using client credential flow, how can I add a custom claim to the access token

Goeman Alex 30 Reputation points
2024-03-02T15:45:32.5+00:00

When having multiple registered client applications, each of which will use the "client credential flow" to acquire an access token to access our API server (also a registered application), how can we add a custom claim to the access token whose value we can configure for each client (service principal)?

So the custom claim name could be e.g. "customId", and for each client application (or service principal) we should be able to customize/set the customId value. Our API server can then use that value to retrieve some custom data.


Accepted answer
  1. Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2024-03-12T05:50:02.8833333+00:00

    Goeman Alex

    Thanks for your time and patience on this.

    I was checking internally on this with the team.

    As I mentioned above, the only claims that can be used are the ones mentioned in the table in the custom mapping policy.

    Unfortunately, we can't customize the claim using client credential flow.

    I would suggest you post this idea at the Azure Feedback Portal, which is monitored by the product team for feature enhancements.

    Hope this will help.

    Thanks,

    Shweta

    Please remember to "Accept Answer" if answer helped you.


3 additional answers

  1. Vahid Ghafarpour 23,385 Reputation points Volunteer Moderator
    2024-03-02T20:42:43.58+00:00

    Thanks for posting your question in the Microsoft Q&A forum.

    You can use the "Optional Claims" feature in Azure AD.

    https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims

    ** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful **


  2. Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2024-03-05T02:21:14.77+00:00

    Hi @Goeman Alex ,

    Thanks for reaching out.

    This functionality does not apply to the client credentials flow and is only available to user-centric flows.

    As the client credential flow is a server-to-server call to get the access token, we cannot get a claim associated with any user. Also, I don't think we have any way to retrieve the claim associated with a service principal.

    So, it is not feasible to customize the claim using client credential flow.

    Hope this will help.

    Thanks,

    Shweta

    Please remember to "Accept Answer" if answer helped you.


  3. Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2024-03-08T07:20:09.66+00:00

    Hi @Goeman Alex ,

    Apologies for the delay in response.

    Yes, it is possible to add a custom claim to a service principal using a claim mapping policy.

    Claim mapping policies are not a user-centric flow; we can add a custom claim to an application (service principal) and get the claim in the token using the client credential flow.

    I have two App Registrations with APIs exposed by one and consumed by the other - call them "App1" and "App2" app registrations.

    I added a new custom policy as below:

    1. New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy": {"Version": 1,"ClaimsSchema":[
    {"Source": "application","ID": "DisplayName","JwtClaimType": "JWTCLAIM2"}]}}') -DisplayName "Claim-displayname" -Type "ClaimsMappingPolicy"


    2. Get the Azure AD policy.

    3. Assign the custom claim to the object id of the service principal of app2 to retrieve the custom data.

    Add-AzureADServicePrincipalPolicy -Id <ObjectId of the ServicePrincipal> -RefObjectId <ObjectId of the Policy>


    Make sure to set acceptMappedClaims to true in the manifest of your application.

    You can get the token using the client credential flow and see your custom claim in it.

    Hope this will help.

    Thanks,

    Shweta

    Please remember to "Accept Answer" if answer helped you.
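
Added example (not code from the answer above or from Microsoft): the three steps of the third answer as one AzureAD PowerShell script, followed by a payload decode so you can confirm the claim actually arrived in a client-credentials token. It assumes the API app (App2) is already registered with acceptMappedClaims set in its manifest; the appId is a placeholder, and the policy name and claim type are the ones used in the answer. With Source "application" the claims-mapping documentation fills the claim from the calling client's service principal, so each client gets its own value from one policy.

```powershell
# Added example, not the answer's own code. Replace the placeholder appId before running.
Connect-AzureAD | Out-Null

$apiAppId  = '00000000-0000-0000-0000-000000000002'   # placeholder: appId of App2 (the API)
$claimName = 'JWTCLAIM2'                               # claim type used in the answer

# 1. Create the claims mapping policy. Source "application" is filled from the *calling*
#    client app's display name, so every client carries its own value automatically.
$definition = @{
    ClaimsMappingPolicy = @{
        Version              = 1
        IncludeBasicClaimSet = 'true'   # keep the standard claims next to the custom one
        ClaimsSchema         = @(
            @{ Source = 'application'; ID = 'DisplayName'; JwtClaimType = $claimName }
        )
    }
} | ConvertTo-Json -Depth 5 -Compress

$policy = New-AzureADPolicy -Definition @($definition) `
    -DisplayName 'Claim-displayname' -Type 'ClaimsMappingPolicy'

# 2. Resolve the API's service principal: the policy shapes tokens issued *for* this app,
#    and acceptMappedClaims must already be true in App2's manifest.
$apiSp = Get-AzureADServicePrincipal -Filter "appId eq '$apiAppId'"
if (-not $apiSp) { throw "No service principal found for appId $apiAppId" }

# 3. Assign the policy and verify that the assignment is visible on the service principal.
Add-AzureADServicePrincipalPolicy -Id $apiSp.ObjectId -RefObjectId $policy.Id
Get-AzureADServicePrincipalPolicy -Id $apiSp.ObjectId |
    Where-Object { $_.Id -eq $policy.Id } |
    Select-Object DisplayName, Type, Id

# 4. Inspect a token obtained with the client credentials flow. This only decodes the
#    payload for a visual check; the API itself must still validate signature, issuer,
#    audience and expiry before it trusts JWTCLAIM2 to look up any client-specific data.
function Get-JwtPayload([string]$Jwt) {
    $b64 = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}
# Usage once you hold a token in $accessToken:
#   (Get-JwtPayload $accessToken).$claimName
```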

