Customize your authentication flows with custom claims providers!
Howdy folks,
I’m super excited to announce the public preview of custom claims providers for Azure Active Directory (Azure AD), now part of Microsoft Entra.
A custom claims provider lets you call an API and map custom claims into the token during the authentication flow. The API call is made after the user has completed all their authentication challenges, and a token is about to be issued to the app.
We heard from many of you that you need to return additional claims into the tokens sent to your apps so that they could function as intended. And these claims were being sourced from external systems, for a few reasons:
- You needed to keep sensitive attributes on premises and use Active Directory Federation Services, or other federation services to pass through claims to Azure AD.
- Regulatory requirements prevented you from being able to synchronize these attributes to Azure AD.
- You have complex RBAC models which are stored in external databases.
- You don’t own the app or cannot modify the app to fetch these attributes post authentication.
Now, with custom claims providers, you can source claims from external systems and issue them directly into the token. It allows interfacing with any data store, LDAP, SQL or anything else. A custom claims provider can be setup for your Open ID and SAML apps, and it works in scenarios to authenticate employees, and external identities.
Let’s show you how you can set this up for Contoso’s HR app. In this scenario, Contoso are looking to decouple their HR app from Active Directory Federation Services, and authenticate directly with Azure AD. The HR app expects the user’s employee number to be returned in the token, which is stored in an on-premises Active Directory.
Contoso can configure a custom claims provider to fetch this data and insert it into the token during authentication. Let’s begin setting it up for Contoso’s Azure AD.
In the Enterprise applications menu, the Contoso Admin selects Custom authentication extensions, and then selects Create a custom extension.
They then select TokenIssuanceEvent and select Next.
The admin enters a Name, the API endpoint, and Description for Contoso’s API, and selects Next. The API endpoint would communicate with Active Directory using an LDAP search to fetch the user’s employee number.
Next, the Contoso admin can configure how the custom extension will authenticate to their API. They will select Create new app registration, provide a Name, and select Next. We will use client credentials to authenticate to Contoso’s API. Since Contoso hosts their API using an Azure Functions app, this app registration will be used to protect it automatically.
Then, they configure the attribute name returned by the API to the custom extension. Contoso’s API will return the attribute employeeName. The admin enters employeeName under Claim name, and selects Next.
Now let’s map in the claim for the HR App Registration using the custom claims provider. The Contoso admin navigates to the Enterprise Applications menu, selects their App, selects Single sign-on, and then selects Edit under Attributes and Claims.
The Contoso admin then needs to create a claims mapping to source the employee number from the custom extension by configuring a custom claims provider.
They expand the Advanced menu, and select Configure.
The admin selects Custom claims provider and selects the custom extension that was created earlier, then selects Save.
Finally, the admin selects Add new claim and enters a Name for the claim to be issued into the token. They will then select Attributes under Source, and select the Source Attribute, which will be in the format: customClaimsProvider.attributeName. Then select Save.
Now that’s all done, when a user completes their sign in into the Contoso HR app, the custom extension will be triggered, and the custom claims provider will use the custom extension to add the employee number into the token.
Here’s a diagram showing the flow.
There is a more in-depth video tutorial you can find below: https://youtu.be/BYOMshjlwbc
Custom claims providers is just the first use of a custom extension. We’ll continue to release additional custom extension events, so you can customize your authentication flows even more.
You can read more about custom extensions here and about custom claims providers here. Get started with setting up a custom claims provider here.
As always, we'd love to hear your feedback, thoughts, and suggestions! Feel free to share with us on the Azure AD forum or leave comments below. We look forward to hearing from you.
Best regards,
Alex Simons (@Alex_A_Simons)
Corporate VP of Program Management
Microsoft Identity Division
Learn more about Microsoft identity:
- Related Articles:
- Return to the Azure Active Directory Identity blog home
- Join the conversation on Twitter and LinkedIn
- Share product suggestions on the Azure Feedback Forum
Published on:
Learn moreRelated posts
The Best Way to Learn Power Apps, Power Automate & Microsoft Copilot in 2026
Looking for the best live training to master the Microsoft Power Platform? PowerApps911's live, Microsoft MVP-led courses are designed to help...
Power Automate: convertToUtc function
Converts a timestamp from a source time zone to UTC using Windows time zone names.
Batch Operations and Throttling Mitigation in Power Automate
Bundle hundreds of SharePoint writes into a single $batch request to stop hitting throttling limits.
Extending Power Automate Run History Beyond 28 Days Using Cloud Flow Run Metadata
Power Automate has become the backbone for many business processes, integrations, and automation scenarios across the Power Platform ecosystem...
Power Automate – Restore accidentally deleted flows
We are announcing the ability to restore accidentally deleted flows in Power Automate. This feature will reach general availability on July 30...
Power Automate – Review Firewall Configuration for Upcoming Platform Infrastructure Updates
We identified that one or more flows in your environment may be affected by existing firewall or IP allow list configurations. What action do ...
Power Automate – Export work queue items to CSV
We are announcing the ability to export work queue items to CSV in Power Automate. This feature will reach general availability on July 31, 20...
Power Automate – UI automation repair agent
We are announcing the UI automation repair agent in Power Automate. This feature will reach public preview on July 16, 2026. How does this aff...
Power Automate – View machine and flow utilization in dashboards
We are announcing the ability to view machine and flow utilization in dashboards in Power Automate. This feature will reach general availabili...
Power Automate – Build better forms with integrated Power Apps
We are announcing the ability to launch interactive Power Apps directly from desktop flows within Power Automate. This feature will reach gene...