How to add Custom User Attributes to Access Token

Question

In our external tenant, we added a couple of custom user attributes under Entra > External Identities > Custom user attributes.

We don't want to see those attributes during sign up. We set the values via Graph API.

We want the attributes to appear in the access token. How can we achieve this?

When I go to the app registration that's behind the user flow, I cannot select the attributes under Manage > Token configuration > Add optional claim.

I tried to manually add them to the Manifest:

	"optionalClaims": {
		"accessToken": [
			{
				"additionalProperties": [],
				"essential": false,
				"name": "extension_b2c-extensions-app-id_store",
 				"source": "user"
			}
[...]

When I add the attributes to the Enterprise Application under Manage > Single sign-on > Attributes & Claims, they appear in the ID Token. But that's not where I need them.

How can I add them to the Access Token?

Answer 1

Hello @Manuel Tospann

To get optional claims in access token, you need to generate scope for your API that is expose and API, Add scope.

• Add the scope as API permission, grant admin consent.

Once done pass the scope api://ClientID/ScopeName and generate the access token.

Reference: https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims?tabs=appui#configure-directory-extension-optional-claims

Let me know if any further queries - feel free to reach out!

Hello @Manuel Tospann If the resolution was helpful, kindly take a moment to click on for was this answer helpful. And, if you have any further query do let us know.