Entra ID Directory, Custom Claims

Admin (KK) 136 Reputation points
2024-01-19T15:26:38.9633333+00:00

I have a web app where I am implementing the authentication and authorization. I would like to implement custom claims for an App Registration. For example, for each App Registration I create I need to add a custom claim called 'Asset ID' which will be a list of assets. So whenever a user uses this App Registration to authenticate, I would like to get all the assets it has access to in the JWT token, which I can pass to our business logic. I am looking at the custom claims and I am not finding anything which is relevant, or am I missing something?

Tags: Azure App Service, Microsoft Entra ID

2 answers

  1. Pinaki Ghatak 5,600 Reputation points Microsoft Employee Volunteer Moderator
    2024-01-19T15:40:24.0633333+00:00

    Hello @Admin (KK), it seems like you want to add custom claims to your JWT tokens in your web app. Here’s a high-level overview of how you can achieve this:

    1. Create an Azure Function app: This function API will be the source of extra claims for your token.
    2. Register a custom authentication extension: This extension will be associated with your Microsoft identity application registration.
    3. Configure an OpenID Connect app to receive enriched tokens: This app will receive the tokens that have been enriched with the custom claims.
    4. Develop a REST API for the token issuance start event: This API will interface with downstream services (like databases or other REST APIs) that contain the attributes you’d like to add to the token configuration.
    5. Configure a claims mapping policy: This policy modifies the claims emitted in tokens issued for specific applications.

    Remember, the attributes returned by your REST API aren’t automatically added into a token. An application’s claims mapping policy must be configured for any attribute to be included in the token.

    For more detailed steps and code examples, you might want to check out the Microsoft Learn articles on Getting started with custom claims providers and Custom claims provider reference. These guides provide comprehensive instructions and examples to help you implement custom claims in your app. Please note that this is a high-level overview, and the exact implementation might vary based on your specific use case and the technologies you’re using. I hope this answers your question, and if so, please tag this as answered.

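As an added illustration of step 4 above (example code, not from either answer or from Microsoft's samples): a handler for the token issuance start callout that reads the calling app and user from the event, looks up the asset list for that pair, and answers with a provideClaimsForToken action in the shape the custom claims provider reference describes. The claim name assetIds, the asset data and the GUIDs are constructed assumptions.

```python
import json

# Constructed sample data: assets each (client app id, user object id) pair may use.
# A real deployment would query the database or REST API that owns this mapping.
ASSET_ACCESS = {
    ("00000000-0000-0000-0000-000000000001", "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"):
        ["asset-100", "asset-230"],
}
TOKEN_ISSUANCE_START = "microsoft.graph.authenticationEvent.tokenIssuanceStart"

def build_claims_response(event: dict) -> dict:
    """Turn a tokenIssuanceStart callout into a provideClaimsForToken response.
    The caller must already be authenticated (e.g. App Service authentication
    on the function app) before this body is trusted."""
    if event.get("type") != TOKEN_ISSUANCE_START:
        raise ValueError(f"unexpected event type: {event.get('type')!r}")
    ctx = event["data"]["authenticationContext"]
    app_id = ctx["clientServicePrincipal"]["appId"]
    user_id = ctx["user"]["id"]
    # Key on the app registration AND the user, so a token for one app never
    # carries assets that were granted through another registration.
    assets = ASSET_ACCESS.get((app_id, user_id), [])
    return {"data": {
        "@odata.type": "microsoft.graph.onTokenIssuanceStartResponseData",
        "actions": [{
            "@odata.type": "microsoft.graph.tokenIssuanceStart.provideClaimsForToken",
            # "assetIds" is an assumed claim name; the claims mapping policy must
            # reference the same ID for it to be emitted in the token.
            "claims": {"assetIds": assets},
        }],
    }}

def handle_request(body: str) -> str:
    """JSON in, JSON out, as the function's HTTP trigger would call it."""
    return json.dumps(build_claims_response(json.loads(body)))

# Constructed callout, trimmed to the fields the handler reads.
SAMPLE_EVENT = {
    "type": TOKEN_ISSUANCE_START,
    "data": {
        "@odata.type": "microsoft.graph.onTokenIssuanceStartCalloutData",
        "authenticationContext": {
            "clientServicePrincipal": {"appId": "00000000-0000-0000-0000-000000000001"},
            "user": {"id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"},
        },
    },
}
if __name__ == "__main__":
    print(handle_request(json.dumps(SAMPLE_EVENT)))
```

A user or app with no entry gets an empty list rather than an error, so the policy in step 5 still sees a well-formed claim.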

  2. Grmacjon-MSFT 19,226 Reputation points Moderator
    2024-01-29T22:26:24.52+00:00

    Hi @Admin (KK)

    Adding to Pinaki's answer, there are a few other options you could try to implement custom claims like an "Asset ID" list in your web app's authentication system using Azure AD:

    • Use Azure AD application manifest: In the app manifest for your app registration, you can define "appRoles" which are custom application roles/claims. When a user authenticates, the roles they belong to will be included in the JWT token.
    • Use Azure AD Graph API: When a user authenticates, make a call to the Graph API to get their group memberships or other custom user properties. Then construct a custom JWT claim based on that.

    Hope that helps -Grace

