Adding custom/extension attributes to the JWT in Entra External ID (CIAM)

Rory Braybrook
The new control plane
3 min readAug 8, 2024
Text = Custom attrubutes

Read this post first.

The sample I used is a web app. calling a ToDo list API.

There seem to be two ways to do this. I’ll go through both of them.

Method one

Let’s call the custom attribute “Custom”.

In the user flow for the application, add the custom attribute.

Image showing “Custom” bring added in “Custom user attributes”

In the web app. overview, click the managed application. This takes you to the Enterprise application blade.

Image showing “managed application in local directory”

Then click SSO and then edit “Attributes and claims”.

Image showing “SSO” / “Edit”

Then select “Add new claim” and then “Directory schema extension”

Image showing source = “Directory schema extension”

Then select the “b2c-extensions-app”.

Image showing select “b2c-extensions-app”

Then select the attribute and “Add”.

Image showing the attribute in “Add extension attribures”

Then, in the application registration, select “Manifest” and set “acceptMappedClaims” to true and “allowPublicClient” to true.

{
"id": "dd9...dce",
"acceptMappedClaims": true,
"accessTokenAcceptedVersion": 2,
"addIns": [],
"allowPublicClient": true
...
}

Add the extension attribute to the user as per the above post.

"extension_276...f43_EmployeeID": "098765",
"extension_a3d...8c4_Custom": "123456",

Now when you run the application and authenticate, you will see the attribute in the ID token.

Image showing “Custom” in the JWT with value = 123456

Method two

Run the PowerShell scripts in the above post to create the extension attribute, i.e. “EmployeeID”.

Create the attribute, link it to an application and add it to the user.

In the ToDo API application, in the token configuration section, select “Access token”, and you should see “EmployeeID” in the claim list. Then add it.

Image showing “Token configuration” / “Add optional cliam”

Now, run the application and authenticate.

Then click “To-Do’s” and add a task and click “Create”.

Image showing creating a ToDo

The access token then looks like this:

Image showing access token with EmployeeID claim = 098765

Note the two scopes that we added to the application.

All good!

--

--

The new control plane
The new control plane

Published in The new control plane

“Identity is the new control plane”. Articles around Microsoft Identity, Auth0 and identityserver. Click the “Archive” link at the bottom for more posts.

Rory Braybrook
Rory Braybrook

Written by Rory Braybrook

NZ Microsoft Identity dude and MVP. Azure AD/B2C/ADFS/Auth0/identityserver. StackOverflow: https://bit.ly/2XU4yvJ Presentations: http://bit.ly/334ZPt5

No responses yet