How to add directory extension to client credentials access token?

AndyNugroho 0 Reputation points
2025-05-15T03:31:34.07+00:00

Update 30 Jun 2025: after trying many suggestions, I conclude that adding application directory extension as a claim in client credentials is not possible.

My use case is for client credentials where I have 2 apps: ResourceApp and ClientApp.

I have defined a directory extension on the Resource App: extension_<resource_app_id>_extrainfo

My ClientApp has a directory extension value: extension_<resource_app_id>_extrainfo = "test"

Now, when I do a client credentials request with client_id=<client_app_id> and the scope set to the Resource App (scope=api://<resource_app_id>/.default), I want the access token JWT claims to contain the value of extension_<resource_app_id>_extrainfo.

Based on what I gathered so far, I tried to use a custom claims mapping policy with this:

```json
{
  "ClaimsMappingPolicy": {
    "Version": 1,
    "IncludeBasicClaimSet": "true",
    "ClaimsSchema": [
      {
        "Source": "application",
        "ExtensionID": "extension_7d62104d35d24b9ea4380ff831bff777_extrainfo",
        "JwtClaimType": "extrainfo"
      },
      {
        "Source": "application",
        "ID": "DisplayName",
        "JwtClaimType": "JWTCLAIM2"
      }
    ]
  }
}
```

I'm able to get the JWTCLAIM2 claim in the client credentials access token, but I'm not able to get the extrainfo claim.

Can someone let me know how I can get the extrainfo claim?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Jyotishree Moharana 1,845 Reputation points Microsoft External Staff Moderator
    2025-05-15T18:50:41.66+00:00

    Hello @AndyNugroho,

    It seems like your claims mapping policy is applied correctly, as evidenced by the successful inclusion of the DisplayName claim (JWTCLAIM2) in the access token. The issue with the extrainfo claim not appearing likely stems from how Entra ID handles directory extensions in the context of the client credentials flow. Specifically, while the directory extension is defined on the Resource App and set on the Client App, the client credentials flow operates under the context of the Client App's service principal, not its application object.

    Directory extensions are stored in servicePrincipal or application objects in Entra ID. In the client credentials flow, the token is issued to the calling application (ClientApp). The claims mapping policy works in the service principal context: only values present on the servicePrincipal are accessible, not those on the application object by default. Directory extensions must be explicitly declared in the schema and synced properly. Entra ID only exposes claims that are present on the service principal when issuing access tokens in app-only flows.

    Therefore, to have the extension_<resource_app_id>_extrainfo value included in the token, you need to ensure that this extension attribute is actually set on the Client App's service principal, not just on the application. Check whether the extension attribute exists on the ClientApp's service principal and has a value; if not, set the value using a PATCH request in Microsoft Graph. Once the extension attribute is correctly populated on the service principal, and your claims mapping policy includes the appropriate reference to the extension ID, the access token will correctly contain the desired extrainfo claim. Additionally, make sure this claims mapping policy is assigned to the Resource App's service principal, as it is the API resource issuing the token.

    If you have any questions, please do let us know.
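The script below is an added example; it is not code from the question or from either answer. It puts the procedure from the question and from the answer above into something you can run offline: it derives the directory extension attribute name from an app ID, builds the Microsoft Graph request bodies (claims mapping policy creation, policy assignment to the resource service principal, and the PATCH that sets the attribute on the ClientApp's service principal), checks that every ExtensionID in the policy follows the required extension_<appId without hyphens>_<name> pattern, and then decodes a token to list which expected claims did not arrive. The Resource App ID is a placeholder GUID, the claim names extrainfo and JWTCLAIM2 come from the question, the Graph endpoints are the documented v1.0 routes, and the token it inspects is constructed locally and unsigned; none of these are values from the original post.

```python
"""Added example (not from the question or the answers): build the Microsoft
Graph request bodies for the claims mapping flow discussed above and check
which claims actually arrived in an access token.

Assumptions (not in the original post): a placeholder Resource App ID, the
claim names extrainfo/JWTCLAIM2 from the question, and an unsigned token
constructed locally for offline testing.
"""
import base64
import json
import re
from typing import Iterable

GRAPH = "https://graph.microsoft.com/v1.0"

# Placeholder app (client) ID of the Resource App; the real one is not on the page.
RESOURCE_APP_ID = "00000000-0000-0000-0000-000000000001"

# Directory extension attribute names are extension_<appId without hyphens>_<name>.
EXTENSION_ID_RE = re.compile(r"^extension_[0-9a-fA-F]{32}_[A-Za-z0-9]+$")


def extension_attribute_name(app_id: str, name: str) -> str:
    """Name Entra gives a directory extension registered on app_id."""
    return f"extension_{app_id.replace('-', '')}_{name}"


def build_claims_mapping_policy(extension_id: str, display_name: str) -> dict:
    """Body for POST {GRAPH}/policies/claimsMappingPolicies.

    Graph wants `definition` as a list holding the policy as a JSON *string*,
    so the inner policy is serialised separately."""
    policy = {
        "ClaimsMappingPolicy": {
            "Version": 1,
            "IncludeBasicClaimSet": "true",
            "ClaimsSchema": [
                {"Source": "application", "ExtensionID": extension_id, "JwtClaimType": "extrainfo"},
                {"Source": "application", "ID": "DisplayName", "JwtClaimType": "JWTCLAIM2"},
            ],
        }
    }
    return {"definition": [json.dumps(policy)], "displayName": display_name, "isOrganizationDefault": False}


def policy_assignment_ref(policy_id: str) -> dict:
    """Body for POST {GRAPH}/servicePrincipals/{sp_id}/claimsMappingPolicies/$ref,
    where sp_id is the Resource App's service principal (the resource issuing the token)."""
    return {"@odata.id": f"{GRAPH}/policies/claimsMappingPolicies/{policy_id}"}


def service_principal_patch_body(extension_id: str, value: str) -> dict:
    """Body for PATCH {GRAPH}/servicePrincipals/{sp_id} that sets the extension
    attribute on the ClientApp's service principal (the answer's suggestion)."""
    return {extension_id: value}


def invalid_extension_ids(policy_body: dict) -> list[str]:
    """ExtensionIDs in the policy that do not match the required naming pattern."""
    bad = []
    for raw in policy_body["definition"]:
        for entry in json.loads(raw)["ClaimsMappingPolicy"]["ClaimsSchema"]:
            ext = entry.get("ExtensionID")
            if ext is not None and not EXTENSION_ID_RE.match(ext):
                bad.append(ext)
    return bad


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature. Inspection only:
    never make an authorization decision on claims read this way."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def missing_claims(token: str, expected: Iterable[str]) -> list[str]:
    """Claims you expected the policy to emit that are absent from the token."""
    claims = decode_jwt_payload(token)
    return [c for c in expected if c not in claims]


def make_unsigned_token(payload: dict) -> str:
    """Constructed alg=none token for offline tests; Entra never issues these."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(payload).encode())}."


if __name__ == "__main__":
    ext = extension_attribute_name(RESOURCE_APP_ID, "extrainfo")
    body = build_claims_mapping_policy(ext, "ClientAppExtraInfo")
    print(json.dumps(body, indent=2))
    print(invalid_extension_ids(body))  # []
    # Constructed token mirroring the question's outcome: DisplayName mapped, extension not.
    tok = make_unsigned_token({"aud": f"api://{RESOURCE_APP_ID}", "JWTCLAIM2": "ClientApp"})
    print(missing_claims(tok, ["JWTCLAIM2", "extrainfo"]))  # ['extrainfo']
```

Two caveats. The decoder deliberately skips signature verification, so use it only to inspect a token you just received from the token endpoint, never to trust one. And the script only tells you which claims are absent; it does not settle whether Entra ID will emit an application-source directory extension claim in an app-only token at all, which is the open point in this thread (the question's update says it did not).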


  2. Lizzy Dinh 0 Reputation points Independent Advisor
    2025-05-19T03:01:21.8633333+00:00

    Hi @AndyNugroho

    Thank you for contacting Q&A Forum. I would like to provide my findings and proposed solution:

    After checking your code, I noticed that you used extension attributes with the application source. For your information, the extension attributes of app A cannot be added to app B's claims mapping policy. Currently, Microsoft only supports adding user extension attributes to application B's claims mapping policy. Therefore, you can try changing the source to user instead of application for the code to work correctly.

    For reference, you can take a look at these two documents:

    https://learn.microsoft.com/en-us/entra/identity-platform/reference-claims-customization#claim-schema-entry-elements

    Directory extension attributes in claims - Microsoft identity platform | Microsoft Learn 

    Kindly let me know if this works for you, and please let me know if you have any further questions.

    Best regards, 

