Reputation: 3105
I have a basic Azure AD App Registration. This is a non-interactive client, i.e. a console/machine client with a secret and no redirect URI. I would also like this to work for interactive clients, however.
How can I add a claim to my token called "hello": "world"?
Upvotes: 0
Views: 1678
Reputation: 22442
To add a custom claim like "hello": "world" to the token, you can create a claims mapping policy using PowerShell.
1) Make sure you have the AzureADPreview module installed before running the commands below.
# Sign in to the tenant with the AzureADPreview cmdlets
Connect-AzureAD
# Create the policy. The definition is a single-quoted JSON string, so it may span several lines;
# "Source":"user" + "ID":"extensionattribute1" reads the user's extensionAttribute1 and emits it as the JWT claim "hello"
New-AzureADPolicy -Definition @('
{
  "ClaimsMappingPolicy":
  {
    "Version":1,"IncludeBasicClaimSet":"true",
    "ClaimsSchema": [{"Source":"user","ID":"extensionattribute1","SamlClaimType":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/hello","JwtClaimType":"hello"}]
  }
}') -DisplayName "HelloExtraClaim" -Type "ClaimsMappingPolicy"
2) Note the ID of the policy and assign it to your service principal using the command below:
# serviceprincipal_ObjectID is the Object ID of the enterprise application (service principal);
# policy_ID is the Id returned by New-AzureADPolicy
Add-AzureADServicePrincipalPolicy -Id serviceprincipal_ObjectID -RefObjectId policy_ID
3) To confirm whether the policy is assigned, run the command below:
# Lists the policies attached to the service principal; the new policy's Id should appear
Get-AzureADServicePrincipalPolicy -Id serviceprincipal_ObjectID
4) To assign a value to that claim, sign in to Microsoft Graph Explorer as an admin and run the query below:
PATCH https://graph.microsoft.com/beta/me
{
"onPremisesExtensionAttributes":
{
"extensionAttribute1": "world"
}
}
5) Make sure to set "acceptMappedClaims": true in the app's manifest, like below:
Go to Azure Portal -> Azure Active Directory -> App registrations -> Your App -> Manifest
6) Go to the Expose an API tab and set the Application ID URI to your domain.
7) Generate a token for your application by signing in with an admin account.
After decoding the above ID token in jwt.ms, I got the claim "hello": "world" successfully.
Credits: How to add custom user defined claims to azure ad token | GitHub by TiagoBrenck
Upvotes: 1
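As an added end-to-end example (not code from the answer above, and not from the credited GitHub repository), here are the seven steps as one PowerShell script. It keeps the answer's AzureADPreview cmdlets for the policy and its assignment, and uses Invoke-MgGraphRequest from the Microsoft Graph PowerShell SDK for the two changes the answer makes from Graph Explorer and the portal (the user's extensionAttribute1 and the app's acceptMappedClaims / Application ID URI). The parameters $AppId, $Upn, $IdentifierUri, the policy name and the Get-JwtClaim helper are assumptions made for this example, not names from the page.

```powershell
# Added example, not code from the answer: the seven steps above as one script.
# Assumptions (hypothetical, not on the page): $AppId is the Application (client) ID of the
# registration, $Upn the user whose extensionAttribute1 becomes the "hello" claim, and
# $IdentifierUri an Application ID URI on a domain verified in the tenant. Run as an admin.
param(
    [Parameter(Mandatory)][string]$AppId,
    [Parameter(Mandatory)][string]$Upn,
    [Parameter(Mandatory)][string]$IdentifierUri,   # e.g. https://<verified-domain>/hello-api
    [string]$PolicyName = 'HelloExtraClaim'
)

Import-Module AzureADPreview -ErrorAction Stop
Connect-AzureAD | Out-Null
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Application.ReadWrite.All' | Out-Null

# Step 1: the claims mapping policy. A single-quoted here-string keeps the JSON verbatim.
$definition = @'
{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true",
 "ClaimsSchema":[{"Source":"user","ID":"extensionattribute1",
  "SamlClaimType":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/hello",
  "JwtClaimType":"hello"}]}}
'@
# Reuse a policy with this display name rather than creating a duplicate on every run.
$policy = Get-AzureADPolicy |
    Where-Object { $_.Type -eq 'ClaimsMappingPolicy' -and $_.DisplayName -eq $PolicyName }
if (-not $policy) {
    $policy = New-AzureADPolicy -Definition @($definition) -DisplayName $PolicyName -Type 'ClaimsMappingPolicy'
}

# Steps 2-3: resolve the service principal from the client ID, attach the policy, verify.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal for appId $AppId; create the enterprise application first" }
$attached = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId
if (-not ($attached | Where-Object Id -eq $policy.Id)) {
    Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
}
if (-not (Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId | Where-Object Id -eq $policy.Id)) {
    throw "Policy $($policy.Id) is not attached to service principal $($sp.ObjectId)"
}

# Step 4: the attribute the claim is sourced from (the answer's PATCH, for a named user).
Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/beta/users/$Upn" `
    -Body @{ onPremisesExtensionAttributes = @{ extensionAttribute1 = 'world' } }

# Steps 5-6: acceptMappedClaims in the manifest and an Application ID URI on your domain.
$app = Get-AzureADApplication -Filter "appId eq '$AppId'"
Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/applications/$($app.ObjectId)" `
    -Body @{ api = @{ acceptMappedClaims = $true }; identifierUris = @($IdentifierUri) }

# Step 7 helper (hypothetical name): read a claim out of a token locally instead of pasting it
# into jwt.ms. This only base64url-decodes the payload; it does not validate the signature,
# issuer or audience, so use it for inspection, never as a trust decision.
function Get-JwtClaim {
    param([Parameter(Mandatory)][string]$Token, [Parameter(Mandatory)][string]$Name)
    $payload = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    $payload += '=' * ((4 - $payload.Length % 4) % 4)          # restore base64 padding
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return ($json | ConvertFrom-Json).$Name
}
# After signing in as $Upn and obtaining an ID token:
#   Get-JwtClaim -Token $idToken -Name 'hello'
```

Two caveats a practitioner should keep in mind. The policy's "Source":"user" reads the claim value from the signed-in user, so it appears in ID and access tokens issued for a user sign-in (the path the answer demonstrates); a token obtained with the client credentials grant has no user, so the questioner's non-interactive client will not see a user-sourced "hello" claim this way. And a mapped claim is still just data in the token: the API that consumes it must validate the token's signature, issuer and audience before acting on it, which is exactly why the app has to opt in with acceptMappedClaims.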