How to get a custom claim inside the access token

David De Jaeger 25 Reputation points
2024-11-07T15:04:31.7566667+00:00

Inside the docs there is a detailed explanation on how to add a claim from an external system (https://learn.microsoft.com/en-us/entra/identity-platform/custom-extension-tokenissuancestart-configuration?toc=%2Fentra%2Fexternal-id%2Ftoc.json&bc=%2Fentra%2Fexternal-id%2Fbreadcrumb%2Ftoc.json&tabs=azure-portal%2Cworkforce-tenant). However, the claim only gets added inside the id_token. I could not get this inside an access token, for example for a scenario when calling a web API from the SPA. Is this possible?

I could only get this inside the access token when using a custom attribute in the external tenant as an additional property (https://learn.microsoft.com/en-us/entra/external-id/customers/how-to-define-custom-attributes) and configuring it as an optional claim (https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims?toc=%2Fentra%2Fexternal-id%2Ftoc.json&bc=%2Fentra%2Fexternal-id%2Fbreadcrumb%2Ftoc.json&tabs=appui), because you can add these to the manifest but there is no such thing for a custom claims provider.

Microsoft Security | Microsoft Entra | Microsoft Entra External ID

Accepted answer
James Hamil 27,231 Reputation points Microsoft Employee Moderator
    2024-11-07T21:03:48.9366667+00:00

    Hi @David De Jaeger, yes you can do this. This is the general overview:

    1. If you haven't already, you need to create custom attributes in your tenant. These attributes can be used to store additional information about the user. Follow the guide here: Define custom attributes.
    2. You can specify which claims should be included in the access token by configuring optional claims in the app registration: Add or remove optional claims.
    3. If you require more advanced customization, you can create custom policies: Custom policies in Azure AD B2C.
    4. To call an external system to retrieve additional claims and add them to the token, you can use the API Connector feature: Custom claims provider.
    5. Verify that the application manifest is updated to include the optional claims. You can specify the optional claims in the manifest file of the app registration in Entra ID.

    For example:

    {
      "id": "your-app-id",
      "acceptMappedClaims": null,
      "accessTokenAcceptedVersion": 2,
      "knownClientApplications": [],
      "optionalClaims": {
        "idToken": [],
        "accessToken": [
          {
            "name": "extension_yourCustomAttribute",
            "source": null,
            "essential": false,
            "additionalProperties": []
          }
        ],
        "saml2Token": []
      },
      "groupMembershipClaims": null,
      "signInAudience": "AzureADMyOrg",
      "appRoles": [],
      "oauth2AllowImplicitFlow": true,
      "oauth2AllowUrlPathMatching": false,
      "oauth2Permissions": [],
      "oauth2RequirePostResponse": false,
      "allowPublicClient": null,
      "requiredResourceAccess": [],
      "preAuthorizedApplications": []
    }
    

    This should work for you, but without seeing your setup it's hard for me to pinpoint the exact problem point. If this still doesn't work please let me know.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James
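The following is an added example, not code from the original thread or from Microsoft: two small offline helpers for the procedure in the accepted answer. The first merges an optional claim for a directory extension attribute into an exported app manifest's `optionalClaims` block (step 5) without duplicating it and while tolerating the `"optionalClaims": null` that exported manifests sometimes carry. The second decodes the payload of a JWT, without verifying it, so you can check which of the two tokens (id_token vs access token) actually carries the claim, which is the symptom described in the question. The attribute name `extension_yourCustomAttribute` is taken from the answer's manifest; the sample tokens, issuer and audiences are constructed for the demo and nothing here talks to Entra.

```python
import base64
import copy
import json

# Assumed attribute name, matching the manifest in the accepted answer.
CLAIM_NAME = "extension_yourCustomAttribute"
TOKEN_TYPES = ("idToken", "accessToken", "saml2Token")


def add_optional_claim(manifest, claim_name, token_type="accessToken", essential=False):
    """Return a copy of the manifest with claim_name merged into
    optionalClaims[token_type]. Idempotent: running it twice does not
    duplicate the entry. Handles "optionalClaims": null and null lists."""
    if token_type not in TOKEN_TYPES:
        raise ValueError(f"unknown token type {token_type!r}")
    updated = copy.deepcopy(manifest)            # never mutate the caller's manifest
    optional = updated.get("optionalClaims") or {}
    for kind in TOKEN_TYPES:
        if optional.get(kind) is None:
            optional[kind] = []
    entries = optional[token_type]
    if not any(entry.get("name") == claim_name for entry in entries):
        entries.append({
            "name": claim_name,
            "source": None,
            "essential": essential,
            "additionalProperties": [],
        })
    updated["optionalClaims"] = optional
    return updated


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def token_claims(jwt):
    """Decode the payload of a compact JWT WITHOUT validating it.
    Inspection only: a web API must verify signature, iss, aud and exp with
    a proper library before acting on any claim, including the custom one."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def claim_present(jwt, claim_name):
    return claim_name in token_claims(jwt)


def where_is_claim(id_token, access_token, claim_name):
    """Report which token carries the claim. The situation in the question
    is {"id_token": True, "access_token": False}."""
    return {
        "id_token": claim_present(id_token, claim_name),
        "access_token": claim_present(access_token, claim_name),
    }


def _sample_token(claims):
    """Constructed, unsigned sample token for the demo (alg=none, empty
    signature). A real API must never accept a token like this."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed samples; the issuer, audiences and attribute value are invented.
_ISSUER = "https://contoso.ciamlogin.com/00000000-0000-0000-0000-000000000000/v2.0"
SAMPLE_ID_TOKEN = _sample_token(
    {"iss": _ISSUER, "aud": "spa-client-id", "sub": "user-1", CLAIM_NAME: "gold"})
SAMPLE_ACCESS_TOKEN_BEFORE = _sample_token(
    {"iss": _ISSUER, "aud": "api://web-api", "sub": "user-1", "ver": "2.0", "scp": "Orders.Read"})
SAMPLE_ACCESS_TOKEN_AFTER = _sample_token(
    {"iss": _ISSUER, "aud": "api://web-api", "sub": "user-1", "ver": "2.0",
     "scp": "Orders.Read", CLAIM_NAME: "gold"})
# Minimal exported manifest; optionalClaims is null as exported manifests often are.
SAMPLE_MANIFEST = {"id": "your-app-id", "accessTokenAcceptedVersion": 2, "optionalClaims": None}


if __name__ == "__main__":
    patched = add_optional_claim(SAMPLE_MANIFEST, CLAIM_NAME)
    print(json.dumps(patched["optionalClaims"], indent=2))
    print("before:", where_is_claim(SAMPLE_ID_TOKEN, SAMPLE_ACCESS_TOKEN_BEFORE, CLAIM_NAME))
    print("after: ", where_is_claim(SAMPLE_ID_TOKEN, SAMPLE_ACCESS_TOKEN_AFTER, CLAIM_NAME))
```

One caveat when applying the manifest change: the `accessToken` entry has to go into the manifest of the app registration that represents the web API (the resource whose identifier appears in the access token's `aud`), not the SPA's registration; the `idToken` entry belongs to the client app. And because `token_claims` does no validation, use it only to diagnose which token carries the claim; the API's real authorization path should read the claim from a validated principal.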

