using client credential flow, how can I add a custom claim to the access token

Question

When having multiple registered client application, that each will use "client credential flow" to acquire an access token to access our api server(also a registered application). How can we add a custom claim in the access token that we can configure its value for each client (service principal)?

So the custom claim name could be e.g; "customId" , and for each client application (or service principal) we should be able to "customize"/set the customId value. Our api server can then use that value to retrieve some custom data.

Answer 1

Goeman Alex

Thanks for your time and patience on this.

I was checking internally on this with team.

As I mentioned above, the only claims that can be used are the ones mentioned in the table in custom mapping policy.

Unfortunately, we can't customize the claim using client credential flow.

I would suggest you post this idea at the Azure Feedback Portal, which is monitored by the product team for feature enhancements.

Hope this will help.

Thanks,

Shweta

Please remember to "Accept Answer" if answer helped you.

Answer 2

Thanks for posting your question in the Microsoft Q&A forum.

You can use the "Optional Claims" feature in Azure AD.

https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims

** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful **

Answer 3

Hi @Goeman Alex ,

Thanks for reaching out.

This functionality does not apply to the client credentials flow and only available to user-centric flows.

As client credential flow is server to server interaction call to get the access token, we cannot get a claim associated with any user. Also, I don't think we have any way to retrieve the claim associated with service Principal as well.

So, it is not feasible to customize the claim using client credential flow.

Hope this will help.

Thanks,

Shweta

Please remember to "Accept Answer" if answer helped you.

Answer 4

Hi @Goeman Alex ,

Apologies for delay in response.

Yes, it is possible to add custom claim to a service principal using claim mapping policy.

Claim mapping policies are not user centric flow, we can add custom claim to application (service principal and get the claim in the token using client credential flow.

I have two App Registrations with APIs exposed by one and consumed by the other - call them "App1" and "App2" app registrations.

I added new custom policy as below:

1.New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy": {"Version": 1,"ClaimsSchema":[

New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy": {"Version": 1,"ClaimsSchema":[
{"Source": "application","ID": "DisplayName","JwtClaimType": "JWTCLAIM2"}]}}') -DisplayName "Claim-displayname" -Type "ClaimsMappingPolicy"

2.Get the Azure AD policy

3.Assign the custom claim to the object id of service principal of app2 to retrieve the custom data.

Add-AzureADServicePrincipalPolicy -Id <ObjectId of the ServicePrincipal> -RefObjectId <ObjectId of the Policy>

Make sure to set the acceptedMappedClaims to true in the manifest of your application.

You can get the token using client credential flow and can see your custom claim as

Hope this will help.

Thanks,

Shweta

Please remember to "Accept Answer" if answer helped you.