Azure AD - Custom Claims in Access Tokens

Thorsten 21 Reputation points
2020-10-22T11:46:04.68+00:00

Hello,

We have the requirement to add custom claims to access_tokens (JWT).
The claims (constant names and values) should be defined per app. Every time an access_token for the app is requested, the claims should be added to the token.
Is it possible to define such claims for an app?

Thank You.

Regards,
Thorsten


Accepted answer
  1. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator
    2020-10-22T16:24:33.737+00:00

    You can create a custom claim mapping policy with a definition similar to this:

    {
      "ClaimsMappingPolicy": {
        "Version": 1,
        "IncludeBasicClaimSet": "true",
        "ClaimsSchema": [
          { "value": "myConstantValue", "JwtClaimType": "myClaim" }
        ]
      }
    }
    

    And assign it to your application service principal.

    --
    Please let us know if this answer was helpful to you. If so, please remember to mark it as the answer so that others in the community with similar questions can more easily find a solution.

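    The steps in the accepted answer (create the policy, assign it to the service principal) as an added worked example in Microsoft Graph PowerShell; this is not code from the answer above. It assumes the Microsoft.Graph module is installed and uses <APP-ID-PLACEHOLDER> for the application (client) ID of the app that should receive the claim.

```powershell
# Added example: create a constant-value claims mapping policy and bind it to the
# application's service principal with the Microsoft Graph PowerShell SDK.
# <APP-ID-PLACEHOLDER> is a placeholder for the application (client) ID.
$appId = "<APP-ID-PLACEHOLDER>"

Connect-MgGraph -Scopes "Policy.ReadWrite.ApplicationConfiguration", "Application.ReadWrite.All"

# The policy definition is the JSON from the accepted answer, passed as one string.
$definition = @'
{
  "ClaimsMappingPolicy": {
    "Version": 1,
    "IncludeBasicClaimSet": "true",
    "ClaimsSchema": [
      { "value": "myConstantValue", "JwtClaimType": "myClaim" }
    ]
  }
}
'@

$policy = New-MgPolicyClaimMappingPolicy -DisplayName "ConstantClaimPolicy" `
    -Definition @($definition)

# Resolve the service principal and the app registration from the application ID.
$sp  = Get-MgServicePrincipal -Filter "appId eq '$appId'"
$app = Get-MgApplication      -Filter "appId eq '$appId'"

# Azure AD only issues tokens with mapped claims when the app has opted in, either
# via acceptMappedClaims (single-tenant apps) or via a custom signing key. Check this
# first when a policy is assigned but no token with the claim is obtained.
if (-not $app.Api.AcceptMappedClaims) {
    Update-MgApplication -ApplicationId $app.Id -Api @{ acceptMappedClaims = $true }
}

# Bind the policy to the service principal (a service principal takes one such policy).
New-MgServicePrincipalClaimMappingPolicyByRef -ServicePrincipalId $sp.Id -BodyParameter @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/$($policy.Id)"
}

# Verify the assignment took effect.
Get-MgServicePrincipalClaimMappingPolicy -ServicePrincipalId $sp.Id | Select-Object Id, DisplayName
```

    The same objects (claimsMappingPolicies and the service principal's claimsMappingPolicies/$ref relationship) can also be created with direct Microsoft Graph REST calls.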

4 additional answers

  1. AmanpreetSingh-MSFT 56,871 Reputation points Moderator
    2020-10-22T16:02:09.317+00:00

    Hi @Thorsten, you can update the app manifest for this purpose. When configuring directory extension optional claims using the application manifest, use the full name of the extension (in the format extension_<appid>_<attributename>). The <appid> must match the ID of the application requesting the claim.

    Within the JWT, these claims will be emitted with the following name format: extn.<attributename>.

    Within the SAML tokens, these claims will be emitted with the following URI format: http://schemas.microsoft.com/identity/claims/extn.<attributename>

    Below is an example of how to update the app manifest to pass a custom attribute in an access token:

    "optionalClaims": {
        "accessToken": [
            {
                "name": "extension_ab603c56068041afb2f6832e2a17e237_CustomAttrib",
                "essential": false
            }
        ]
    }
    

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. Heike 1 Reputation point
    2020-10-27T13:24:10.413+00:00

    Hi,

    I have the same requirement.
    I need a custom claim with fix value for one registered app.

    @Thorsten did one of the answers work at your place?

    @AmanpreetSingh-MSFT I tried your solution, but the JWT still does not contain the new claim.

    anonymous user-msft, is there a possibility to do this claims policy mapping without using PowerShell?

    Thanks in advance.

    Regards.


  3. Thorsten 21 Reputation points
    2020-11-02T16:56:24.603+00:00

    Hi,

    Sorry for the late response.

    anonymous user-msft's solution works for us.

    Thanks.

    Regards


  4. Paahn 0 Reputation points
    2023-06-21T18:14:22.89+00:00

    @AmanpreetSingh-MSFT extension_<appid>_<attributename>). The <appid> must match the ID of the application requesting the claim.

    @AmanpreetSingh-MSFT Is there any possible way to add custom claims with Directory extension as source to a different application registered in the same tenant? In other words, if I have Directory extensions on application A, can I create an application B and add those directory extensions as token claims in B?

    The reason to do this is application A has the directory extensions, and we are sharing a secret to Keycloak to act as an intermediary. We would rather give Keycloak a new clientId and secret so Keycloak doesn't have access to application A secret to read and write any data on extension properties defined there. Is there another way to achieve this?

