Entra ID | Custom Claim Provider Token

Florian Gruber 0 Reputation points
2024-01-12T07:15:47.47+00:00

Hello everyone,
I am trying to set up a custom claim provider with the following instructions so that I can enrich the tokens for an app with additional information.
Instructions: https://learn.microsoft.com/en-us/entra/identity-platform/custom-extension-get-started
I would like to set this up for a multi-tenant app.

I set the app to multi-tenant and went through the instructions 1:1.
The Azure function returns the JSON by default without any processing, so that an error source is excluded.
All other things are according to the instructions.
Now, however, if you log in with an external tenant account, the JWT is generated, but without the custom claims.
When I log in with an account from the origin tenant, I get the error message "non-retryable error has occurred".
In the application details in Entra, the application shows that it has failed due to error message 1003006 (CustomExtensionInvalidResponseContentType). The Azure function responds with the following JSON:

{
  "data": {
    "@odata.type": "microsoft.graph.onTokenIssuanceStartResponseData",
    "actions": [
      {
        "@odata.type": "microsoft.graph.tokenIssuanceStart.provideClaimsForToken",
        "claims": {
          "DateOfBirth": "01/01/2000",
          "ApiVersion": "1.0.0",
          "CustomRoles": ["Writer", "Editor"]
        }
      }
    ]
  }
}

Now I am wondering why the claim provider is apparently only called for the origin tenant, causing an error there, and why a JWT is received when logging in with an external tenant account while the claim provider is apparently not called, because the claims are missing.

Thank you!


1 answer

  1. James Hamil 21,776 Reputation points Microsoft Employee
    2024-01-17T19:46:53.0033333+00:00

    Hi @Florian Gruber, it seems like there might be an issue with the configuration of your custom claim provider. Make sure that you have registered your custom claim provider correctly in Azure AD. You can do this by following the instructions in the link you provided.

    Ensure that your custom claim provider is returning the correct response format. The response should be in the format of a JSON object with an array of actions. Each action should be an object with a type and a set of claims.

    It's also possible that there may be an issue with the permissions of the user account you are using to test the custom claim provider. Make sure that the user account has the necessary permissions to access the custom claim provider.

    For the origin tenant, it's possible that there may be an issue with the configuration of the custom claim provider for that tenant. You may want to double-check the configuration and ensure that it is set up correctly.

    If you are still having issues, you may want to check the logs of your custom claim provider to see if there are any errors or issues that are being logged. This can help you identify the root cause of the issue. If you're still having issues please let me know and I can open a support ticket for you.

    Please let me know if you have any questions and I can help you further. If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James

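Since error 1003006 is reported as CustomExtensionInvalidResponseContentType, a quick way to verify both the Content-Type header and the response shape the answer describes is to run the function's output through a local check. The following is an added example in JavaScript (not the poster's function and not the Microsoft sample); the claim values are the ones from the question, and the `{status, headers, body}` layout of the response object is an assumption about the hosting glue, not an Azure Functions API.

```javascript
// Added example: build and check an onTokenIssuanceStart response for an
// Entra custom claims provider. The response object layout is an assumption.
const RESPONSE_TYPE = "microsoft.graph.onTokenIssuanceStartResponseData";
const ACTION_TYPE = "microsoft.graph.tokenIssuanceStart.provideClaimsForToken";

// Build the HTTP response: JSON body plus an explicit application/json
// Content-Type header. Error 1003006 is about the content type, so a body
// that is correct JSON still fails if the header says text/plain.
function buildTokenIssuanceResponse(claims) {
  const body = {
    data: {
      "@odata.type": RESPONSE_TYPE,
      actions: [{ "@odata.type": ACTION_TYPE, claims }],
    },
  };
  return {
    status: 200,
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(body),
  };
}

// Check a response before deploying: content type, valid JSON, the expected
// @odata.type values, and a non-empty actions array whose entries carry a
// claims object. Returns a list of problems; an empty list means it passes.
function checkTokenIssuanceResponse(response) {
  const problems = [];
  const ct = response.headers["Content-Type"] || response.headers["content-type"] || "";
  if (!ct.toLowerCase().startsWith("application/json")) {
    problems.push(`Content-Type is "${ct}", expected application/json`);
  }
  let parsed;
  try { parsed = JSON.parse(response.body); } catch (e) { return [...problems, "body is not valid JSON"]; }
  const data = parsed && parsed.data;
  if (!data || data["@odata.type"] !== RESPONSE_TYPE) problems.push("data.@odata.type is not " + RESPONSE_TYPE);
  if (!data || !Array.isArray(data.actions) || data.actions.length === 0) {
    problems.push("data.actions must be a non-empty array");
    return problems;
  }
  data.actions.forEach((a, i) => {
    if (a["@odata.type"] !== ACTION_TYPE) problems.push(`actions[${i}].@odata.type is not ${ACTION_TYPE}`);
    if (typeof a.claims !== "object" || a.claims === null) problems.push(`actions[${i}].claims must be an object`);
  });
  return problems;
}

// Constructed sample using the claim values from the question.
const sampleClaims = { DateOfBirth: "01/01/2000", ApiVersion: "1.0.0", CustomRoles: ["Writer", "Editor"] };
```

Running `checkTokenIssuanceResponse(buildTokenIssuanceResponse(sampleClaims))` yields no problems, while the same body sent with a `text/plain` header is flagged on the content type alone.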