Reputation: 1913
I was just wondering if there is a way to add or specify custom claims to the Azure AD OAuth2 JWT token via the Azure Portal? Or is this only possible code side?
Upvotes: 4
Views: 2702
Reputation: 14649
As far as I know, Azure AD doesn't support issuing custom claims at present.
As a workaround, we can use the Azure AD Graph to add directory schema extensions. After that, we can use the Azure AD Graph to read the extension data and add the custom claim when the security token is validated, as in the code below:
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

// Inside Startup.ConfigureAuth(IAppBuilder app); clientId, authority and
// postLogoutRedirectUri are read from configuration elsewhere in the app.
app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        ClientId = clientId,
        Authority = authority,
        PostLogoutRedirectUri = postLogoutRedirectUri,
        Notifications = new OpenIdConnectAuthenticationNotifications
        {
            AuthenticationFailed = context =>
            {
                // Suppress the default error handling and send the user to an error page
                context.HandleResponse();
                context.Response.Redirect("/Error?message=" + context.Exception.Message);
                return Task.FromResult(0);
            },
            SecurityTokenValidated = context =>
            {
                // The token signature and issuer have already been validated here;
                // you can use the Azure AD Graph to read the custom data extension
                // and add it to the claims of the signed-in identity
                context.AuthenticationTicket.Identity.AddClaim(new Claim("AddByMe", "test"));
                return Task.FromResult(0);
            }
        }
    });
In addition, if you have any ideas or feedback about Azure, you can submit them here.
Upvotes: 1
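The following is an added example, not code from the answer above or from Microsoft. It shows one way to structure the enrichment step that the answer's SecurityTokenValidated handler sketches: the directory lookup is keyed on the object id and tenant id claims that the middleware has already validated, and application-added claims are kept in a namespace of their own so they can never be confused with claims that arrived in the token. The lookup delegate stands in for the Azure AD Graph query; the in-memory directory, the claim namespace and the issuer name are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Added example: enrich a validated ClaimsIdentity with directory data.
public static class ClaimEnrichment
{
    // Claim types Azure AD emits in its tokens for the signed-in user and tenant.
    public const string ObjectIdClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    public const string TenantIdClaim = "http://schemas.microsoft.com/identity/claims/tenantid";

    // Placeholder namespace for application-added claims (assumption, not an Azure AD value).
    public const string CustomNamespace = "http://example.com/claims/";

    // Issuer recorded on every added claim so consumers can tell where it came from.
    public const string LocalIssuer = "LocalDirectoryLookup";

    // lookupExtensions(tenantId, objectId) returns the extension attributes for that user,
    // or null if none exist. Returns the number of claims added.
    public static int Enrich(ClaimsIdentity identity,
        Func<string, string, IDictionary<string, string>> lookupExtensions)
    {
        if (identity == null) throw new ArgumentNullException(nameof(identity));

        // Only use identifiers the middleware has already validated; fail closed otherwise.
        var oid = identity.FindFirst(ObjectIdClaim)?.Value;
        var tid = identity.FindFirst(TenantIdClaim)?.Value;
        if (string.IsNullOrEmpty(oid) || string.IsNullOrEmpty(tid))
            throw new InvalidOperationException("Validated identity lacks oid/tid claims; refusing to enrich.");

        // Discard anything in our namespace that did not come from our own lookup
        // (for example a claim of that type that was present in the incoming token).
        foreach (var stale in identity.FindAll(c => c.Type.StartsWith(CustomNamespace, StringComparison.Ordinal)).ToList())
            identity.RemoveClaim(stale);

        var extensions = lookupExtensions(tid, oid) ?? new Dictionary<string, string>();
        var added = 0;
        foreach (var kv in extensions)
        {
            if (string.IsNullOrWhiteSpace(kv.Value)) continue; // nothing to assert
            identity.AddClaim(new Claim(CustomNamespace + kv.Key, kv.Value, ClaimValueTypes.String, LocalIssuer));
            added++;
        }
        return added;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample directory: (tenant id, object id) -> extension attributes.
        var directory = new Dictionary<(string, string), IDictionary<string, string>>
        {
            [("tenant-1", "user-42")] = new Dictionary<string, string> { ["costCenter"] = "CC-7", ["region"] = "EU" }
        };

        // Constructed identity resembling what the middleware hands to SecurityTokenValidated.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimEnrichment.TenantIdClaim, "tenant-1"),
            new Claim(ClaimEnrichment.ObjectIdClaim, "user-42"),
            // A claim in our namespace that arrived in the token; Enrich discards it.
            new Claim(ClaimEnrichment.CustomNamespace + "costCenter", "CC-1"),
        }, "Federation");

        var count = ClaimEnrichment.Enrich(identity, (tid, oid) =>
            directory.TryGetValue((tid, oid), out var attrs) ? attrs : null);

        Console.WriteLine($"Added {count} claims:");
        foreach (var c in identity.Claims)
            Console.WriteLine($"{c.Type} = {c.Value} (issuer: {c.Issuer})");
    }
}
```

Inside the SecurityTokenValidated notification you would call `ClaimEnrichment.Enrich(context.AuthenticationTicket.Identity, ...)` with a delegate that performs the real Azure AD Graph query for the given tenant and object id. Note that claims added this way land in the application's own sign-in session (the cookie identity built from the ticket), not in the JWT that Azure AD issued, so an API that receives that token from this app will not see them.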
Reputation: 1651
I believe that you could get an example of how to set additional claims (role claims, for instance) by reading the "How to run the sample as a single-tenant app" part of the "Authorization in a web app using Azure AD application roles & role claims" Azure AD sample. This requires editing the Azure AD application manifest to add application roles, then assigning different roles to different users in the directory.
Upvotes: 0