as the resource for the extension.
  - Create a client secret if needed.
  - Copy the Application ID URI from Expose an API.
  - Request a token from https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token with:
    - grant_type=client_credentials
    - client_id = app’s client ID
    - client_secret = app’s secret
    - scope = {Application ID URI}/.default
  - Decode the token (for example, with https://jwt.ms) and confirm:
    - iss matches the issuer configured in the API
    - aud matches the client ID configured in the API
- This confirms that the API protection and token validation logic match what Entra ID will use when invoking the extension.
Performance and timeout considerations
- If the REST API is invoked but does not respond within the two-second timeout, Entra ID retries and then fails the authentication if all retries time out.
- To avoid silent failures due to timeouts:
  - Cache access tokens for downstream APIs used by the extension.
  - Add detailed logging around calls to downstream services and measure their latency.
  - Use an Azure Functions Premium or Dedicated plan (or equivalent always-warm hosting) so the API is not cold-starting during sign-in.
- Use API testing tools and automated integration tests to validate that the extension API consistently responds within the required time window.
Troubleshooting flow for a non-invoked extension
- Confirm the extension is configured for OnTokenIssuanceStart and associated with the correct application.
- Confirm the REST API is reachable and returns a valid response when called with a proper bearer token (already done).
- Use sign-in logs → Authentication Events to verify whether Entra ID is attempting to call the extension at all.
- If Authentication Events show no entry for the extension for any sign-in, the issue is in how the extension is wired into the user flow or application, not in the REST API itself.
- If Authentication Events show entries with errors, use the HTTP status, error code, and duration from those entries to guide further debugging.

Regarding the specific error codes (AADSTS1100001, AADSTS1003011), tenant-level toggles, or undocumented feature flags/licensing for External ID custom claims providers, there is no additional actionable information in the provided documentation beyond using sign-in logs and the above diagnostics. The documented and supported way to verify invocation is via Microsoft Entra sign-in logs → Authentication Events, combined with the REST API’s own logging and performance testing.

References:

Share via

Custom claims provider (TokenIssuanceStart) not invoked during External ID user sign-in — endpoint receives zero requests despite ClaimsMappingPolicy attached

Summary

Environment

Configuration verified

Observed behavior

Error codes observed where present

Ruled out

Questions

1 answer

Your answer