
I have created an Azure AD web application. Now I am getting my access_token using the following API:

    POST https://login.microsoftonline.com/{Directory (tenant) ID}/oauth2/v2.0/token

    password: pass
    client_id: id
    resource: https://graph.microsoft.com
    grant_type: password
    client_secret: secret
    username: userName
    scope: https://rbsessence.onmicrosoft.com/0a7c94a0-0c4e-4f95-ba06-XXXX/.default

The response looks like:

    {
        "token_type": "Bearer",
        "scope": "https://rbsessence.onmicrosoft.com/0a7c94a0-0c4e-4f95-ba06-XXXXX/myTestRole https://rbsessence.onmicrosoft.com/0a7c94a0-0c4e-4f95-ba06-XXXXXX/user_impersonation https://rbsessence.onmicrosoft.com/0a7c94a0-0c4e-4f95-ba06-XXXXX/.default",
        "expires_in": 3599,
        "ext_expires_in": 3599,
        "access_token": "accessToken"
    }

Now I am passing the access_token to a third-party application which is configured with the same Azure AD client. That third party expects a custom claim, "policy":"readwrite", to be passed as part of the access_token. How can I achieve this?

Shreyas Holla P

1 Answer

Please refer to the following steps (you can do the Microsoft Graph operations in Microsoft Graph Explorer to save time):

Create an extensionProperty (you could use a newly created Azure AD application here):

Post https://graph.microsoft.com/v1.0/applications/{object id of the Azure AD application}/extensionProperties

{"name":"policy","dataType":"string","targetObjects":["User"]}

It will generate an extension property named extension_{client id of the Azure AD application}_policy.

Secondly, you can update the extension property for your account:

Patch https://graph.microsoft.com/v1.0/me

{"extension_6d8190fbf1fe4bc38a5a145520221989_policy":"readwrite"}

Then create a claimsMappingPolicy:

Post https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies

{"definition":["{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\", \"ClaimsSchema\": [{\"Source\":\"user\",\"ExtensionID\":\"extension_6d8190fbf1fe4bc38a5a145520221989_policy\",\"JwtClaimType\":\"policy\"}]}}"],"displayName":"ExtraClaimsAllen1Example","isOrganizationDefault":true}

Assign the claimsMappingPolicy to a servicePrincipal. Please note that the servicePrincipal here is the enterprise application which represents your third party application. In your case it is 0a7c94a0-0c4e-4f95-ba06-XXXX.

Post https://graph.microsoft.com/v1.0/servicePrincipals/{object id of the servicePrincipal which represents your third party application}/claimsMappingPolicies/$ref

{"@odata.id":"https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/{policy id from the previous step}"}

You could find the servicePrincipal from Azure Portal -> Azure Active Directory -> App registrations -> find your third party Azure AD app -> Overview -> click on the name of its associated service principal.


Now go back to the manifest file of the third party Azure AD app. Set acceptMappedClaims to true and accessTokenAcceptedVersion to 2.


Then when we request an access token for the third party application with ROPC grant flow, we can get the custom claim.


Allen Wu
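As an added example (not code from the question, the answer, or Microsoft), the following Python builds the four Graph request bodies the answer walks through, including the claimsMappingPolicy definition that must be a JSON string nested inside a JSON array, and decodes a returned token to confirm the mapped claim is present. The function names, the object ids and the user principal name are placeholders, and the sample token is constructed locally rather than issued by Azure AD.

```python
import base64
import json

def extension_property_name(app_client_id: str, name: str = "policy") -> str:
    # Azure AD names the directory extension after the app (client) id with its dashes removed.
    return f"extension_{app_client_id.replace('-', '')}_{name}"

def build_claims_mapping_policy(app_client_id: str, display_name: str,
                                name: str = "policy", jwt_claim_type: str = "policy") -> dict:
    # Graph wants 'definition' as a list holding the policy as a JSON *string*, so the
    # inner object is serialised first and then embedded (the escaping the answer shows).
    policy = {"ClaimsMappingPolicy": {
        "Version": 1, "IncludeBasicClaimSet": "true",
        "ClaimsSchema": [{"Source": "user",
                          "ExtensionID": extension_property_name(app_client_id, name),
                          "JwtClaimType": jwt_claim_type}]}}
    return {"definition": [json.dumps(policy)], "displayName": display_name,
            "isOrganizationDefault": True}

def graph_steps(app_object_id: str, app_client_id: str, sp_object_id: str,
                policy_id: str, user: str = "me", value: str = "readwrite") -> list:
    # The four Graph calls from the answer, as (method, path under /v1.0, body) tuples.
    # Pass a UPN or object id as `user` to set the value for a normal user instead of /me.
    ext = extension_property_name(app_client_id)
    return [
        ("POST", f"/applications/{app_object_id}/extensionProperties",
         {"name": "policy", "dataType": "string", "targetObjects": ["User"]}),
        ("PATCH", "/me" if user == "me" else f"/users/{user}", {ext: value}),
        ("POST", "/policies/claimsMappingPolicies",
         build_claims_mapping_policy(app_client_id, "ExtraClaimsExample")),
        ("POST", f"/servicePrincipals/{sp_object_id}/claimsMappingPolicies/$ref",
         {"@odata.id": "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/"
                       + policy_id}),
    ]

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def read_mapped_claim(access_token: str, claim: str = "policy") -> tuple:
    # Decodes the payload WITHOUT verifying the signature: fine for checking that the
    # mapping applied, but the third-party API must validate the token before trusting 'policy'.
    _header, payload, _sig = access_token.split(".")
    body = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return body.get(claim), body.get("ver")

def sample_token(claims: dict) -> str:
    # Constructed, unsigned JWT-shaped string for offline testing; not a real Azure AD token.
    return _b64url(b'{"alg":"none"}') + "." + _b64url(json.dumps(claims).encode()) + "."
```

Each tuple from graph_steps maps onto one request in the answer; the PATCH step is the one to repeat per user, as the comment about normal users points out.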
  • If my answer is helpful for you, you can accept it as answer. This can be beneficial to other community members. Thank you. – Allen Wu Aug 20 '20 at 04:27
  • @Allen Wu, @ Nishant, Thanks for the detailed steps. I delayed my response as I was trying options. After following the above steps I was able to map the custom claim and get the same as part of the access token for the user who is the owner of the application and who created the tenant. But the issue I am facing is I am not able to get the custom claim for the normal user as part of the access_token, even though I have selected the option "Admins and users" for who can consent while creating the scope. – Shreyas Holla P Aug 24 '20 at 06:33
  • @ShreyasHollaP You should update the extension property for all the normal users. Use `Patch https://graph.microsoft.com/v1.0/users/{username} {"extension_6d8190fbf1fe4bc38a5a145520221989_policy":"readwrite"}` – Allen Wu Aug 24 '20 at 06:39
  • @AllenWu Thanks for the quick response, will try the same and update. – Shreyas Holla P Aug 24 '20 at 06:40
  • @ShreyasHollaP Np, have a nice day:) – Allen Wu Aug 24 '20 at 06:45
  • The response I am getting from https://login.microsoftonline.com/a002392a-02d6-XXXXXXXX/oauth2/v2.0/token does not contain id_token, how to enable the same? – Shreyas Holla P Aug 25 '20 at 05:50
  • @ShreyasHollaP Include `openid` in `scope`. For example: `scope=user.read%20openid%20profile%20offline_access`. See https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc. – Allen Wu Aug 25 '20 at 07:07
  • Thanks again, was able to get id_token after passing openid as scope. – Shreyas Holla P Aug 25 '20 at 07:32
  • Is there a way to achieve this for a client credential flow when there is no user involved? I want to give access to my API for third party clients, but I need to send a CustomerId in the token, so it only has access to its own data. – user1784297 Sep 11 '22 at 22:25