How do I add claims from my custom claims provider to Entra External ID/Azure AD access tokens?

I have added a custom claims provider API (following these articles: https://learn.microsoft.com/en-us/azure/active-directory/external-identities/customers/concept-custom-extensions and https://learn.microsoft.com/en-us/azure/active-directory/develop/custom-extension-get-started) to add a few claims from an external system to access tokens. The problem is that these custom claims only get added to the ID tokens and not to the access tokens returned.

I am using a new Entra External Identities for Customers tenant that I set up a few weeks ago, and I'm fairly new to authentication and authorization, so I'm not sure that my expectation of being able to add custom claims to the access token is feasible. It is, however, needed for my use case, where I have to consider decisions made a long time ago.

I've tried using both the sample SPA sign-in and device code flow samples, but neither of them has the custom claims in the access token, only in the ID token.

Earlier this year, I'm fairly certain I managed to add custom claims to access tokens using Azure AD B2C API Connectors (https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-api-connector-token-enrichment). Maybe I will have to use that approach instead.


1 Answer

I created a Function app, created an HTTPS trigger function, and edited the code like below:

[screenshot]

Created a custom extension:

[screenshot]

Registered Azure AD Application:

[screenshot]

Configured the custom claims in the Enterprise Application:

[screenshot]

I used an implicit grant flow to generate tokens:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?client_id=ClientID&response_type=id_token+token&redirect_uri=https://jwt.ms&scope=openid&state=12345&nonce=12345

The claims are displayed in the ID token, but when I checked the access token, the claims are not displayed:

[screenshot]

How do I add claims from my custom claims provider to Entra External ID/Azure AD access tokens?

To get the custom claims in the access token, you must generate the access token for your own application. An access token generated for another API, such as Microsoft Graph or SharePoint, doesn't contain the custom claims. Refer to this Microsoft Docs page for more information.

Hence, to get the custom claims in the access token, I exposed an API in the Azure AD Application like below:

[screenshot]

Grant API permissions:

[screenshot]

Now I generated tokens by passing the scope as api://ClientID/.default openid:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?client_id=ClientID&response_type=id_token+token&redirect_uri=https://jwt.ms&scope=api://ClientID/.default openid&state=12345&nonce=12345

Now, when I decoded the access token and the ID token, the custom claims are displayed successfully:

Access Token:

[screenshot]

ID Token:

[screenshot]

answered Dec 10 '25 20:12 by Rukmini


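As an added illustration of the answer's point (this is example code, not the answer's or Microsoft's), the snippet below builds the authorize URL with the app's own API scope and then inspects a token's `aud` claim to confirm the token was issued for that API before expecting the custom claims in it. The custom claim name `loyaltyTier`, the `ClientID`/`TenantID` placeholders and the sample tokens are constructed assumptions; signature verification against the tenant's JWKS is deliberately left out and must be done before any claim is trusted.

```python
import base64
import json
from urllib.parse import urlencode

# Placeholders taken from the answer's URLs; replace with real values.
CLIENT_ID = "ClientID"
API_AUDIENCE = f"api://{CLIENT_ID}"
CUSTOM_CLAIMS = ["loyaltyTier"]  # assumed custom claim name, not from the page


def authorize_url(tenant_id: str, client_id: str) -> str:
    # Scope must target your own exposed API, not Graph, for the
    # custom claims provider output to land in the access token.
    params = {
        "client_id": client_id,
        "response_type": "id_token token",
        "redirect_uri": "https://jwt.ms",
        "scope": f"api://{client_id}/.default openid",
        "state": "12345",
        "nonce": "12345",
    }
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize?" + urlencode(params)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(payload: dict) -> str:
    # Constructed, unsigned token for local demonstration only.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(payload).encode())}."


def check_custom_claims(token: str, expected_aud: str, claim_names: list) -> dict:
    # Reads the payload only; a real API validates the signature, issuer
    # and expiry first. Returns whether the audience is our API and which
    # expected custom claims are absent.
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    aud = claims.get("aud")
    audience_ok = aud == expected_aud or (isinstance(aud, list) and expected_aud in aud)
    missing = [name for name in claim_names if name not in claims]
    return {"audience_ok": audience_ok, "missing": missing}
```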
