This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 71%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJL%3C/text%3E%3C/svg%3E)
I'm trying to create new custom extension for TokenIssuanceStart but running into error. I'm following this guide:
Specifically YT: https://www.youtube.com/watch?v=_CD3shvqpx4&t=2s
I've downloaded the sample code: https://github.com/microsoft/authentication-events-function
Opened Project in Visual Studio and created and published an Azure Function.
I then went to Entra Admin to create new custom extension but kept getting error like this:
Looking at debug the response error seem to all be "There is a problem with the service.".
Looking at the Audit log it's failing on this step
Is this some particular Role I need to have?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 10%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMK%3C/text%3E%3C/svg%3E)
Hello John,
The error code AADB2C90063 with the message "There is a problem with the service." can arise from various factors, including misconfigurations, permission issues etc.
To Register a custom authentication extension, you need to have at least an Application Administrator and Authentication Administrator.
In Endpoint Configuration,Target Url - The {Function_Url} of your Azure Function URL.
Reference -:Custom claims provider: Configure a token issuance event - Microsoft identity platform | Microsoft Learn
Hello John,
I just wanted to follow up and see if the information I shared was helpful. Let me know if you have any questions!
Hello John,
I just wanted to follow up and see if the issue is still there?
Could you please confirm if you have the following App: Azure Active Directory Authentication Extensions in your Tenant.
Search for All Apps in Enterprise Applications Blade.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 95%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAF%3C/text%3E%3C/svg%3E)
We dont have it in ours at least:
Hello John,
If you encounter the following error while creating a custom extension attribute:
"Error creating custom extension / "code": "AADB2C90063", "message": "There is a problem with the service."
This typically indicates that the Azure Active Directory Authentication Extensions application is absent in your tenant.
Steps to Verify and Resolve:
Get-MgServicePrincipal Connect-MgGraph -TenantId <domain>.onmicrosoft.com -Scopes "Application.ReadWrite.All"
New-MgServicePrincipal -AppId 99045fe1-7639-4a75-9d4a-577b6ca3810f
After completing these steps, attempt to create the custom extension attribute again. This should resolve the issue.
For reference, here are some screenshots illustrating the process:
If you continue to experience difficulties, please don't hesitate to contact me for further assistance.
This seems to work for me. Can someone at Microsoft edit the documentation to add this step? Also can this be done via Portal?
Similar question to mine with similar answer too. So there're others encountering same issues.
In there it says "With the support of Microsoft Support team, we've found the problem (and the solution).
The problem is that the Entra External Tenant directory doesn't have a specific service principal that is responsible to provide permissions for a Azure internal application.
They will fix it in the future, however the temporary solution is to create it ourselves."
So I hope MS make this more seamless. Auth0 has something similar but more intuitive.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(316.8, 79%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Hello @John Le
Thank you for contacting Q&A Forum. Based on your description and process, the issue you’re facing might stem from a few causes including missing permissions, misconfigured Azure Function, or service-side issues. I would suggest you check these following factors:
These roles are required to register applications and configure authentication extensions. For more information, please visit this link: Troubleshoot a custom authentication extension - Microsoft identity platform | Microsoft Learn
I would suggest you to follow these troubleshooting steps:
These logs may show more specific error codes like:
1003001: Unexpected error calling the custom extension API.
1003002: Invalid HTTP status code returned.
1003003: Invalid response body.
It must return a valid response with the correct schema and status code.
Kindly let me know if any of these works for you and please leave a comment if you have any further questions.
If I have answered your question, please accept this as answer as a token of appreciation and don't forget to give a thumbs up for "Was it helpful"!
Best regards,
Megan.
I have the exact same issue.
My user is Global Administrator, Cloud Application Administrator, Authentication Administrator and Attribute Definition Administrator. Yes i added alot of roles due while testing...
I experience the same issue: it fails on Create customAuthenticationExtension with no reason defined.
I think this SO post describes the same issue: https://stackoverflow.com/questions/79628812/failed-to-create-a-custom-authentication-extension-tokenissuancestart
I also have a few Validate customExtension authenticationConfigurationfailures in my audit log, but again the reason is NA
The tenant is completely new.
Thank you for replying.
Also note that this being a learning account I have an Azure subscription on the "Default Directory" so the AuthEventsFunction demo app was published there. I created a test External Tenant in Entra and trying to create app registrations on this External Tenant. Is there any issue regarding cross tenant between Azure and Entra?
Under Authentication for the App Registration I selected: "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)"
I went and added these roles to the user:
But still can't create the extension. It seems the new app registration was created but during verifying something didn't work and gave up.
I changed the demo code to Anonymous but that did not work either.
I also try selecting the existing app in API Authentication but still failed