Add custom claims in client credentials flow in Microsoft Entra ID

Mera, C (Claudiu) 90 Reputation points
2025-03-19T14:15:51.2066667+00:00

We need to include custom claims from an external source into a token issued by Microsoft Entra for a service-to-service scenario.

Basically, when getting an access token to our app via https://{tenant_name}.ciamlogin.com/{tenant_id}/oauth2/v2.0/token and the client_credentials grant, the resulting access token should include some additional claims (retrieved from a REST API).

This is possible using Authentication Extensions for Token Issuance event in Sign-In flows with implicit grant, as mentioned in this article: https://learn.microsoft.com/en-us/entra/identity-platform/custom-extension-tokenissuancestart-configuration?tabs=azure-portal%2Cworkforce-tenant

Is it possible to configure this similarly for a client credentials flow in Microsoft Entra?

Any response is appreciated.

Thank you,

Claudiu


Accepted answer
    Alex Burlachenko 4,225 Reputation points
    2025-03-19T16:41:05.7266667+00:00

    Hi Claudiu,

    Great question! Custom claims in the client credentials flow can be a bit tricky since this flow is designed for service-to-service scenarios and doesn’t involve user interaction.

    Using Authentication Extensions for Token Issuance. Unfortunately, Authentication Extensions (like the Token Issuance Start event) are currently supported only for interactive flows (e.g., authorization code flow, implicit flow) and not for the client credentials flow. This is because the client credentials flow doesn’t trigger user-based events like sign-ins.

    Custom Claims via API Connectors. API Connectors are typically used in user flows (e.g., sign-up, sign-in), but they don’t apply to the client credentials flow. However, you can simulate custom claims by calling your external REST API before requesting the token. Retrieve the custom claims and include them as part of your application logic or pass them as parameters in subsequent API calls.

    Custom Claims via Application Roles or Groups. If the custom claims are static or role-based, you can define App Roles or Groups in Microsoft Entra ID. Assign these roles or groups to the service principal and configure your app to include these roles or groups in the token.

    To enable this:

    • Go to your app registration in the Azure portal.
    • Under App Roles, define custom roles.
    • Assign these roles to the service principal.
    • Configure the token to include roles or groups by updating the manifest:
        "groupMembershipClaims":

    Custom Token Issuance via Middleware

    If the above options don’t meet your needs, you can implement a middleware solution. Use a proxy service to handle token issuance. The proxy service requests the token from Microsoft Entra ID using the client credentials flow, calls your external REST API to fetch custom claims, and enriches the token (or response) with the custom claims before forwarding it to the client.

    If this is a critical requirement, consider submitting feedback to Microsoft via the Microsoft Entra ID Feedback Portal. I clearly know Microsoft frequently updates its services based on customer needs.

    Just in case you would like to know more about that topic, please take a look at the provided links.

    Best regards,
    Alex
    P.S. If my answer helped you, please accept my answer.

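As an added illustration of the App Roles option described in the answer (example code written for this page, not from the answer, Microsoft, or any library): a daemon client requests a token with the client_credentials grant from the ciamlogin endpoint named in the question, and the resource side reads the `roles` claim that Entra emits for app roles assigned to the calling service principal. Tenant name, tenant id, client credentials and the `sample_token` helper are hypothetical/constructed values for offline demonstration.

```python
import base64
import json
import urllib.parse
import urllib.request

# Hypothetical values; substitute your own tenant and app registration details.
TENANT_NAME = "contoso"
TENANT_ID = "00000000-0000-0000-0000-000000000000"
TOKEN_URL = f"https://{TENANT_NAME}.ciamlogin.com/{TENANT_ID}/oauth2/v2.0/token"


def build_token_request(client_id, client_secret, resource_app_id):
    """Form body for the client_credentials grant. A daemon client asks for the
    resource's /.default scope; app roles assigned to its service principal are
    then emitted in the access token's 'roles' claim (no user, so no 'scp')."""
    return urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"api://{resource_app_id}/.default",
    }).encode()


def request_token(body, post=None):
    """POST the form to the token endpoint and return the parsed JSON response.
    'post' is injectable so the flow can be exercised offline with a fake transport."""
    if post is None:
        def post(url, data):
            req = urllib.request.Request(url, data=data, method="POST")
            with urllib.request.urlopen(req) as resp:
                return resp.read()
    return json.loads(post(TOKEN_URL, body))


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def roles_from_token(access_token):
    """Read the 'roles' claim from the JWT payload. This only parses; the resource
    API must still validate the signature against the tenant's JWKS, plus 'aud'/'iss'."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    return payload.get("roles", [])


def sample_token(claims):
    """Constructed, unsigned sample JWT for offline demonstration only
    (real Entra tokens are RS256-signed)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

Claims that must come from an external REST API at call time cannot be placed into the Entra-signed token this way; the roles approach covers the static, role-based case the answer describes.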
