How to map a user custom security attribute to OIDC id and access token ?

Chris Rollings 40 Reputation points
2025-04-01T13:24:04.3533333+00:00

  • We have created custom security attributes to map some extension fields for the user.
  • We tried to map these as token claims,
    • but the custom security attributes don't show up in the dropdown under Token configuration > Add optional claim.
    • We then tried to define them under Enterprise App > Single sign-on > Attributes & Claims, but we are unable to find these custom security attributes in the dropdown there either.

Any help with this problem is deeply appreciated.

Thanks, Chris


Accepted answer

Rukmini 3,841 Reputation points, Microsoft External Staff, Moderator
2025-04-03T06:20:09.4666667+00:00

    Hi @Chris Rollings,

    I understand that you want to map a user custom security attribute to the OIDC ID and access token, but it is not possible to get custom security attributes as part of the OIDC ID and access token. Refer: Can Azure return "Custom security attributes" as part of JWT claims? - Microsoft Q&A

    Hence, as a workaround, you can use extension properties as an optional claim in the Microsoft Entra ID application instead of custom security attributes.

    Create an extension property:

    POST https://graph.microsoft.com/v1.0/applications/appObjID/extensionProperties
    Content-type: application/json

    {
        "name": "sampleid",
        "dataType": "String",
        "targetObjects": [
            "User"
        ]
    }

    Assign a value for this property to a user:

    PATCH https://graph.microsoft.com/v1.0/users/<upn>
    Content-type: application/json

    {
      "extension_e328572xxxxxxxxxx_sampleid": "12345"
    }

    Configure the optional claim in the Microsoft Entra ID application (Token configuration > Add optional claim, selecting the extension property).

    As a sample, I generated tokens. When decoded, the extn.sampleid claim is present in both tokens:

    Access Token: contains the extn.sampleid claim.

    ID Token: contains the extn.sampleid claim.

    Otherwise, you can configure a custom claims provider. Refer to Create a REST API for a token issuance event in Azure Functions - Microsoft identity platform | Microsoft Learn, where you can create an HTTPS trigger function in an Azure Function app, create a custom extension, and configure the custom claims in the Enterprise Application. Hope this helps!


    If this answer was helpful, please click "Accept the answer" and mark Yes, as this can be beneficial to other community members.

    User's image

    If you have any other questions or still running into more issues, let me know in the "comments" and I would be happy to help you.

    1 person found this answer helpful.
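The workaround above in code, as an added example that is not part of the original answer: it derives the `extension_<appId>_<name>` attribute name that Graph expects when writing the value, builds the two request bodies shown in the answer, and inspects a token payload for the resulting `extn.sampleid` claim. The application ID, UPN and the unsigned sample token are constructed values, not taken from the page; the inspection helper does not verify the signature and is for checking the claim mapping only.

```python
import base64
import json

# Constructed sample values (not from the page): an application (client) ID
# and the attribute name used in the answer.
APP_ID = "e3285720-0000-0000-0000-000000000000"
ATTRIBUTE = "sampleid"
GRAPH = "https://graph.microsoft.com/v1.0"


def extension_attribute_name(app_id, name):
    """Directory extension properties surface on the user object as
    extension_<application ID with hyphens removed>_<name>."""
    return f"extension_{app_id.replace('-', '')}_{name}"


def create_extension_request(app_object_id, name):
    """URL and POST body that register the extension property on the app object."""
    url = f"{GRAPH}/applications/{app_object_id}/extensionProperties"
    return url, {"name": name, "dataType": "String", "targetObjects": ["User"]}


def assign_value_request(upn, app_id, name, value):
    """URL and PATCH body that write the value onto one user."""
    return f"{GRAPH}/users/{upn}", {extension_attribute_name(app_id, name): value}


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def claim_from_token(token, claim):
    """Read one claim from a JWT payload for inspection only. The signature is
    NOT verified here, so never use this to make authorization decisions."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    return payload.get(claim)


def _make_sample_token(claims):
    """Constructed, unsigned token for local checking (not a real Entra token)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Shape of the decoded token in the answer: the optional claim appears as extn.<name>.
SAMPLE_TOKEN = _make_sample_token({"aud": "api://sample", "extn.sampleid": "12345"})
```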
