Azure AD Custom Claims in JWT


Based on this official doc:

Access tokens are always generated using the manifest of the resource, not the client. So in the request ...scope=https://graph.microsoft.com/user.read... the resource is Graph. Thus, the access token is created using the Graph manifest, not the client's manifest. Changing the manifest for your application will never cause tokens for Graph to look different. In order to validate that your accessToken changes are in effect, request a token for your application, not another app.

And based on your requirement, it is impossible to make changes to an access token whose resource is SharePoint Online, which is a multi-tenant app created and managed by MSFT.

For this doc, I also did some research for you. And the same applies: you should have control of the service-side app so that you can make that happen.

This is my policy role assignment command:

$nsp = New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema": [{"Source":"user","ID":"mailnickname","JwtClaimType":"testclaim"}]}}') -DisplayName "StanCustomCliamDemo_surname" -Type "ClaimsMappingPolicy"

Add-AzureADServicePrincipalPolicy -RefObjectId $nsp.Id -Id '<obj id of service side app>'

Token result: [screenshot of the decoded token]

What's more, please note that extension_<appId>_customUserRoles is not a valid user source ID. For all valid user source IDs, please refer to here.

Hope it helps.
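As an added example that is not part of the question or answer, here is a Python check applying the answer's point: decode an access token's payload (without verifying the signature, as jwt.ms does) and read `aud` to see which resource the token was minted for, plus a sanity check of a ClaimsMappingPolicy definition that flags extension_<appId>_* IDs as invalid user source IDs. The payload, client id and user are constructed placeholders.

```python
import base64
import json

# Constructed sample payload (not a real token): 'aud' is the SharePoint
# resource from the question, so Azure AD built it from SharePoint's manifest.
SAMPLE_PAYLOAD = {
    "aud": "https://mytenant.sharepoint.com",
    "appid": "11111111-1111-1111-1111-111111111111",  # placeholder client id
    "upn": "user@mytenant.onmicrosoft.com",          # placeholder user
}

def b64url(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    """Return the payload claims without verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with 3 segments")
    return json.loads(b64url(parts[1]))

def explain_missing_claim(token: str, my_app_id: str, claim: str) -> str:
    """Apply the answer's rule: mapped claims come from the manifest and policy
    of the resource named in 'aud', so first check whose token this is."""
    claims = jwt_claims(token)
    if claim in claims:
        return "present"
    aud = claims.get("aud", "")
    if aud in (my_app_id, f"api://{my_app_id}"):
        return "own resource: check the policy was added to this app's service principal"
    return f"foreign resource: token is for {aud}; only its owner's manifest defines its claims"

def check_policy_definition(definition: str) -> list:
    """Sanity-check a ClaimsMappingPolicy definition before New-AzureADPolicy;
    extension_<appId>_* IDs are flagged because they are not valid user source IDs."""
    policy = json.loads(definition).get("ClaimsMappingPolicy")
    if policy is None:
        return ["missing top-level ClaimsMappingPolicy object"]
    problems = []
    for entry in policy.get("ClaimsSchema", []):
        problems += [f"schema entry missing {k}" for k in ("Source", "ID", "JwtClaimType") if k not in entry]
        if entry.get("Source") == "user" and entry.get("ID", "").startswith("extension_"):
            problems.append(f"{entry['ID']} is not a valid user source ID")
    return problems

def constructed_token(payload: dict) -> str:
    """Assemble a demo token with a placeholder (unsigned) third segment."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(payload), "placeholder"])
```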

Author: halshing

Updated on June 22, 2022

Comments

  • halshing (almost 2 years)

    I have an Azure AD app and I am trying to add custom claims to a JWT. I'm using the claims mapping feature in Azure for my specific app, and updated the app manifest in the Azure Portal to include the optional claims. However, when I log in and view the decoded access token, the claim is not present in the token. I haven't found much documentation relating to using extension attributes as claims, but from what I've found it should follow the same patterns; however, it is not working as expected.

    How do I add a custom claim, sourced from a custom property in the user object in AD, to a JWT when the user logs in?

    Thanks in advance!

    Steps to re-create

    1. Use the Azure AD Graph API to register a directory extension

    Request:

    POST https://graph.windows.net/mytenant.onmicrosoft.com/applications/<application-object-id>/extensionProperties?api-version=1.5

    Body:

    {
       "name": "customUserRoles",
       "dataType": "String",
       "targetObjects": ["User"]
    }
    
    2. Write a value to the extension for a specific AD user

    Request:

    PATCH https://graph.windows.net/mytenant.onmicrosoft.com/users/[email protected]?api-version=1.5

    Body:

    {
       "extension_<appId>_customUserRoles": "My Custom Role 1, Another Role 2"
    }
    
    3. In PowerShell, I installed the Azure AD module: Install-Module -Name AzureADPreview
    4. Create an Azure AD policy
    New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version": 1, "IncludeBasicClaimSet": "true", "ClaimsSchema": [ { "Source": "user", "ID": "extension_<appId>_customUserRoles", "JwtClaimType": "customUserRoles" } ] } }') -DisplayName "customUserRoles" -Type "ClaimsMappingPolicy"
    
    5. Add the policy to the service principal
    Add-AzureADServicePrincipalPolicy -Id <service-principal-id> -RefObjectId <azure-ad-policy-id>
    
    6. In the Azure Portal, navigate to Azure AD -> App Registrations -> My App -> Manifest
    7. Update the following properties
    {
       ...
       "acceptMappedClaims": true,
       "optionalClaims": {
          "idToken": [
             {
                "name": "extension_<appId>_customUserRoles",
                "source": "user",
                "essential": false
             }
          ],
          "accessToken": [
             {
                "name": "extension_<appId>_customUserRoles",
                "source": "user",
                "essential": false
             }
          ],
          "samlToken": []
       }
    }
    
    8. Save the file
    9. Navigate to https://login.microsoftonline.com/mytenant.onmicrosoft.com/oauth2/authorize?client_id=<appId>&response_type=token&resource=https://mytenant.sharepoint.com and log in with the Azure AD user account [email protected]
    10. In the URL, copy the value of the access_token parameter
    11. Navigate to https://jwt.ms and paste the access token in the text area
    12. In the decoded token section, the custom claim customUserRoles is not present

    My expectation is I should see a new claim called customUserRoles or extn.customUserRoles in the decoded token.

    What steps am I missing? I haven't gotten any errors throughout this process, but it doesn't appear to be working as the documentation suggests.


    Reference Material

    I have read through Microsoft's documentation on these topics:

    Optional Claims: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims

    Claims Mapping: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping


    I have also read through various forum posts and blog articles relating to this:

    https://devonblog.com/cloud/azure-ad-adding-employeeid-claims-in-azure-ad-jwt-token/

    http://www.redbaronofazure.com/?p=7566

    https://social.msdn.microsoft.com/Forums/en-US/3e5114b6-24d6-4c60-b72b-b4c90baeecac/access-token-missing-optional-claims-that-are-schema-extensions-implicit-grant-flow

    https://social.msdn.microsoft.com/Forums/en-US/dbeeed63-8d3f-4c27-b416-431f9fe6c729/providing-directory-extension-optional-claims-and-returning-value-within-token?forum=WindowsAzureAD