Adding custom/extension attributes to the JWT in Entra External ID (CIAM)

Rory Braybrook
The new control plane
3 min read · Aug 8, 2024
Text = Custom attributes

Read this post first.

The sample I used is a web app calling a ToDo list API.

There seem to be two ways to do this. I’ll go through both of them.

Method one

Let’s call the custom attribute “Custom”.

In the user flow for the application, add the custom attribute.

Image showing “Custom” being added in “Custom user attributes”

In the web app overview, click the managed application. This takes you to the Enterprise application blade.

Image showing “managed application in local directory”

Then click SSO and then edit “Attributes and claims”.

Image showing “SSO” / “Edit”

Then select “Add new claim” and then “Directory schema extension”.

Image showing source = “Directory schema extension”

Then select the “b2c-extensions-app”.

Image showing select “b2c-extensions-app”

Then select the attribute and “Add”.

Image showing the attribute in “Add extension attributes”

Then, in the application registration, select “Manifest” and set “acceptMappedClaims” to true and “allowPublicClient” to true.

{
    "id": "dd9...dce",
    "acceptMappedClaims": true,
    "accessTokenAcceptedVersion": 2,
    "addIns": [],
    "allowPublicClient": true
    ...
}

Add the extension attribute to the user as per the above post.

"extension_276...f43_EmployeeID": "098765",
"extension_a3d...8c4_Custom": "123456",

Now when you run the application and authenticate, you will see the attribute in the ID token.

Image showing “Custom” in the JWT with value = 123456

Method two

Run the PowerShell scripts in the above post to create the extension attribute, i.e. “EmployeeID”.

Create the attribute, link it to an application and add it to the user.

In the ToDo API application, in the token configuration section, select “Access token”, and you should see “EmployeeID” in the claim list. Then add it.

Image showing “Token configuration” / “Add optional claim”

Now, run the application and authenticate.

Then click “To-Do’s” and add a task and click “Create”.

Image showing creating a ToDo

The access token then looks like this:

Image showing access token with EmployeeID claim = 098765

Note the two scopes that we added to the application.
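Both methods end with a screenshot of a decoded token: the ID token carrying the extension_…_Custom claim in method one, and the access token carrying extension_…_EmployeeID plus the two scopes in method two. The following Python is an added example (not from this post or the Microsoft sample) that does the same inspection in code: it decodes the payload of a token, maps every extension_<appId>_<Name> claim back to its friendly attribute name, filters out claims owned by a different extensions app, and checks the scp claim. The app IDs, the scope names ToDoList.Read / ToDoList.ReadWrite and the sample token are constructed placeholders, since the post elides its own identifiers; the decoder deliberately does not verify the signature, so it is for looking at tokens you obtained yourself, not for a relying party accepting them.

```python
import base64
import json
import re
from typing import Optional

# Extension attributes surface in tokens as extension_<appId>_<Name>, where
# <appId> is the client id of the owning b2c-extensions-app with dashes removed.
EXTENSION_CLAIM = re.compile(r"^extension_([0-9a-fA-F]{32})_(.+)$")


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT WITHOUT verifying the signature.

    Inspection only: a relying party must validate signature, issuer,
    audience and expiry (e.g. with MSAL/Microsoft.Identity.Web) before
    trusting any claim, extension claims included.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def extension_claims(claims: dict, extensions_app_id: Optional[str] = None) -> dict:
    """Map friendly attribute names to values for every extension_* claim.

    When extensions_app_id is given, claims owned by any other application
    are ignored, so a token cannot smuggle a look-alike attribute name.
    """
    wanted = extensions_app_id.replace("-", "").lower() if extensions_app_id else None
    found = {}
    for name, value in claims.items():
        m = EXTENSION_CLAIM.match(name)
        if not m:
            continue
        owner, attr = m.group(1).lower(), m.group(2)
        if wanted and owner != wanted:
            continue
        found[attr] = value
    return found


def has_scopes(claims: dict, required: set) -> bool:
    """Access tokens list delegated permissions in a space-separated 'scp' claim."""
    granted = set(claims.get("scp", "").split())
    return required <= granted


def make_inspection_token(payload: dict) -> str:
    """Build a constructed token with an empty signature segment so the
    example runs offline; it would fail any real validation, by design."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed placeholders; the post elides its real app ids.
EXTENSIONS_APP_ID = "a3d00000-0000-4000-8000-0000000008c4"
OTHER_APP_ID = "f" * 32
_EXT = EXTENSIONS_APP_ID.replace("-", "")
SAMPLE_CLAIMS = {
    "aud": "dd900000-0000-4000-8000-000000000dce",
    "scp": "ToDoList.Read ToDoList.ReadWrite",
    f"extension_{_EXT}_EmployeeID": "098765",
    f"extension_{_EXT}_Custom": "123456",
    f"extension_{OTHER_APP_ID}_Custom": "not-ours",  # owned by a different app
}
SAMPLE_TOKEN = make_inspection_token(SAMPLE_CLAIMS)


def inspect(token: str) -> dict:
    """Summarise what the post's screenshots show: attributes and scopes."""
    claims = decode_jwt_payload(token)
    return {
        "attributes": extension_claims(claims, EXTENSIONS_APP_ID),
        "has_todo_scopes": has_scopes(claims, {"ToDoList.Read", "ToDoList.ReadWrite"}),
    }


if __name__ == "__main__":
    print(json.dumps(inspect(SAMPLE_TOKEN), indent=2))
```

Passing the extensions app's client id to extension_claims is the part worth keeping: without the owner check, any extension_…_Custom claim, whichever application registered it, would be treated as the one you added in the user flow.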

All good!
