How to set up custom claims in Azure AD B2C Application and get the claim in access token

Sateesh Kumar Sharma 21 Reputation points
2022-06-14T10:53:34.417+00:00

Hi team,

I have an Azure B2C tenant without a subscription, only for App Registration. I did the App Registration under the B2C tenant using the Graph API.
Now I am using the client_credentials flow to generate an access token, and successfully got an access token.

Token Endpoint - https://login.microsoftonline.com/{b2ctenantid}/oauth2/token
grant_type: client_credentials
client_id:******
client_secret:**********
resource:********

Now I am decoding the token with jwt.ms and getting all the default claims. As per the requirement I need to add one custom claim, e.g. app_name, to be available in the access token claims, because after decoding the token we need the custom claim to do some operation as per the requirement.

I did try to achieve it using this Graph endpoint - https://graph.microsoft.com/v1.0/applications/{application object id}/extensionProperties
with payload:
{
"name": "app_name",
"dataType": "String",
"targetObjects": [
"Application"
]
}

I got a success response.

{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#applications('objectid')/extensionProperties/$entity",
"id": "*****************",
"deletedDateTime": null,
"appDisplayName": "abc",
"dataType": "String",
"isSyncedFromOnPremises": false,
"name": "extension_appID_appName",
"targetObjects": [
"Application"
]
}

But I am not able to get this claim in the token after decoding it.
I also tried this Graph API to add claims - https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies - but it is not succeeding.

Note: In the App Registration from the Portal I am not able to see the Token configuration blade either, unlike in an Azure AD tenant.

Please help me here to add custom claims to the Azure B2C tenant App Registration using Graph REST API calls. I cannot use Azure CLI commands because my tenant does not have a subscription.

Your help will be much appreciated :)

Regards,
Sateesh Sharma

Azure Active Directory External Identities

Accepted answer
  1. AmanpreetSingh-MSFT 55,231 Reputation points
    2022-06-15T10:48:21.643+00:00

    Hi @Sateesh Kumar Sharma, thank you for reaching out.

    In the B2C directory, to get the custom app role in the token acquired using the client_credentials flow, you need to update the application manifest, as the App roles and Token configuration blades are not available in the B2C tenant.

    • First, you need to add the app role in the application manifest, as mentioned below:
      "appRoles": [
          {
              "allowedMemberTypes": [
                  "Application"
              ],
              "description": "Test all aspects of the application",
              "displayName": "Tester",
              "id": "a0e9939a-e77b-4ec3-94b3-a6d2d33bcbde",
              "isEnabled": true,
              "lang": null,
              "origin": "Application",
              "value": "test.all"
          }
      ],
      
    • Once the manifest is updated, go to the Expose an API blade of the application and set the Application ID URI.
    • Then go to the API permissions blade > Add a permission > My APIs > select the application whose manifest you updated.
    • Select Application permissions > select the required permissions > Add permission.
    • Use the client credentials flow to acquire the token.
    • Decode the token at jwt.ms and notice that the roles claim includes the permission.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

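The procedure in the accepted answer, done through Graph REST rather than the portal, as an added example that is not part of the original thread: it builds the manifest PATCH body (appRoles plus identifierUris, i.e. the "Expose an API" step), the requiredResourceAccess entry for the application permission, the form fields for the v1 token endpoint the question uses, and a check that a decoded token carries the expected role for the expected audience. The application ID URI, client id, secret and the sample JWT are constructed placeholders, not values from the page; the role entry reuses the answer's "Tester"/"test.all" role.

```python
"""Added example (not from the original post): Graph payloads for the accepted
answer's steps and a check of the ``roles`` claim in the resulting token.
All ids, URIs and the sample token below are constructed placeholders."""
import base64
import json
import uuid


def build_app_role(display_name, value, description, role_id=None):
    """One appRoles entry for the application manifest.
    allowedMemberTypes=["Application"] makes it an application permission,
    which is what a client_credentials token can carry in its roles claim."""
    return {
        "allowedMemberTypes": ["Application"],
        "description": description,
        "displayName": display_name,
        "id": role_id or str(uuid.uuid4()),
        "isEnabled": True,
        "origin": "Application",
        "value": value,
    }


def manifest_patch_body(app_id_uri, roles):
    """Body for PATCH https://graph.microsoft.com/v1.0/applications/{object-id}:
    sets the Application ID URI and the app roles in one call, which is what
    the answer does via the portal manifest editor and Expose an API blade."""
    return {"identifierUris": [app_id_uri], "appRoles": roles}


def required_resource_access(resource_app_id, roles):
    """requiredResourceAccess entry for the client app (API permissions >
    My APIs > Application permissions). type "Role" = application permission."""
    return {
        "resourceAppId": resource_app_id,
        "resourceAccess": [{"id": r["id"], "type": "Role"} for r in roles],
    }


def token_request_form(client_id, client_secret, resource):
    """Form fields for the v1 endpoint used in the question:
    https://login.microsoftonline.com/{tenant}/oauth2/token
    'resource' is the Application ID URI (or app id) of the API being called."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    }


def _b64url_decode(segment):
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token):
    """Return the payload claims. This does NOT verify the signature; it is the
    same inspection jwt.ms performs. Validate signature, iss, aud and exp
    against the tenant's JWKS before trusting a token in a real API."""
    _header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def has_role(claims, expected_role, expected_aud):
    """True only if the token is for our API (aud) and carries the role."""
    return claims.get("aud") == expected_aud and expected_role in claims.get("roles", [])


# Constructed sample values (assumptions, not taken from the page).
APP_ID_URI = "api://11111111-2222-3333-4444-555555555555"
ROLE = build_app_role("Tester", "test.all", "Test all aspects of the application",
                      role_id="a0e9939a-e77b-4ec3-94b3-a6d2d33bcbde")


def constructed_token(roles, aud=APP_ID_URI):
    """Build a sample JWT shaped like the one jwt.ms shows. The signature is a
    dummy string; this token would fail real validation and exists only so the
    decode/check path can be exercised offline."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed"}
    payload = {"aud": aud, "iss": "https://sts.windows.net/constructed-tenant/", "roles": roles}
    parts = [_b64url_encode(json.dumps(p).encode()) for p in (header, payload)]
    parts.append(_b64url_encode(b"not-a-real-signature"))
    return ".".join(parts)


if __name__ == "__main__":
    print(json.dumps(manifest_patch_body(APP_ID_URI, [ROLE]), indent=2))
    print(json.dumps(required_resource_access("client-app-id-placeholder", [ROLE]), indent=2))
    print(token_request_form("client-id-placeholder", "secret-placeholder", APP_ID_URI))
    claims = decode_jwt_claims(constructed_token(["test.all"]))
    print("role present:", has_role(claims, "test.all", APP_ID_URI))
```

Two practitioner caveats. The roles claim shows up in a client_credentials token only after the application permission has actually been granted to the client's service principal (the "Grant admin consent" action in the API permissions blade, or an appRoleAssignment created through Graph); adding it to requiredResourceAccess alone only records the request. And the decode step above is inspection only, like jwt.ms: an API that authorises on roles must verify the token signature against the tenant's signing keys and check aud, iss and exp first, otherwise anyone can mint a token with whatever roles they like.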

1 additional answer

  1. Sateesh Kumar Sharma 21 Reputation points
    2022-06-16T08:12:58.923+00:00

    Hi @Amanpreet,

    Thank you for your help.

    Regards,
    Sateesh Sharma
