Adding custom claim to id token based on group ownership existence on Azure AD

Dawid Dudek 1 Reputation point
2022-10-17T10:04:15.633+00:00

I have an (external to Azure) company application to integrate with AzureAD through OIDC. The requirement is to add a custom claim to id_token with a list of groups where the user is an owner in AD.

For example if the user is in the owner of group with id = "123abc", I need to add the following custom claim to id_token.

"ownedGroups": ["123abc"]

If this is not possible is there at least option to add sth like this

"hasOwnedGroups": true

I could not find any relevant example for this in docs. Can you share an example for doing this? If this is not possible in the exactly same way, I 'd like to know the alternative solution for putting information about ownership in id token.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,815 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Vasil Michev 96,836 Reputation points MVP
    2022-10-17T12:52:05.95+00:00

    You will have to create a custom directory extension (property) and map it's value to a custom claim, as there's nothing built-in you can use for this scenario. The process is covered here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims#configuring-directory-extension-optional-claims

    2 people found this answer helpful.
    0 comments No comments