
I have followed the below Stack Overflow link (the answer provided by Allen Wu): How to add a custom claim and retrieve the same as part of access_token, when the scope is not Graph API in Azure AD?

I followed it to add a custom claim to the access token, but I am getting an error when I try to assign the claimsMappingPolicy to a servicePrincipal.

I opened Microsoft Graph and executed a POST call like so:

https://graph.microsoft.com/v1.0/servicePrincipals/8b6e2827-b3fa-467b-940d-324c301ca606/claimsMappingPolicies/$ref

with the request body

{
    "@odata.id": "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/fce7f260-9598-426d-b8c2-7e589b25415b"
}

but I am getting a 409 response code with the following response preview:

{
    "error": {
        "code": "Request_MultipleObjectsWithSameKeyValue",
        "message": "Request contains property changes that would result in property-uniqueness violation(s). Please retry your request with corrected values.",
        "innerError": {
            "date": "2020-10-18T06:32:23",
            "request-id": "ae69cb4f-716d-4d56-a123-572c76ace2e0",
            "client-request-id": "29b0130e-8b7a-d09d-1188-2856c99dad8e"
        }
    }
}

1 Answer


It means the servicePrincipal has been assigned a claimsMappingPolicy.

If you assign another claimsMappingPolicy to it, you will get the 409 Conflict error.

You need to list the assigned claimsMappingPolicy first and then remove that claimsMappingPolicy.

Now you can assign claimsMappingPolicy to the servicePrincipal.

  • Thanks, @Allen, but the new claim is coming under id_token and not access_token. Any ideas on that? I need a few custom claims to be under access_token. – debanka Oct 19 '20 at 05:37
  • @debanka Are you sure? It should be in the access token based on my previous answer. Make sure you finished all the steps. – Allen Wu Oct 19 '20 at 05:45
  • In your previous answer you mentioned using the ROPC grant flow; I am using the authorization grant flow using PKCE. So first I get an auth code and then I exchange the auth code for the access_token, refresh_token and id_token. The problem is I am getting the custom claims in the id_token always. – debanka Oct 19 '20 at 06:10
  • @debanka I will run a test for you and keep you posted here. – Allen Wu Oct 19 '20 at 06:20
  • @debanka Based on my test, the authorization grant flow using PKCE also works. I think I know the reason. You need to acquire the access token for the servicePrincipal (service API). You should not use the servicePrincipal as the client app to get the token. See this screenshot: https://i.stack.imgur.com/NkIWg.png. The id in `scope` is the client id of the servicePrincipal. You should use another Azure AD app to get the access token for it. – Allen Wu Oct 19 '20 at 06:53
  • Thanks for the update @Allen. In your screenshot the client id and the id in your scope are not the same. So can you tell me how I can get the client id of the service principal? Or is that the same as the client id? – debanka Oct 19 '20 at 08:13
  • @debanka They are not the same. You need to learn about how to protect your web API with AAD. You can refer to this answer: https://stackoverflow.com/questions/64268984/authentication-to-azure-ad-protected-app-using-id-token?answertab=votes#tab-top. You need to register 2 Azure AD apps, one for the client app (front) and the other for the API app (backend). – Allen Wu Oct 19 '20 at 08:28
  • @debanka In this case, the servicePrincipal is the API app (backend). So in my screenshot the id in `scope` is the client id of the API app (backend), and the "client id" is the client id of the client app (front). You can find them in Azure Active Directory -> App registrations. – Allen Wu Oct 19 '20 at 08:29
  • Thanks @Allen, so I have created 2 Azure AD apps, one client-app (front-end) and one backend-app. So now if I want to have a custom claim in my access token, as per your answer in the link https://stackoverflow.com/questions/63483491/how-to-add-a-custom-claim-and-retrieve-the-same-as-part-of-access-token-when-th, when I assign the claimsMappingPolicy to a servicePrincipal, I should use the servicePrincipal of the backend-app, right? – debanka Oct 19 '20 at 11:29
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/223286/discussion-between-debanka-and-allen-wu). – debanka Oct 19 '20 at 11:55
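The list / unassign / assign sequence from the answer, written out as an added example (this is not code from the question, the answer, or Microsoft's SDKs). It uses the three Graph v1.0 endpoints the thread refers to and interprets the exact 409 body shown in the question. The transport is injected so the same logic runs against a constructed in-memory stand-in (`FakeGraph`, which keeps at most one policy link per service principal and answers 409 on a second POST, mirroring the behaviour the answer describes); `http_transport` is what you would pass in against a real tenant. The bearer token, the `api-sp` / `old-policy` / `new-policy` identifiers and the required permissions are assumptions for illustration.

```python
"""Replace the claimsMappingPolicy linked to an Azure AD service principal via Graph.

Added example; not from the question or answer. Transport is injected so the
flow runs offline against FakeGraph; http_transport() targets the real tenant
and needs a token with Policy.ReadWrite.ApplicationConfiguration plus
Application.ReadWrite.All (assumed; check the Graph permission reference).
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Set, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
# A transport is any callable (method, url, json_body) -> (status_code, json_body).
Transport = Callable[[str, str, Optional[dict]], Tuple[int, dict]]


def odata_ref(policy_id: str) -> dict:
    """Body for POST .../claimsMappingPolicies/$ref, the same shape as in the question."""
    return {"@odata.id": f"{GRAPH}/policies/claimsMappingPolicies/{policy_id}"}


def list_assigned(send: Transport, sp_id: str) -> List[str]:
    """GET the claimsMappingPolicies currently linked to the service principal."""
    status, body = send("GET", f"{GRAPH}/servicePrincipals/{sp_id}/claimsMappingPolicies", None)
    if status != 200:
        raise RuntimeError(f"list failed: HTTP {status} {body}")
    return [p["id"] for p in body.get("value", [])]


def unassign(send: Transport, sp_id: str, policy_id: str) -> None:
    """DELETE the $ref link; Graph answers 204 No Content on success."""
    url = f"{GRAPH}/servicePrincipals/{sp_id}/claimsMappingPolicies/{policy_id}/$ref"
    status, body = send("DELETE", url, None)
    if status != 204:
        raise RuntimeError(f"unassign of {policy_id} failed: HTTP {status} {body}")


def assign(send: Transport, sp_id: str, policy_id: str) -> Tuple[int, dict]:
    """POST the $ref link; raw (status, body) is returned so a 409 can be inspected."""
    url = f"{GRAPH}/servicePrincipals/{sp_id}/claimsMappingPolicies/$ref"
    return send("POST", url, odata_ref(policy_id))


def is_already_assigned_conflict(status: int, body: dict) -> bool:
    """True for the 409 the question shows: some policy is already linked to the SP."""
    code = body.get("error", {}).get("code")
    return status == 409 and code == "Request_MultipleObjectsWithSameKeyValue"


def replace_policy(send: Transport, sp_id: str, policy_id: str) -> List[str]:
    """Make policy_id the only claimsMappingPolicy on sp_id; returns the ids removed."""
    existing = list_assigned(send, sp_id)
    if policy_id in existing:
        return []  # already linked; re-POSTing the same $ref would also yield 409
    removed = []
    for old in existing:  # the answer's step: remove before assigning
        unassign(send, sp_id, old)
        removed.append(old)
    status, body = assign(send, sp_id, policy_id)
    if is_already_assigned_conflict(status, body):
        raise RuntimeError("assign still conflicts: a policy remains linked to the SP")
    if status != 204:
        raise RuntimeError(f"assign failed: HTTP {status} {body}")
    return removed


def http_transport(bearer_token: str) -> Transport:
    """Transport against the real Graph endpoint (network and a valid token required)."""
    def send(method: str, url: str, body: Optional[dict]) -> Tuple[int, dict]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Authorization", f"Bearer {bearer_token}")
        if data is not None:
            req.add_header("Content-Type", "application/json")
        try:
            with urllib.request.urlopen(req) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else {})
        except urllib.error.HTTPError as err:
            raw = err.read()
            return err.code, (json.loads(raw) if raw else {})
    return send


class FakeGraph:
    """Constructed stand-in for Graph: one policy link per SP, 409 on a second POST."""
    def __init__(self, assigned: Dict[str, Set[str]]):
        self.assigned = assigned  # sp_id -> set of linked policy ids (constructed state)

    def __call__(self, method: str, url: str, body: Optional[dict]) -> Tuple[int, dict]:
        parts = url[len(GRAPH):].strip("/").split("/")  # servicePrincipals/<sp>/claimsMappingPolicies/...
        links = self.assigned.setdefault(parts[1], set())
        if method == "GET":
            return 200, {"value": [{"id": p} for p in sorted(links)]}
        if method == "DELETE":
            links.discard(parts[3])
            return 204, {}
        if method == "POST":
            if links:
                return 409, {"error": {"code": "Request_MultipleObjectsWithSameKeyValue",
                                       "message": "property-uniqueness violation(s)"}}
            links.add(body["@odata.id"].rsplit("/", 1)[1])
            return 204, {}
        return 405, {}


if __name__ == "__main__":
    # Constructed sample: the API app's SP already carries an old policy, as in the question.
    fake = FakeGraph({"api-sp": {"old-policy"}})
    print(assign(fake, "api-sp", "new-policy"))          # 409, same error code as the question
    print(replace_policy(fake, "api-sp", "new-policy"))  # ['old-policy']
    print(list_assigned(fake, "api-sp"))                 # ['new-policy']
```

As the comment thread settles, `sp_id` here must be the service principal of the backend API app, and the client app must request a scope on that API for the mapped claims to land in the access token rather than only in the id_token. One further requirement, not covered on this page but worth knowing before testing: Azure AD only emits mapped claims in tokens for an API whose app registration has `acceptMappedClaims` set to `true` (or that uses a custom signing key); otherwise the token request is rejected even though the policy assignment above succeeds.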