'Customize token in Azure AD

I am trying to customize id token in Azure AD ..

I did the following steps :

1-Registered Azure AD application

2-Post extension:

https ://graph.microsoft.com/v1.0/applications/Object ID/extensionProperties

Payload : {"name":"test","dataType":"string","targetObjects":["User"]}

3-Create claim Mapping Policy

https ://graph.microsoft.com/v1.0/policies/claimsMappingPolicies

Payload

{"definition":[{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true","ClaimsSchema": [{"Source":"user","ExtensionID":"extension_Application (client)ID_test","JwtClaimType":"test"}]}}],"displayName":"test","isOrganizationDefault":true}

4-Post service principal

https: // graph.microsoft.com/v1.0/servicePrincipals/Object ID of the Managed application /claimsMappingPolicies/$ref

Payload : {"@odata.id":"https: //graph.microsoft.com/v1.0/policies/claimsMappingPolicies/(The policy Id I got from step 4"}

5- I patched a user

https: // graph.microsoft.com/v1.0/users/usreID {"extension_Application (client)ID_test":"test"}

6- I edited the Mainifest See Mainifest

6- I tired to get the ID token for the user I patched in step 5 https://login.microsoftonline.com/**tenant Id**/oauth2/v2.0/token with headers(client_id,client_secret,scope:https://graph.microsoft.com/.default,usernam,password)

7- I decoded the token , I don't see "test" as part of the token

Not sure what I am missing here to customize the token

Screenshot to show that I am missing token configuration in the blade Missing token configuration in the blade

Screenshot to show that I can't find permission : Directory.AccessAsUser.All

missing API permission

azureazure-active-directory


Solution 1:[1]

Once the extension claim setup is done, it can be used to store and retrieve data via graph as extension properties may not passed in id tokens, but can be retrieve by querying the user profile from the Graph. or The application can make use of graph client to pass the extension claims which are not taken from available optional claims from azure ad.

Please make sure to have the Directory.AccessAsUser.All ,Directory.Read.All,openId permissions granted.

enter image description here Also please check with optional claims set in manifest .

enter image description here

Then check in token configuration, if it is valid claim.

References :

  1. Emitting claims with data from directory schema extension attributes created for an application using Graph
  2. azure-ad-custom-attributes-and-optional-claims-from-an-asp-dot-net-application

Edit:update 13/4/2022

Like you said in comments:

Like the Most obvious difference now ( Token configuration is not available and api permssion for Directory.AccessAsUser.All is not there)

I tried to check in which way i cannot be able to see those features in Overview blade of AAD portal.

I had all those features as i was using organizational Azure AD premium 2 licensed tenant.

But when i tried to create another tenant with same account and switched tenant to work on it and created an app registration. App registration blade doesn't have the token configuration and api permissions like Directory.AccessAsUser.All as you mentioned.

enter image description here

Then i realized its license is azure ad free account.

enter image description here

So from my point of view please try to utilize the pay as you go account or which the organization had been subscribed to premium license which would give a better experience .

Also you can check the ongoing issue here

Q&A missing-features-in-my-azure-ad-tenant.

active-directory-optionalclaims-example

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1

Related Questions