This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(288, 13%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERG%3C/text%3E%3C/svg%3E)
I'm trying to use Custom Authentication Extensions in an Azure External ID (CIAM) tenant but cannot create extensions despite having proper permissions.
Tenant Type: Azure External ID (CIAM) Tenant ID: 685b0e61-9989-4252-8f1b-993dc4859f4d
What Works:
/v1.0/identity/customAuthenticationExtensions succeed (returns empty array)/v1.0/identity/authenticationEventListeners succeed (returns empty array)CustomAuthenticationExtension.ReadWrite.All application permissionWhat Fails:
/v1.0/identity/customAuthenticationExtensions succeed (returns empty array)/v1.0/identity/authenticationEventListeners succeed (returns empty array)CustomAuthenticationExtension.ReadWrite.All application permission"code": "AADB2C",
"message": "The custom extension should be of subtype of CustomAuthenticationExtension"
Steps to Reproduce:
CustomAuthenticationExtension.ReadWrite.All (application permission)https://graph.microsoft.com/v1.0/identity/customAuthenticationExtensionsQuestion: Is there a tenant-level feature flag that needs to be enabled for CIAM tenants to create Custom Authentication Extensions? The Portal UI doesn't show "Custom authentication extensions" menu item in the Security blade for CIAM tenants either.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 85%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVS%3C/text%3E%3C/svg%3E)
Hello Rick Gregory,
It sounds like you're running into some snags trying to create Custom Authentication Extensions in your Azure CIAM tenant. Let's break down the situation.
It appears that your GET requests are working just fine, which means your setup is partially correct. However, you're facing validation errors when performing a POST to create the custom authentication extension. The error message you're seeing — "The custom extension should be of subtype of CustomAuthenticationExtension" — usually indicates that the structure or type of the data you're sending doesn't match the expected format.
Here are some steps you can take to troubleshoot this issue:
Check the Request Body: Ensure that the structure of your POST request complies with the expected schema for creating a Custom Authentication Extension. The JSON payload should correctly reflect the subtype required by Microsoft Entra.
Review Resource Types: Verify that you are using the correct resource types and properties that relate to your extension. Make sure to define any necessary properties that align with the specifications outlined in the documentation.
Tenant-Level Feature Flags: As you mentioned wondering if there's a tenant-level feature flag needed to utilize Custom Authentication Extensions, it's essential to confirm if your tenant has specific configurations or restrictions. Azure may require enabling certain features or settings for CIAM tenants to use this functionality.
Utilize Examples: Sometimes looking at example requests can clarify the structure you're supposed to follow. Check any official examples and try to structure your POST request similarly.
To help you better, here are a few clarifying questions:
Looking forward to your response, and hopefully, we can get this sorted out!
Thank you for the response! I appreciate the help. The last Reference Link above returns 404. Here are answers to your questions:
1. JSON Payload Used:
I've tested multiple payload structures. Here's the most recent attempt:
{
"@odata.type": "#microsoft.graph.onTokenIssuanceStartCustomExtension",
"displayName": "EntPOWEREDGraph-Passkey-Auth",
"description": "FIDO2 passkey authentication with IDP abstraction",
"endpointConfiguration": {
"@odata.type": "#microsoft.graph.httpRequestEndpoint",
"targetUrl": "https://fa-entpg-patient-dev.azurewebsites.net/api/ciam/auth-extension"
},
"claimsForTokenConfiguration": [
{
"claimIdInApiResponse": "passkey_available"
},
{
"claimIdInApiResponse": "authentication_method"
}
]
}
This resulted in: "The 'authenticationConfiguration' field is invalid in request. "When I added authenticationConfiguration with azureAdTokenAuthentication, I got: "The custom extension should be of subtype of CustomAuthenticationExtension".
2. Documentation Review:
I've reviewed the official documentation, but it largely covers workforce tenants. The examples that I have seen don't specify CIAM-specific requirements or limitations.
3. Additional Context:
Error Code Pattern: All errors return code "AADB2C" (not standard Graph API errors)
Azure Portal UI: The "Custom authentication extensions" menu doesn't appear in Security blade for CIAM tenants (it exists in workforce Entra ID)
App Registration: App ID (available if needed) with CustomAuthenticationExtension.ReadWrite.All application permission, admin-consented
I also have correlation IDs if they would be helpful.
4. Permissions Confirmed:
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 49%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
The only CIAM custom extensions are under "External Identities | Custom authentication extensions".
You mention "FIDO2 passkey authentication"?
Passkeys are not supported in CIAM.