When using Custom Domain, is there a claim that will reflect the custom domain the identity is assigned?

Martin Kallukalam 385 Reputation points
2025-04-17T19:36:01.95+00:00

Scenario:
I have 3 custom domains

domain1

domain2

domain3

Is there a way to get the domain name as a claim in the ID token and access token when a user gets a token using interactive login (auth code grant flow)?

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

Accepted answer
    Rukmini 2,186 Reputation points Microsoft External Staff Moderator
    2025-05-08T06:54:06.25+00:00

    Hello @Martin Kallukalam,

    In Microsoft Entra ID, there is no built-in claim that explicitly returns the custom domain name (like domain1.com, domain2.com, etc.) as a standalone claim in the ID or access token by default—particularly when the user is cloud-only (i.e., created directly in Azure AD without federation).

    Hence as a workaround you can extract Domain from UPN or create a custom extension attribute (via Microsoft Graph), assign the domain explicitly to the user, and then expose that claim in the token.

    Workaround 1: Extract Domain from UPN

    Configure UPN as optional claim:

    [screenshot]

    Grant API permissions like below:

    [screenshot]

    Generated access and ID tokens:

    
    GET https://login.microsoftonline.com/organizations/oauth2/v2.0/token
    
    client_id: ClientID
    
    grant_type: authorization_code
    
    scope: api://xxx/domain.read openid
    
    redirect_uri: RedirectURl
    
    code: Code
    
    client_secret: Secret
    
    

    User's image

    And UPN will be displayed in tokens, and the domain can be extracted in your app logic using string manipulation and you can do this client-side or server-side:

    For sample:

    
    const upn = tokenClaims.upn || tokenClaims.preferred_username;
    
    const domain = upn?.split('@')[1];
    
    

    Access Token:

    [screenshot]

    In ID token also UPN will be displayed.

    Workaround 2: Create a custom extension attribute, assign the domain explicitly to the user.

    Create a custom extension attribute:

    
    POST https://graph.microsoft.com/v1.0/applications/ObjectID/extensionProperties
    
    Content-Type: application/json
    
    {
    
      "name": "customDomain",
    
      "dataType": "String",
    
      "targetObjects": [ "User" ]
    
    }
    
    

    User's image

    Set the Custom Domain for Each User:

    
    PATCH https://graph.microsoft.com/v1.0/users/UserId
    
    Content-Type: application/json
    
    {
    
      "extension_{appClientId}_customDomain": "domain1.com"
    
    }
    
    

    User's image

    Configure optional claims in Microsoft Entra ID application:

    [screenshot]

    Generated tokens, and now the custom claim extn.customDomain appears in the access and ID tokens:

    Access Token

    [screenshot]

    Hope this helps!


    If this answers your query, do click Accept Answer and Yes for was this answer helpful, which may help members with similar questions.

    User's image

    If you have any other questions or are still experiencing issues, feel free to ask in the "comments" section, and I'd be happy to help.


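The accepted answer above leaves the domain extraction to "string manipulation" in the app. The following is an added example (not code from the original answer or from Microsoft) of how an application can consume the claims that either workaround produces. It decodes a JWT payload, prefers the explicit extn.customDomain claim from Workaround 2, falls back to deriving the domain from the upn claim as in Workaround 1, and only accepts a value that matches an allowlist of the tenant's custom domains. The domain names domain1.com, domain2.com and domain3.com, the sample tokens, and the function names are assumptions for illustration. It deliberately does not fall back to preferred_username, because Microsoft documents that claim as mutable and not suitable for authorization decisions, and it assumes the token's signature has already been validated by your authentication library; this code only decodes.

```javascript
// Added example: resolve a user's custom domain from Entra ID token claims.
// Assumptions (not from the original answer): three hypothetical custom
// domains, the extension claim exposed as "extn.customDomain" as in the
// answer, and a token whose signature was ALREADY validated by your auth
// library. This function decodes only; it never verifies a signature.

const ALLOWED_DOMAINS = new Set(["domain1.com", "domain2.com", "domain3.com"]);

// Decode the payload segment of a compact JWS (header.payload.signature).
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Return the part after the LAST "@", lower-cased, or null if there is none.
function domainFromUpn(upn) {
  if (typeof upn !== "string") return null;
  const at = upn.lastIndexOf("@");
  if (at < 0 || at === upn.length - 1) return null;
  return upn.slice(at + 1).toLowerCase();
}

// Workaround 2 first (explicit extension attribute), then Workaround 1 (upn).
// Either value is accepted only if it is one of the tenant's custom domains.
function resolveCustomDomain(claims, allowed = ALLOWED_DOMAINS) {
  const explicit = claims["extn.customDomain"];
  if (typeof explicit === "string" && allowed.has(explicit.toLowerCase())) {
    return { domain: explicit.toLowerCase(), source: "extn.customDomain" };
  }
  // Guest users carry "<alias>#EXT#@<tenant>.onmicrosoft.com" UPNs, so the
  // derived value is the home tenant's domain and fails the allowlist check.
  const derived = domainFromUpn(claims.upn);
  if (derived && allowed.has(derived)) {
    return { domain: derived, source: "upn" };
  }
  return null;
}

// Constructed sample tokens: header + payload with a dummy signature segment,
// used only to exercise the decoder offline (a real token would be signed).
function makeSampleToken(payload) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ typ: "JWT", alg: "none" })}.${b64(payload)}.sig`;
}

function demo() {
  const tokens = [
    makeSampleToken({ upn: "bob@Domain2.com" }),
    makeSampleToken({ upn: "bob@other.example", "extn.customDomain": "domain3.com" }),
    makeSampleToken({ upn: "guest_gmail.com#EXT#@tenant.onmicrosoft.com" }),
  ];
  return tokens.map((t) => resolveCustomDomain(decodeJwtPayload(t)));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The allowlist is the important part: a split on "@" returns whatever the UPN happens to contain, so the application should compare the result against the domains it actually owns rather than branching on an arbitrary string.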
0 additional answers
