
I want to have an extra claim, say "mygroupsrmm", in my JWT token, which I want to view after decoding the token. I am trying to add custom claims to the JWT token that I will receive after authentication using the OAuth2 flow. I've already modified the application manifest of the registered AAD app with

"acceptMappedClaims": true

and followed the steps below:

//Step1 - Created custom policy

New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true","ClaimsSchema":[{"Source":"user","ID":"extensionattribute2","SamlClaimType":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/rmmgname","JwtClaimType":"mygroupsrmm"}]} }') -DisplayName "MyGroupsRMMExtraClaims" -Type "ClaimsMappingPolicy"

//Step2 - assigned policy to my AAD registered app

$appID = <>
$sp = Get-AzureADServicePrincipal -Filter "servicePrincipalNames/any(n: n eq '$appID')"
$policyId = <>
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policyId

Both steps above were successful, so I went ahead with the authentication calls.

//Step3 : GET /authorize API call

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id=my-application-id-registered-in-AAD&redirect_uri=http://localhost:3000/callback&scope=openid%20profile%20email%20offline_access%20User.Read%20Files.Read

From this step, an authorization code is received, which is passed on to the /token API call.

//Step4: POST /token call

POST https://login.microsoftonline.com/common/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code
&client_id=<<my-application-id-registered-in-AAD>>
&client_secret=<<client-secret-value-here>>
&code=<<code-received-from-step3>>
&redirect_uri=http://localhost:3000/callback

The above call is executed successfully and returns both access_token and id_token, but after decoding the token I'm unable to view my added custom claim, i.e. "mygroupsrmm" (I viewed the decoded token through jwt.io).

On checking my user details in Graph Explorer, "extensionattribute2" is null, so for this key field I tried updating the value using

//Step5: Navigate to Microsoft Graph Explorer and execute the call

PATCH https://graph.microsoft.com/beta/me
body
{
    "onPremisesExtensionAttributes": {
        "extensionAttribute2": "myrmm-g2"
    }
}

The above call throws

"Forbidden - 403 - 492ms. You need to consent to the permissions on the Modify permissions (Preview) tab"

while on viewing "Modify permissions (Preview)", all the required permissions, i.e. User.ManageIdentities.All, User.ReadWrite.All, User.ReadWrite, Directory.ReadWrite.All and Directory.AccessAsUser.All, are already granted (consented).

//response
{
    "error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
        "innerError": {
            "date": "2021-02-23T12:08:05",
            "request-id": "06ddd00b-db0f-4a7c-ae03-471763139939",
            "client-request-id": "c07843cf-89d4-10a7-89fa-f3b71445bc1f"
        }
    }
}

Authorization token used for above request contains below consented permissions/scopes

"scp": "Directory.AccessAsUser.All Directory.Read.All Directory.ReadWrite.All OnlineMeetings.ReadWrite openid profile User.ManageIdentities.All User.Read User.Read.All User.ReadBasic.All User.ReadWrite User.ReadWrite.All email"

Since the above request failed, I tried modifying another user object key value, i.e. jobTitle, to check the user update response:

PATCH https://graph.microsoft.com/beta/me
{ "jobTitle" : "sr.mts"}

This call too throws a 403 error with code Authorization_RequestDenied.

I would like to know what specific permission is required to set values for the above keys, i.e. jobTitle or extensionAttribute2, so that I can view the custom claim key-value in the decoded JWT token. Any sort of assistance will be greatly appreciated.

  • Are you an administrator? Commented Feb 23, 2021 at 13:42
  • No, I'm not an administrator, but my admin has given consent for all the required permissions, i.e. User.ManageIdentities.All, User.ReadWrite.All, User.ReadWrite, Directory.ReadWrite.All, Directory.AccessAsUser.All Commented Feb 23, 2021 at 13:52
  • You must be an administrator to modify this attribute. I have tested it just now. Commented Feb 23, 2021 at 13:57
  • Alright let me ask the admin to modify this attribute and check again Commented Feb 23, 2021 at 14:00
  • Okay, try to grant your user the global administrator role. Commented Feb 23, 2021 at 14:03

1 Answer

You must be an administrator to modify this attribute. I have tested it just now.


Update: After assigning the Directory Writers role to the AAD user, the above issue is fixed. See here for the successful calls.


7 Comments

Hi @Carl, thank you for your response. Can you check once with this: {"onPremisesExtensionAttributes": {"extensionAttribute2": "myrmm-g2"}}
@AmritPalSingh I tried it with {"onPremisesExtensionAttributes":{"extensionAttribute2":"myrmm-g2"}} as the request body, and it returned 400 to me. i.sstatic.net/1rfBh.png. I'm not sure if you can change the onPremisesExtensionAttributes attribute because I don't see it in the request body of the api document of the Update user.
@AmritPalSingh Did you try to grant the user the administrator role and then test it? How is the result?
I've tried same request, but it returned 405 to me (imgur.com/a/n6yJBSC)
@AmritPalSingh This is very strange, I did not encounter this error, is your account a work or school account? Try using other api tools such as postman.
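The question checked the tokens from Step 4 by pasting them into jwt.io. Pasting a live access token or id_token into a third-party site hands it to that site, so a practitioner would rather inspect the token locally. The block below is an added example, not code from the question or the answer: it splits a compact JWT, base64url-decodes header and payload without verifying the signature (inspection only, never an authorization decision), and reports whether the expected mapped claim "mygroupsrmm" is present, together with two sanity checks that matter for this scenario: the token version and whether the audience is your own client id, since a claims mapping policy assigned to your app's service principal applies to tokens issued for your app (such as the id_token), not to an access token issued for Microsoft Graph. The client id, the kid value and the sample payload are constructed placeholders; the sample mirrors the post's situation, where the source attribute was still null and the mapped claim was therefore absent.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the padding that JWS strips."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> tuple[dict, dict]:
    """Return (header, payload) of a compact JWS WITHOUT verifying the signature.

    This is for inspecting what the issuer put in the token. Never make an
    authorization decision on a payload decoded this way.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def inspect_claims(token: str, expected_claims: list[str], client_id: str) -> dict:
    """Report which expected (mapped) claims are present plus a few sanity checks.

    aud_matches_client is False when you are looking at a token issued for another
    resource (e.g. a Graph access token); a policy on your own app's service
    principal does not shape that token.
    """
    header, payload = decode_jwt(token)
    present = {c: payload[c] for c in expected_claims if c in payload}
    missing = [c for c in expected_claims if c not in payload]
    return {
        "alg": header.get("alg"),
        "ver": payload.get("ver"),
        "aud_matches_client": payload.get("aud") == client_id,
        "scopes": payload.get("scp", "").split(),
        "present": present,
        "missing": missing,
    }


def make_sample_token(payload: dict) -> str:
    """Build a constructed, unsigned sample token in JWS compact form (demo only)."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}  # placeholder kid
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        "c2lnbmF0dXJlLXBsYWNlaG9sZGVy",  # placeholder, not a real signature
    ])


# Assumed placeholder client id (the question redacts the real one).
CLIENT_ID = "00000000-0000-0000-0000-000000000000"

# Constructed payload mirroring the post: basic claim set present, mapped claim
# absent because the source attribute (extensionattribute2) was still null.
SAMPLE_PAYLOAD = {
    "aud": CLIENT_ID,
    "ver": "2.0",
    "scp": "openid profile email User.Read",
    "preferred_username": "user@example.com",
}

if __name__ == "__main__":
    report = inspect_claims(make_sample_token(SAMPLE_PAYLOAD), ["mygroupsrmm"], CLIENT_ID)
    print(json.dumps(report, indent=2))
```

To use it on a real token, call inspect_claims with the id_token string from the Step 4 response and your application id; a non-empty "missing" list with aud_matches_client True points at the mapping itself (policy assignment or an empty source attribute), while aud_matches_client False means you decoded a token that was issued for a different resource.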
