CIAM Token Issuance Start event ignores public REST API endpoint

Yuliia Bashko 80 Reputation points
2026-01-13T14:45:49.0533333+00:00

Hello Microsoft Support Team,

We are experiencing an inconsistency between the official documentation and the actual runtime behavior of Microsoft Entra External ID (CIAM) related to Token Issuance Start events.

Scenario

We configured a Token Issuance Start custom authentication extension in Microsoft Entra External ID (CIAM) to enrich tokens with custom claims from an external system.

According to the official documentation, the REST API endpoint for token issuance events can be:

  • Azure Function
  • Azure Logic App
  • or another publicly available REST API endpoint

We implemented a publicly accessible REST API endpoint:

  • No authentication
  • HTTPS
  • Returns HTTP 200
  • Content-Type: application/json

Response schema strictly follows the documented token issuance action contract

Observed behavior:

The REST API endpoint was not invoked at all

But the API returns a valid HTTP 200 response with expected claims

As a result, the claims are NOT added to the issued token

No errors, warnings, or failures.

When the same logic is hosted behind an Azure Function (HTTP trigger):

  • The token issuance event works as expected
  • Custom claims are successfully added to the token

Expected behavior

Based on the documentation, a public REST API endpoint should be supported for token issuance start events in CIAM, provided it conforms to the required contract.

Question

Can you please confirm one of the following:

  • Is there a current limitation in Microsoft Entra External ID (CIAM) where Token Issuance Start events are only supported with Azure Functions, despite the documentation stating otherwise?
  • If public REST APIs are supported, are there additional undocumented requirements or restrictions (runtime allow-listing, endpoint validation, hosting constraints, etc.) specific to CIAM?

If this is a known limitation or behavior gap, we would appreciate confirmation and any available roadmap or documentation update plans.

Thank you for your assistance.

Microsoft Security | Microsoft Entra | Microsoft Entra External ID
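
The question lists what the endpoint has to return (HTTP 200, `application/json`, a body that follows the token issuance action contract), and the follow-up in the thread traces the fault to the REST implementation without saying what it was. The following is an added example, not code from this thread or from Microsoft: a check of a captured endpoint reply against that contract. The two `@odata.type` strings come from the documented response schema; the claim names, the sample bodies and the rule that a claim value is a string or a list of strings are assumptions of this example.

```python
import json

# Type strings from the documented onTokenIssuanceStart response contract.
DATA_TYPE = "microsoft.graph.onTokenIssuanceStartResponseData"
ACTION_TYPE = "microsoft.graph.tokenIssuanceStart.provideClaimsForToken"

def _claim_ok(value):
    # Assumption of this example: a claim value is a string or a list of strings.
    return isinstance(value, str) or (
        isinstance(value, list) and all(isinstance(v, str) for v in value))

def check_response(status, headers, body):
    """Return contract problems found in an endpoint reply; [] means none."""
    problems = []
    if status != 200:
        problems.append(f"status {status}, expected 200")
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if ctype.split(";")[0].strip().lower() != "application/json":
        problems.append(f"Content-Type {ctype!r}, expected application/json")
    try:
        doc = json.loads(body)
    except ValueError as exc:
        return problems + [f"body is not JSON: {exc}"]
    data = doc.get("data") if isinstance(doc, dict) else None
    if not isinstance(data, dict):
        return problems + ["missing top-level 'data' object"]
    if data.get("@odata.type") != DATA_TYPE:
        problems.append(f"data.@odata.type is not {DATA_TYPE}")
    actions = data.get("actions")
    if not isinstance(actions, list) or not actions:
        return problems + ["data.actions must be a non-empty array"]
    for i, action in enumerate(actions):
        claims = action.get("claims") if isinstance(action, dict) else None
        if not isinstance(action, dict) or action.get("@odata.type") != ACTION_TYPE:
            problems.append(f"actions[{i}].@odata.type is not {ACTION_TYPE}")
        elif not isinstance(claims, dict):
            problems.append(f"actions[{i}].claims must be an object")
        else:
            problems += [f"claim {n!r} must be a string or list of strings"
                         for n, v in claims.items() if not _claim_ok(v)]
    return problems

# Constructed samples: a well-formed reply, and a flat body served as text/plain.
GOOD = json.dumps({"data": {"@odata.type": DATA_TYPE, "actions": [
    {"@odata.type": ACTION_TYPE, "claims": {"customerTier": "gold", "groups": ["a", "b"]}}]}})
BAD = json.dumps({"claims": {"customerTier": "gold"}})

if __name__ == "__main__":
    print(check_response(200, {"Content-Type": "application/json"}, GOOD))
    print(check_response(200, {"content-type": "text/plain"}, BAD))
```

The check covers the response shape only; validating the bearer token that Entra sends with each callout is a separate step.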

Answer accepted by question author
  1. Rukmini 26,525 Reputation points Microsoft External Staff Moderator
    2026-01-13T15:29:13.3566667+00:00

    Hello Yuliia Bashko,

    According to your update, a problem with the REST implementation side was found and resolved by using an Azure Function as a proxy. Following that, the Azure Function's flow operated as intended.

    As of right now, establishing a direct connection between the Token Issuance Start custom authentication extension and the REST API is also operating as planned. Despite the previous claim that only Azure-hosted endpoints were supported, this demonstrates that REST integration is operating as intended.

    Let me know if you have any further queries; feel free to reach out!

    1 person found this answer helpful.

2 additional answers

  1. Yuliia Bashko 80 Reputation points
    2026-01-15T11:41:15.9633333+00:00

    Hi,
    Based on your recommendation, I initially introduced an Azure Function as a proxy and discovered an issue on the REST implementation side, which I fixed. After that, the flow worked correctly.

    Today, I connected the REST API directly to the Token Issuance Start custom authentication extension, and it is also working.

    This confirms that the REST integration itself is functioning correctly, despite the earlier statement that REST would not work in this scenario.


  2. Q&A Assist
    2026-01-13T14:46:01.81+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Based on the information provided in the context, the Token Issuance Start event in Microsoft Entra External ID (CIAM) is designed to support various types of REST API endpoints, including publicly available ones. However, there may be specific requirements or configurations that need to be met for these endpoints to function correctly with the token issuance events.

    While the documentation states that a public REST API endpoint can be used, it does not explicitly detail any additional undocumented requirements that might affect its invocation. The observed behavior where the public API endpoint is not invoked, despite returning a valid response, could indicate a limitation or requirement that is not clearly documented.

    To address your questions:

    • There may be current limitations or specific configurations required for public REST APIs that are not fully outlined in the documentation.
    • It is advisable to check for any runtime allow-listing, endpoint validation, or hosting constraints that could affect the behavior of your public REST API in this context.

    For further assistance, consider reaching out to Microsoft support directly to confirm these details and inquire about any known limitations or future updates to the documentation regarding this behavior.

