Entra External Id > Utilize external Claims Service (REST API) with ability to stop token issuance

Jens Thirmeyer 0 Reputation points
2024-11-22T16:05:27.5733333+00:00

I have gone through the documentation on setting up a custom authentication extension, and have built a function app and configured all the parts for making a call into my function app endpoint for the On Token Issuance Start event.

Everything works correctly, but I want to be able to decide whether a token shall be created and issued to the calling client or not.

How can I prevent Entra from creating an ID-Token?

Microsoft Entra External ID

2 answers

  1. Shweta Mathur 30,101 Reputation points Microsoft Employee
    2024-11-26T04:08:43.1366667+00:00

    Hi @Jens Thirmeyer ,

    Thanks for reaching out.

    To prevent Entra from creating an ID-Token, you can add a custom claim to the token that is not recognized by Entra. This will cause Entra to reject the token and not issue an ID-Token.

    Reference - https://learn.microsoft.com/en-us/entra/identity-platform/custom-extension-tokenissuancestart-configuration?tabs=azure-portal%2Cworkforce-tenant#step-3-assign-a-custom-claims-provider-to-your-app

    Hope this will help.

    Thanks,

    Shweta

    Please "Accept the answer" if above answer helps you.


  2. Jens Thirmeyer 0 Reputation points
    2024-11-26T07:17:56.33+00:00

    I've tried it and added a claim unknown to Entra. It just ignored it and used the known claims to put them into the token.

    Basically, I'd like to go with a dedicated event or status code, like it was with Azure Active Directory B2C. The REST API back in the day sent a 409 status code which clearly indicates a problem and was not causing an error in order to break the process chain. Furthermore, in AD B2C, I was able to define the behavior via a custom policy.

    What I want to achieve is that the REST API can decide, whether the login process continues or stops for a certain reason.

    Many thanks for further support.

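As an added example for this thread (not code from the question, either reply, or Microsoft's own samples): a handler for the OnTokenIssuanceStart callout that the question and the reply above discuss, written in Python. The event type, action type and request/response shapes follow the documented custom claims provider contract for this event; the `accessDecision` claim name, the blocked-user list and the sample callout are constructed for illustration. The only action the event accepts is provideClaimsForToken, so the extension can stamp a decision into a claim for the client or resource API to enforce, but it cannot itself veto issuance; the second function shows, for comparison, the Azure AD B2C 409 response that the reply refers to, where the REST API could stop the journey.

```python
"""Handler for an Entra custom authentication extension (OnTokenIssuanceStart).

Added example for this thread; not code from the question or from Microsoft.
Request/response shapes follow the documented custom claims provider contract.
The ``accessDecision`` claim, the blocked-user list and the sample callout
are hypothetical and constructed for illustration.
"""
import json
from typing import Any, Dict, Optional, Tuple

TOKEN_ISSUANCE_START = "microsoft.graph.authenticationEvent.tokenIssuanceStart"
RESPONSE_DATA_TYPE = "microsoft.graph.onTokenIssuanceStartResponseData"
PROVIDE_CLAIMS_ACTION = "microsoft.graph.tokenIssuanceStart.provideClaimsForToken"

# Hypothetical policy store: object IDs of users the application should refuse.
BLOCKED_USER_IDS = {"11111111-1111-1111-1111-111111111111"}


def is_token_issuance_start(event: Dict[str, Any]) -> bool:
    """True when the callout is the event this handler is registered for."""
    return event.get("type") == TOKEN_ISSUANCE_START


def decide(user_id: Optional[str]) -> str:
    """Hypothetical policy: deny listed users, allow everyone else."""
    return "deny" if user_id in BLOCKED_USER_IDS else "allow"


def handle_token_issuance_start(event: Dict[str, Any]) -> Dict[str, Any]:
    """Build the provideClaimsForToken response for one callout.

    provideClaimsForToken is the only action this event accepts, so the
    handler can only add claims; it cannot stop Entra from issuing the
    token. The relying party has to enforce the decision claim.
    """
    if not is_token_issuance_start(event):
        raise ValueError(f"unexpected event type: {event.get('type')!r}")

    ctx = event.get("data", {}).get("authenticationContext", {})
    user = ctx.get("user") or {}
    client = ctx.get("clientServicePrincipal") or {}

    claims = {
        # Hypothetical claim names chosen not to collide with standard claims.
        "accessDecision": decide(user.get("id")),
        "policyVersion": "2024-11",
        "requestingApp": client.get("appId", ""),
    }
    return {
        "data": {
            "@odata.type": RESPONSE_DATA_TYPE,
            "actions": [{"@odata.type": PROVIDE_CLAIMS_ACTION, "claims": claims}],
        }
    }


def b2c_block_response(user_message: str) -> Tuple[int, Dict[str, Any]]:
    """Azure AD B2C RESTful technical profile error contract, for comparison.

    A B2C custom policy stops the user journey and shows user_message when
    the REST API answers 409 Conflict with this body.
    """
    return 409, {"version": "1.0.0", "status": 409, "userMessage": user_message}


def make_sample_event(user_id: str) -> Dict[str, Any]:
    """Constructed callout resembling what Entra posts to the extension."""
    tenant = "aaaabbbb-0000-cccc-1111-dddd2222eeee"
    app = "00001111-aaaa-2222-bbbb-3333cccc4444"
    return {
        "type": TOKEN_ISSUANCE_START,
        "source": f"/tenants/{tenant}/applications/{app}",
        "data": {
            "@odata.type": "microsoft.graph.onTokenIssuanceStartCalloutData",
            "tenantId": tenant,
            "authenticationContext": {
                "correlationId": "8b3d1e0a-5555-4c6d-9e7f-000011112222",
                "client": {"ip": "203.0.113.5", "locale": "en-us", "market": "en-us"},
                "protocol": "OAUTH2.0",
                "clientServicePrincipal": {
                    "id": "33334444-5555-6666-7777-888899990000",
                    "appId": app,
                    "appDisplayName": "Sample app",
                    "displayName": "Sample app",
                },
                "user": {
                    "id": user_id,
                    "displayName": "Sample User",
                    "userPrincipalName": "user@contoso.example",
                    "userType": "Member",
                },
            },
        },
    }


if __name__ == "__main__":
    for uid in ("22222222-2222-2222-2222-222222222222", next(iter(BLOCKED_USER_IDS))):
        print(json.dumps(handle_token_issuance_start(make_sample_event(uid)), indent=2))
```

In a function app the handler sits behind the HTTP trigger: parse the JSON body, call `handle_token_issuance_start`, and return the result as the 200 response body. The decision claim is only as strong as the relying party's check on it, so the client or API that receives the ID token must treat `accessDecision` other than `allow` as a failed sign-in.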
