
I have added about 18 extension claims to my access token. Based on the application state, you may get different claims from this list. I'm sure that those claims have values assigned. But for some reason, I'm not receiving all of them as part of my JWT access token. I can get these values using the Graph API.

Example of an extension claim from the JWT token:

    "extn.***_**_CreatedDate": [
        "30/09/2022 12:21:01 PM +00:00"
    ]

Example of the application manifest token configuration:

    "optionalClaims": {
        "idToken": [
            {
                "name": "extension_someguid_***_***_CreatedDate",
                "source": "user",
                "essential": false,
                "additionalProperties": []
            }
        ]
    }

Are there any limits on the number of claims/extension claims added to an AAD access token?

1 Answer


If the application sends claims with data in the form of an extension attribute registered on a different application, a claims mapping policy must be used to map the extension attribute to the claim.

    # The policy definition is a JSON document passed as a single string; the
    # trailing parameters stay on the same logical command line so PowerShell
    # does not treat them as separate statements.
    New-AzureADPolicy -Definition @('{
        "ClaimsMappingPolicy": {
            "Version": 1,
            "IncludeBasicClaimSet": "true",
            "ClaimsSchema": [
                {
                    "Source": "user",
                    "ID": "employeeid",
                    "SamlClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/employeeid",
                    "JwtClaimType": "employeeid"
                },
                {
                    "Source": "company",
                    "ID": "tenantcountry",
                    "SamlClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country",
                    "JwtClaimType": "country"
                }
            ]
        }
    }') -DisplayName "ExtraClaimsExample" -Type "ClaimsMappingPolicy"


  • accessTokenAcceptedVersion must be set to a supported value (1, 2, or null), depending on the issuer endpoint obtained from the token.
  • "acceptMappedClaims" must be set to true for a single-tenant app.

Also make sure to add the claims under accessToken in the manifest.


Note:

  1. If you want to have the claims in the access token, you may need to modify the manifest of the resource app, i.e. if you have a web app that calls Web API B and you want the claims in the access_token, you need to modify the manifest of Web API B.
  2. Only extension attributes on user objects can be used for emitting claims to applications.

When adding claims to the access token, the claims emitted are for a web API and are not requested by the client application. So you will only see the claims emitted in access tokens requested for the web API application.

Reference: Use Azure AD directory extension attributes in claims - Microsoft Entra | Microsoft Learn

kavyaS
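As an added example (not part of the question or the answer above), a small Python check that flags the manifest settings the answer lists, including extension claims configured only under idToken, and diffs a decoded access token against the extension claims you expect. The manifest, token and claim names are constructed samples.

```python
import base64
import json

# Constructed manifest fragment reproducing the question: the extension claim is
# listed only under idToken, acceptMappedClaims is unset and the version is unsupported.
SAMPLE_MANIFEST = {
    "accessTokenAcceptedVersion": 3,
    "acceptMappedClaims": None,
    "optionalClaims": {
        "idToken": [{"name": "extension_someguid_CreatedDate", "source": "user",
                     "essential": False, "additionalProperties": []}],
        "accessToken": [],
    },
}

def check_manifest(manifest):
    """Return findings explaining why extension claims may be missing from the access token."""
    findings = []
    version = manifest.get("accessTokenAcceptedVersion")
    if version not in (1, 2, None):
        findings.append(f"accessTokenAcceptedVersion={version!r} is not 1, 2 or null")
    if manifest.get("acceptMappedClaims") is not True:
        findings.append("acceptMappedClaims is not true (required for a single-tenant app)")
    optional = manifest.get("optionalClaims") or {}
    id_names = {c["name"] for c in optional.get("idToken", [])}
    at_names = {c["name"] for c in optional.get("accessToken", [])}
    for name in sorted(id_names - at_names):
        findings.append(f"{name} is configured under idToken but not accessToken")
    return findings

def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample token with a placeholder signature (claim inspection only):
# only one of the two expected extension claims was emitted.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"aud": "api://example", "extn.CreatedDate": ["30/09/2022 12:21:01 PM +00:00"]}),
    "constructed-signature",
])
EXPECTED = ["extn.CreatedDate", "extn.Department"]

def missing_extension_claims(jwt, expected):
    """Decode the JWT payload (signature is not verified here) and list absent expected claims."""
    payload_b64 = jwt.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    return sorted(set(expected) - set(payload))
```

Run the two functions against a token obtained for the web API (not the client app), since the answer notes that mapped claims only appear in tokens requested for the resource.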