I have an Azure AD app and I am trying to add custom claims to a JWT. I'm using the claims mapping feature in Azure for my specific app, and updated the app manifest in the Azure Portal to include the optional claims. However, when I log in and view the decoded access token, the claim is not present in the token. I haven't found much documentation relating to using extension attributes as claims, but from what I've found it should follow the same patterns; it is not working as expected, though.
How do I add a custom claim, sourced from a custom property in the user object in AD, to a JWT when the user logs in?
Thanks in advance!
Request:
POST https://graph.windows.net/mytenant.onmicrosoft.com/applications/<application-object-id>/extensionProperties?api-version=1.5
Body:
{
   "name": "customUserRoles",
   "dataType": "String",
   "targetObjects": ["User"]
}
Request:
PATCH https://graph.windows.net/mytenant.onmicrosoft.com/users/[email protected]?api-version=1.5
Body:
{
   "extension_<appId>_customUserRoles": "My Custom Role 1, Another Role 2"
}
Install-Module -Name AzureADPreview
New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version": 1, "IncludeBasicClaimSet": "true", "ClaimsSchema": [ { "Source": "user", "ID": "extension_<appId>_customUserRoles", "JwtClaimType": "customUserRoles" } ] } }') -DisplayName "customUserRoles" -Type "ClaimsMappingPolicy"
Add-AzureADServicePrincipalPolicy -Id <service-principal-id> -RefObjectId <azure-ad-policy-id>
{
   ...
   "acceptMappedClaims": true,
   "optionalClaims": {
      "idToken": [
         {
            "name": "extension_<appId>_customUserRoles",
            "source": "user",
            "essential": false
         }
      ],
      "accessToken": [
         {
            "name": "extension_<appId>_customUserRoles",
            "source": "user",
            "essential": false
         }
      ],
      "samlToken": []
   }
}
1. Open https://login.microsoftonline.com/mytenant.onmicrosoft.com/oauth2/authorize?client_id=<appId>&response_type=token&resource=https://mytenant.sharepoint.com and log in with the Azure AD user account [email protected]
2. Copy the access_token parameter
3. Go to https://jwt.ms and paste the access token in the text area
My expectation is I should see a new claim called customUserRoles or extn.customUserRoles in the decoded token.
What steps am I missing? I haven't gotten any errors throughout this process, but it doesn't appear to be working as the documentation suggests.
I have read through Microsoft's documentation on these topics:
Optional Claims: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims
Claims Mapping: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping
I have also read through various forum posts and blog articles relating to this:
https://devonblog.com/cloud/azure-ad-adding-employeeid-claims-in-azure-ad-jwt-token/
http://www.redbaronofazure.com/?p=7566
https://social.msdn.microsoft.com/Forums/en-US/3e5114b6-24d6-4c60-b72b-b4c90baeecac/access-token-missing-optional-claims-that-are-schema-extensions-implicit-grant-flow
https://social.msdn.microsoft.com/Forums/en-US/dbeeed63-8d3f-4c27-b416-431f9fe6c729/providing-directory-extension-optional-claims-and-returning-value-within-token?forum=WindowsAzureAD
In the Azure portal, on the User Attributes & Claims section, click on the Edit icon to edit the claims. Click on the required claim which you want to modify. Enter the constant value without quotes in the Source attribute as per your organization and click Save.
Based on this official doc:
Access tokens are always generated using the manifest of the resource, not the client. So in the request ...scope=https://graph.microsoft.com/user.read... the resource is Graph. Thus, the access token is created using the Graph manifest, not the client's manifest. Changing the manifest for your application will never cause tokens for Graph to look different. In order to validate that your accessToken changes are in effect, request a token for your application, not another app.
And based on your requirement, it is impossible if you want to make some change on an access token whose resource is SharePoint Online, which is a multi-tenant app created and managed by MSFT.
For this doc, I also did some research for you. And the same: you should have control of the service-side app so that you can make that happen.
This is my policy role assignment command:
$nsp = New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema": [{"Source":"user","ID":"mailnickname","JwtClaimType":"testclaim"}]}}') -DisplayName "StanCustomCliamDemo_surname" -Type "ClaimsMappingPolicy"
Add-AzureADServicePrincipalPolicy -RefObjectId $nsp.Id -Id '<obj id of service side app>'
Token result:

What's more, please note that extension_<appId>_customUserRoles is not a valid user source ID. For all valid user source IDs, please refer to here.
Hope it helps.
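The answer's point, that a mapped claim can only show up in a token minted for your own resource, is easy to confirm by decoding the token and comparing its aud with your app's identifiers before looking for the claim. This is an added example, not code from the question or the answer; the resource identifiers, UPNs and both tokens are constructed placeholders, and the decoder only inspects the payload without verifying the signature, the same way jwt.ms does.

```python
import base64
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    # Restore the padding that compact JWT serialization strips.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_jwt(payload: dict) -> str:
    """Build a constructed token with a dummy signature, for offline demonstration only."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header}.{body}.constructed-signature"


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment. No signature check: inspection only, like jwt.ms."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact-serialized JWT with three segments")
    return json.loads(b64url_decode(parts[1]))


def inspect_token(token: str, own_resource_ids: set, claim_name: str) -> dict:
    """Report which resource the token was minted for (aud) and whether the mapped
    claim is present under its JwtClaimType or the extn. prefix the question mentions."""
    payload = decode_jwt_payload(token)
    aud = payload.get("aud", "")
    found = next((c for c in (claim_name, f"extn.{claim_name}") if c in payload), None)
    return {
        "aud": aud,
        "token_for_own_app": aud in own_resource_ids,
        "claim_present": found is not None,
        "claim_value": payload.get(found) if found else None,
    }


# Constructed sample identifiers and tokens; not real tenant values.
OWN_RESOURCE_IDS = {"api://my-app", "11111111-1111-1111-1111-111111111111"}
SHAREPOINT_TOKEN = make_sample_jwt({"aud": "https://mytenant.sharepoint.com", "upn": "user@example.test"})
OWN_APP_TOKEN = make_sample_jwt({"aud": "api://my-app", "upn": "user@example.test",
                                 "customUserRoles": "My Custom Role 1, Another Role 2"})

if __name__ == "__main__":
    for label, tok in (("sharepoint", SHAREPOINT_TOKEN), ("own app", OWN_APP_TOKEN)):
        print(label, inspect_token(tok, OWN_RESOURCE_IDS, "customUserRoles"))
```

If token_for_own_app is False, the missing claim is expected: the token was issued against another resource's manifest, so the fix is to request a token for your own app (its App ID URI or client id as resource) rather than to keep editing the policy.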