4

I was just wondering if there is a way to add or specify custom claims to the Azure Ad OAuth2 JWT token via Azure Portal? Or is this only possible code side?

abatishchev
H4p7ic

2 Answers

1

As far as I know, Azure AD doesn't support issuing custom claims at present.

As a workaround, we can use the Azure AD Graph to add directory schema extensions. After that, we can use the Azure AD Graph to get the extension data and add the custom claim when the security token has been validated, like the code below:

app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        ClientId = clientId,
        Authority = authority,
        PostLogoutRedirectUri = postLogoutRedirectUri,
        Notifications = new OpenIdConnectAuthenticationNotifications
        {
            AuthenticationFailed = context =>
            {
                context.HandleResponse();
                context.Response.Redirect("/Error?message=" + context.Exception.Message);
                return Task.FromResult(0);
            },
            SecurityTokenValidated = context =>
            {
                // The token's signature has already been verified when this runs.
                // You can use the Azure AD Graph to read the custom data extension here and add it
                // to the claims; the claim is added to the local identity, not to the token itself.
                context.AuthenticationTicket.Identity.AddClaim(new System.Security.Claims.Claim("AddByMe", "test"));
                return Task.FromResult(0);
            }
        }
    });

In addition, if you have any ideas or feedback about Azure, you can submit them from here.

Fei Xue
  • Ok, I understand, that can maybe be an option for me. But what I am looking for is to include a deviceID claim in the JWT token issued by Azure AD, and I found some information about it here: https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/azure-active-directory-integration-with-mdm under the topics "Terms of Use protocol semantics" and "Management protocol with Azure AD". Is this only applicable for a BYOD subscription or am I misunderstanding this? @FeiXue Thanks for the answer btw :) – H4p7ic Feb 27 '17 at 13:25
  • @John Thanks for sharing the answer with us. I suggest that you compose a post and mark it as answer so that others who have the same issue could recognize it easily and could benefit from it:) – Fei Xue Feb 28 '17 at 01:28
  • Sorry, maybe I was a bit unclear in my question above. I hadn't found the solution, I was simply asking in reference to the link above: Am I able to include device-id in the claims of the bearer token, or is this only possible in a BYOD subscription? Best Wishes. :) – H4p7ic Feb 28 '17 at 21:54
  • Sorry for the confusion. I suggest that you open a new thread about MDM since I am not familiar with it. – Fei Xue Mar 01 '17 at 06:45
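An added example (not code from the answer above or from Microsoft) that makes the workaround's limitation concrete: a claim added in SecurityTokenValidated lives in the application's own identity, while the token Azure AD signed stays unchanged, and a claim appended to the token's payload without the issuer's signature fails validation. It assumes an HS256 shared key as an offline stand-in for Azure AD's RS256 signing key, and a lookup_extension callback standing in for the Azure AD Graph query.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, key: bytes) -> str:
    # Constructed HS256 token standing in for the Azure AD-issued JWT (Azure AD uses RS256;
    # HS256 is an assumption so the example runs offline with a single shared key).
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_token(token: str, key: bytes) -> dict:
    # Returns the claims only if the signature covers them exactly; raises otherwise.
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("invalid signature")
    return json.loads(_b64url_decode(payload))


def build_identity(token: str, key: bytes, lookup_extension) -> dict:
    # Mirrors the SecurityTokenValidated step: issuer claims come from the validated token;
    # the app-added claim (the directory extension value) is attached to the local identity
    # and kept under a separate key so it is never mistaken for an Azure AD-issued claim.
    issuer_claims = validate_token(token, key)
    identity = {"claims": dict(issuer_claims), "local_claims": {}}
    ext = lookup_extension(issuer_claims.get("oid"))  # hypothetical Graph lookup
    if ext is not None:
        identity["local_claims"]["AddByMe"] = ext
    return identity


def token_with_unsigned_claim(token: str, name: str, value: str) -> str:
    # Appends a claim to the payload without the issuer re-signing it, which is what
    # "adding a claim to the token" amounts to when you are not the issuer.
    header, payload, sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    claims[name] = value
    return f"{header}.{_b64url(json.dumps(claims).encode())}.{sig}"
```

The relying party sees "AddByMe" only in its local identity; any downstream API that validates the Azure AD token itself will never see that claim.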
0

I believe that you could get an example of how to set additional claims (Role claims, for instance) by reading the "How to run the sample as a single-tenant app" part of the "Authorization in a web app using Azure AD application roles & role claims" Azure AD sample. This requires editing the Azure AD application manifest to add application roles, then assigning different roles to different users in the directory.

Jean-Marc Prieur
  • Well, I don't think it is valid to say "custom" in the context of Role claims. As for literally **custom** claims - that is not possible to achieve. – user7567234 Feb 26 '17 at 08:55