Best Practice for Updating Custom User Attributes (e.g., is-enrolled) via MSAL and Backend Integration

Jose Barredo 0 Reputation points
2025-04-21T17:10:27.2166667+00:00

Hi everyone,

I’m working on a project that uses Entra ID and MSAL for authentication (React frontend + FastAPI backend).

Use Case: I want to add a custom user attribute called is-enrolled to a user in Entra ID. Once a user goes through an "enrollment" flow in the frontend (authenticated via MSAL), I want to update the is-enrolled flag in Entra ID through my backend.

Questions:

  1. What’s the most efficient and secure way to modify this custom attribute from my backend (using MSAL tokens)?
  2. Should I be using the Microsoft Graph API to patch this attribute? If so, does the backend need application-level permissions for this?
  3. Is storing such state in Entra ID recommended, or should I keep it in my backend DB instead and just rely on Entra ID for identity?
  4. Any experience or caveats when using MSAL tokens to call Graph API from the backend for write operations?

Would really appreciate any best practices or real-world implementation tips.

Thanks in advance!

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
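The pattern the question is asking about, as an added example that is not code from the original post or its answers. It assumes the React app requests an MSAL access token whose audience is the FastAPI backend's own App ID URI (not Microsoft Graph), that the backend has already verified the token's signature against the tenant JWKS (for example with PyJWT's PyJWKClient) before the decoded claims reach `check_claims`, and that the backend holds its own client secret and the `User.ReadWrite.All` application permission. The tenant id, app ids, the `Enrollment.Write` scope and the `isEnrolled` extension name are placeholders. The HTTP transport is injectable so the module runs offline; `urllib_send` is the real one.

```python
"""Updating an Entra ID user attribute from the backend, not from the browser.

Added example (not from the original question or answers). Flow assumed: the
frontend's MSAL token is validated here, the caller's object id (oid) is taken
from that token, and the directory extension attribute is written with an
*application* token acquired via the client-credentials grant. The user's
token is never forwarded to Graph. All ids, names and the scope are placeholders.
"""
import json
import time
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, Optional, Tuple

# --- assumed configuration (placeholders, not real tenant or app values) ---
TENANT_ID = "11111111-2222-3333-4444-555555555555"
API_AUDIENCE = "api://0000aaaa-bbbb-cccc-dddd-eeeeffff0000"  # backend's App ID URI
REQUIRED_SCOPE = "Enrollment.Write"                          # delegated scope the backend exposes
EXT_APP_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"          # app that registered the extension
EXT_NAME = "isEnrolled"                                      # directory extension property name
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"
GRAPH = "https://graph.microsoft.com/v1.0"

# send(method, url, headers, body) -> (status, response_body); injectable for offline use
Send = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


class AuthError(Exception):
    pass


def ext_attr_name(app_id: str, name: str) -> str:
    """Graph exposes directory extensions as extension_<appId without hyphens>_<name>."""
    return f"extension_{app_id.replace('-', '')}_{name}"


def check_claims(claims: Dict[str, Any], now: Optional[int] = None) -> str:
    """Validate the decoded payload of the caller's token and return its oid.

    Assumes the JWT signature was already verified against the tenant's JWKS;
    these are the checks a signature library does not do for you.
    """
    now = int(time.time()) if now is None else now
    if claims.get("aud") != API_AUDIENCE:
        # A token minted for Graph (aud https://graph.microsoft.com) must be refused:
        # accepting it would let any Graph token presented to us act as a caller.
        raise AuthError("token not issued for this API")
    if claims.get("iss") != f"https://login.microsoftonline.com/{TENANT_ID}/v2.0":
        raise AuthError("unexpected issuer")
    if claims.get("tid") != TENANT_ID:
        raise AuthError("unexpected tenant")
    if not (int(claims.get("nbf", 0)) <= now < int(claims.get("exp", 0))):
        raise AuthError("token not yet valid or expired")
    if REQUIRED_SCOPE not in str(claims.get("scp", "")).split():
        raise AuthError("missing scope")
    oid = claims.get("oid")
    if not oid:
        raise AuthError("no object id in token")
    return oid


def urllib_send(method: str, url: str, headers: Dict[str, str],
                body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real transport for production use."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read()


def app_token(client_id: str, client_secret: str, send: Send) -> str:
    """Client-credentials grant for Graph. Needs an application permission
    (User.ReadWrite.All) with admin consent; the secret never leaves the server."""
    form = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    status, body = send("POST", TOKEN_URL,
                        {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200:
        raise RuntimeError(f"token endpoint returned {status}")
    return json.loads(body)["access_token"]


def set_enrolled(claims: Dict[str, Any], client_id: str, client_secret: str,
                 send: Send, enrolled: bool = True) -> str:
    """Mark the *calling* user as enrolled. The target user id comes from the
    validated token, never from the request body, so a user cannot flag
    someone else. Returns the oid that was updated."""
    oid = check_claims(claims)
    token = app_token(client_id, client_secret, send)
    body = json.dumps({ext_attr_name(EXT_APP_ID, EXT_NAME): enrolled}).encode()
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    status, _ = send("PATCH", f"{GRAPH}/users/{oid}", headers, body)
    if status != 204:  # Graph answers PATCH /users/{id} with 204 No Content
        raise RuntimeError(f"Graph PATCH failed with {status}")
    return oid
```

In a FastAPI route you would call `set_enrolled(payload, settings.client_id, settings.client_secret, urllib_send)` after the signature check, where `payload` is the decoded bearer token. The point of the audience check is that a Graph token the SPA happened to obtain cannot be replayed against this API, and the point of the separate application token is that the frontend's delegated token is never forwarded as a Graph credential.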

2 answers

Sort by: Most helpful
  1. Kancharla Saiteja 4,355 Reputation points Microsoft External Staff Moderator
    2025-04-22T00:23:33.5166667+00:00

    Hi @Jose Barredo,

    Based on your query, here is my understanding: You would like to add custom policies to your application using Microsoft Graph API.

    To configure custom policies for an application, you need to use a claims mapping policy. To configure a claims mapping policy, you need to use the following document: Customize claims using Microsoft Graph Custom Claims Policy (preview). By using this document, you will have a policy that has custom claims which can be added to multiple applications (service principals) as per your requirement.

    Here is the document to create claims mapping policy: Create claimsMappingPolicy. Once you create the policy with required claims, you can use the above provided document to add this policy to the application. The required permissions are provided in the prerequisites of the document itself.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment".


  2. JimmySalian-2011 42,451 Reputation points
    2025-04-22T08:10:47.9566667+00:00

    Hi Jose,

    Let me try to assist in this and for Q1 to 3 I would suggest you start with using DB for main operations and just rely on Entra ID for auth and authorisation purpose.

    Check this article out for detailed info on the setup of MSAL - https://learn.microsoft.com/en-us/entra/identity-platform/msal-overview

    Also, you can explore Auth Flows over here.

    Hope this helps.

    JS

    ==

    Please accept as answer and do a Thumbs-up to upvote this response if you are satisfied with the community help. Your upvote will be beneficial for the community users facing similar issues.
