Reputation: 188
Is it possible, while acquiring an access_token (Client Credentials grant), to instruct AAD to inject certain custom claims with certain values into the access_token being issued?
I need it to avoid sending extra context information to my service through such a "disconnected" means as an HTTP header, for instance. Instead, I want the token signed by AAD and containing everything AAD stamps into it by default, plus some small pieces of information controlled by the application acquiring the token. All this will help my service apply proper authorization once the token is received by the service.
Upvotes: 4
Views: 1537
Reputation: 690
I looked at the above, and I am clear that you are not looking for claims augmentation as it was described in the blog. As I understood it, you are looking for the right way to authorize your application using AAD tokens. If my understanding is correct, here is my answer.
It took me quite some time to remember how I did it before, and the caveat was the missing Graph permissions for:
Directory.AccessAsUser.All
Directory.Read.All
Directory.ReadWrite.All
Now let me type down the steps one by one, but pay less attention to the order; the order of these steps may not be correct, so just do the steps in any order you want.
Step 1: In AD, in App registrations, register your web application and copy the Client_ID.
Step 2: Go to Expose an API and add one or more scopes (this is what you are going to see as a claim and role in the token). Add the client's Client_ID.
Note: this is basically for two applications, one calling another, but in this example and your case, you have one web application that needs to authorize on itself.
Next: In API permissions, when needed, grant admin consent for the delegated permissions for Microsoft Graph:
Directory.AccessAsUser.All
Directory.Read.All
Directory.ReadWrite.All
Additionally: Give permission to the scope that you added.
Then: In App roles, add the application roles.
Then: In Enterprise applications, assign that role to the users or groups that you want to have access.
Finally: In the application configuration file, update the Client ID. You are done. I hope that was what you were looking for.
Upvotes: 1
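The answer above configures AAD so that the app roles assigned in Enterprise applications land in the token's `roles` claim; what it does not show is the receiving service's side. The following Python is an added example, written for this page and not taken from the original answer or from any Microsoft sample. It validates a v2.0 access token (signature, `aud`, `iss`/`tid`, `nbf`/`exp`) and then authorizes on `roles`. Every identifier in it is a placeholder: the tenant id, the `api://orders-service` app ID URI, the `Orders.Read` role and the caller's client id are assumptions, and the signature check is an injectable callable so that the offline fixture can use HS256 with a shared secret in place of AAD's RS256 keys, which a real service fetches from the tenant's JWKS and selects by the `kid` header.

```python
"""Authorize a client-credentials caller on the claims AAD stamps into a v2.0 access token.

Added example, not code from the original post. All tenant, app and role identifiers are
hypothetical, and HS256 with a shared secret stands in for AAD's RS256 signing keys.
"""
import base64
import hashlib
import hmac
import json
import time


class TokenRejected(Exception):
    """Raised when an access token fails signature or claim validation."""


def _b64url_decode(data: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_jwt(token: str):
    """Split a compact JWS into (header, payload, signing_input, signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("token is not a three-part compact JWS")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except ValueError as exc:  # bad base64 or bad JSON
        raise TokenRejected(f"malformed token: {exc}")
    return header, payload, f"{parts[0]}.{parts[1]}".encode("ascii"), signature


def validate_access_token(token, *, tenant_id, audiences, verify_signature, now=None, skew=60):
    """Return the payload of an AAD v2.0 access token after checking signature and core claims."""
    header, payload, signing_input, signature = parse_jwt(token)
    if not verify_signature(header, signing_input, signature):
        raise TokenRejected("signature check failed")
    now = time.time() if now is None else now
    if payload.get("aud") not in audiences:
        raise TokenRejected(f"unexpected audience {payload.get('aud')!r}")
    expected_iss = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    if payload.get("tid") != tenant_id or payload.get("iss") != expected_iss:
        raise TokenRejected("token not issued by the expected tenant")
    if payload.get("nbf", 0) > now + skew:
        raise TokenRejected("token not yet valid")
    if payload.get("exp", 0) <= now - skew:
        raise TokenRejected("token expired")
    return payload


def caller_has_role(payload, required_role):
    """App roles assigned to the calling service principal arrive in the `roles` claim."""
    return required_role in payload.get("roles", [])


# --- constructed test fixtures, not real AAD material --------------------------------
TEST_TENANT = "11111111-2222-3333-4444-555555555555"  # hypothetical tenant id
TEST_API_AUDIENCE = "api://orders-service"             # hypothetical app ID URI of the API
TEST_CALLER = "66666666-7777-8888-9999-000000000000"   # hypothetical client id of the caller
TEST_SECRET = b"offline-demo-secret"                   # stands in for the RS256 key


def make_test_token(roles, exp_offset=3600, now=None):
    """Mint an HS256 token with the claim shape of an AAD client-credentials token (offline only)."""
    now = time.time() if now is None else now
    header = {"typ": "JWT", "alg": "HS256"}
    payload = {
        "aud": TEST_API_AUDIENCE,
        "iss": f"https://login.microsoftonline.com/{TEST_TENANT}/v2.0",
        "tid": TEST_TENANT,
        "azp": TEST_CALLER,               # the app that acquired the token
        "nbf": int(now), "exp": int(now + exp_offset),
        "roles": list(roles),             # what the App roles assignment produces
    }
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(payload).encode()))
    sig = hmac.new(TEST_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_test_signature(header, signing_input, signature):
    # Offline stand-in: a real service resolves header["kid"] against the tenant JWKS, RS256.
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(TEST_SECRET, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def authorize_request(token, required_role="Orders.Read", now=None):
    """Service-side decision for one call: True only if the token is valid and carries the role."""
    try:
        payload = validate_access_token(token, tenant_id=TEST_TENANT, audiences={TEST_API_AUDIENCE},
                                        verify_signature=verify_test_signature, now=now)
    except TokenRejected:
        return False
    return caller_has_role(payload, required_role)


if __name__ == "__main__":
    print(authorize_request(make_test_token(["Orders.Read"])))                     # True
    print(authorize_request(make_test_token([])))                                  # False, no role
    print(authorize_request(make_test_token(["Orders.Read"], exp_offset=-7200)))   # False, expired
```

Two details worth keeping in mind when wiring this to a real tenant: a token issued through the client credentials grant identifies the caller in `azp` (or `appid` on v1.0 tokens) and carries `roles`, not `scp`; `scp` only appears in delegated-permission tokens, which is why the authorization decision above looks at `roles` alone. The fixture in the block also shows the failure the signature check exists for: splicing a payload that claims `Orders.Read` onto another token's signature must be rejected before any claim is trusted.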