
I am trying to customize the ID token in Azure AD.

I did the following steps:

1- Registered an Azure AD application

2- Post extension:

https://graph.microsoft.com/v1.0/applications/Object ID/extensionProperties

Payload: {"name":"test","dataType":"string","targetObjects":["User"]}

3- Create claims mapping policy

https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies

Payload:

{"definition":[{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true","ClaimsSchema": [{"Source":"user","ExtensionID":"extension_Application (client)ID_test","JwtClaimType":"test"}]}}],"displayName":"test","isOrganizationDefault":true}

4- Post service principal

https://graph.microsoft.com/v1.0/servicePrincipals/Object ID of the Managed application/claimsMappingPolicies/$ref

Payload: {"@odata.id":"https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/(The policy Id I got from step 4"}

5- I patched a user

https://graph.microsoft.com/v1.0/users/userID {"extension_Application (client)ID_test":"test"}

6- I edited the Manifest (see Manifest)

6- I tried to get the ID token for the user I patched in step 5 from https://login.microsoftonline.com/**tenant Id**/oauth2/v2.0/token with headers (client_id, client_secret, scope: https://graph.microsoft.com/.default, username, password)

7- I decoded the token; I don't see "test" as part of the token

Not sure what I am missing here to customize the token


Screenshot to show that I am missing Token configuration in the blade.

Screenshot to show that I can't find the permission Directory.AccessAsUser.All (missing API permission).
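The Graph request bodies from steps 2 to 4 and the token check from step 7, as an added Python example that is not part of the original post. It encodes two details of the Graph schema: a directory extension is named `extension_{client ID without hyphens}_{name}`, and each element of a claims mapping policy's `definition` is a JSON-serialized string rather than a nested object. The client ID and the token are constructed placeholders; no Graph call is made.

```python
import base64
import json


def extension_property_name(client_id: str, name: str) -> str:
    """Graph names a directory extension extension_{appId without hyphens}_{name}."""
    return f"extension_{client_id.replace('-', '')}_{name}"


def claims_mapping_policy_body(client_id: str, name: str, jwt_claim: str,
                               display_name: str,
                               organization_default: bool = False) -> dict:
    """Request body for POST /policies/claimsMappingPolicies.

    The `definition` property is a collection of strings, so the policy
    object is serialized with json.dumps and placed in the list as a string.
    """
    policy = {"ClaimsMappingPolicy": {
        "Version": 1,
        "IncludeBasicClaimSet": "true",
        "ClaimsSchema": [{
            "Source": "user",
            "ExtensionID": extension_property_name(client_id, name),
            "JwtClaimType": jwt_claim,
        }],
    }}
    return {"definition": [json.dumps(policy)],
            "displayName": display_name,
            "isOrganizationDefault": organization_default}


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is not verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def has_claim(token: str, claim: str) -> bool:
    """True when the mapped claim is present in the decoded token payload."""
    return claim in jwt_claims(token)


def build_unsigned_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token used only to exercise jwt_claims()."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    cid = "11111111-2222-3333-4444-555555555555"   # constructed placeholder client ID
    print(json.dumps(claims_mapping_policy_body(cid, "test", "test", "test"), indent=2))
    print(has_claim(build_unsigned_sample_token({"aud": cid, "test": "test"}), "test"))
```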


1 Answer


Once the extension claim setup is done, it can be used to store and retrieve data via Graph, as extension properties may not be passed in ID tokens but can be retrieved by querying the user profile from Graph. Or the application can make use of the Graph client to pass the extension claims which are not taken from the available optional claims from Azure AD.

Please make sure to have the Directory.AccessAsUser.All, Directory.Read.All and openid permissions granted.

Also please check the optional claims set in the manifest.

Then check in Token configuration if it is a valid claim.

References:

  1. Emitting claims with data from directory schema extension attributes created for an application using Graph
  2. azure-ad-custom-attributes-and-optional-claims-from-an-asp-dot-net-application

Edit: update 13/4/2022

Like you said in comments:

Like the most obvious difference now (Token configuration is not available and the API permission for Directory.AccessAsUser.All is not there)

I tried to check in which way I could not see those features in the Overview blade of the AAD portal.

I had all those features as I was using an organizational Azure AD premium 2 licensed tenant.

But when I tried to create another tenant with the same account, switched tenant to work on it and created an app registration, the App registration blade didn't have the Token configuration and API permissions like Directory.AccessAsUser.All, as you mentioned.

Then I realized its license is an Azure AD free account.

So from my point of view, please try to utilize the pay-as-you-go account, or the one which the organization has subscribed to with a premium license, which would give a better experience.

Also you can check the ongoing issue here:

Q&A missing-features-in-my-azure-ad-tenant.

active-directory-optionalclaims-example


3 Comments

Thank you for the answer. There are two things on my side. First: I don't see the permission Directory.AccessAsUser.All. Also the option of Token configuration is not available on my side. One more question: is adding optionalClaims in the Manifest a manual step? Shouldn't it be updated automatically while we are mapping the policy? I am updating my post with screenshots for the same.
Like the most obvious difference now (Token configuration is not available and the API permission for Directory.AccessAsUser.All is not there).
Hey @panm20297! Added an edit in the answer section regarding missing features. OptionalClaims may need to be modified by us in the manifest manually. Also check the openid and profile permissions. Added an image for reference in the above, before the edit.
