When using Custom Domain , is there a claim that will reflect the custom domain the identity is assigned?

Question

When using Custom Domain , is there a claim that will reflect the custom domain the identity is assigned?

Martin Kallukalam 365

Scenario:
I have 3 custom domains

domain1

domain2

domain3

Is there a way to get the domainname as a claim in id token and access token when a user gets a token using interactive login (auth code grant flow)

Martin Kallukalam 365 Reputation points

2025-04-17T19:45:32.66+00:00

fyi. I understand domain name comes as part of the unique name/upn but I am looking at ways where the claim is explicit like the realm claim in oidc
Sanoop M 2,835 Reputation points Microsoft External Staff Moderator

2025-04-22T12:11:32.2933333+00:00

Hello @Martin Kallukalam,

I am following up to check whether if you had a chance to review my below answer and please let me know if you have any queries.

I will be happy in answering to your queries.
Sanoop M 2,835 Reputation points Microsoft External Staff Moderator

2025-04-23T08:56:44.97+00:00

Hello @Martin Kallukalam,

Since we didn't receive your response on my below answer, I am following up to check whether if you had a chance to review my below answer and please let me know if you have any queries.

I will be happy in answering to your queries.
Martin Kallukalam 365 Reputation points

2025-04-23T12:42:16.4066667+00:00

I did review the response and I do have couple of follow up Qs. I will post them shortly.
Sanoop M 2,835 Reputation points Microsoft External Staff Moderator

2025-04-25T05:07:02.9933333+00:00

Hello @Martin Kallukalam,

Thank you for your response.

Please post your queries here so that I can review it and answer your queries accordingly.
Sanoop M 2,835 Reputation points Microsoft External Staff Moderator

2025-04-28T03:25:15.5966667+00:00

Hello @Martin Kallukalam,

I am following up to check whether if you have any additional queries, please post your queries here so that I can look into it and answer your queries accordingly.
Rukmini 1,796 Reputation points Microsoft External Staff Moderator

2025-05-08T06:54:06.25+00:00
Hello @@Martin Kallukalam,

In Microsoft Entra ID, there is no built-in claim that explicitly returns the custom domain name (like domain1.com, domain2.com, etc.) as a standalone claim in the ID or access token by default—particularly when the user is cloud-only (i.e., created directly in Azure AD without federation).

Hence as a workaround you can extract Domain from UPN or create a custom extension attribute (via Microsoft Graph), assign the domain explicitly to the user, and then expose that claim in the token.

Workaround 1: Extract Domain from UPN

Configure UPN as optional claim:

Grant API permissions like below:

Generated access and ID tokens:

GET https://login.microsoftonline.com/organizations/oauth2/v2.0/token client_id: ClientID grant_type: authorization_code scope: api://xxx/domain.read openid redirect_uri: RedirectURl code: Code client_secret: Secret

And UPN will be displayed in tokens, and the domain can be extracted in your app logic using string manipulation and you can do this client-side or server-side:

For sample:

const upn = tokenClaims.upn || tokenClaims.preferred_username; const domain = upn?.split('@')[1];

Access Token:

In ID token also UPN will be displayed.

Workaround 2: Create a custom extension attribute, assign the domain explicitly to the user.

Create a custom extension attribute:

POST https://graph.microsoft.com/v1.0/applications/ObjectID/extensionProperties Content-Type: application/json { "name": "customDomain", "dataType": "String", "targetObjects": [ "User" ] }

Set the Custom Domain for Each User:

PATCH https://graph.microsoft.com/v1.0/users/UserId Content-Type: application/json { "extension_{appClientId}_customDomain": "domain1.com" }

Configure optional claims in Microsoft Entra ID application:

Generated tokens and now you custom claim extn.customDomain in the access and ID tokens:

Access Token

Hope this helps!

Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.
Rukmini 1,796 Reputation points Microsoft External Staff Moderator

2025-05-09T03:48:40.1266667+00:00

Hello @@Martin Kallukalam, Did you get a chance to verify my comment and let me know if its helpful?

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, please respond with more details and we will try to help.

1 answer

Your answer

Martin Kallukalam 365 Reputation points

2025-04-17T19:45:32.66+00:00

fyi. I understand domain name comes as part of the unique name/upn but I am looking at ways where the claim is explicit like the realm claim in oidc
Sanoop M 2,835 Reputation points Microsoft External Staff Moderator

2025-04-22T12:11:32.2933333+00:00

Hello @Martin Kallukalam,

I am following up to check whether if you had a chance to review my below answer and please let me know if you have any queries.

I will be happy in answering to your queries.
Sanoop M 2,835 Reputation points Microsoft External Staff Moderator

2025-04-23T08:56:44.97+00:00

Hello @Martin Kallukalam,

Since we didn't receive your response on my below answer, I am following up to check whether if you had a chance to review my below answer and please let me know if you have any queries.

I will be happy in answering to your queries.
Martin Kallukalam 365 Reputation points

2025-04-23T12:42:16.4066667+00:00

I did review the response and I do have couple of follow up Qs. I will post them shortly.
Sanoop M 2,835 Reputation points Microsoft External Staff Moderator

2025-04-25T05:07:02.9933333+00:00

Hello @Martin Kallukalam,

Thank you for your response.

Please post your queries here so that I can review it and answer your queries accordingly.
Sanoop M 2,835 Reputation points Microsoft External Staff Moderator

2025-04-28T03:25:15.5966667+00:00

Hello @Martin Kallukalam,

I am following up to check whether if you have any additional queries, please post your queries here so that I can look into it and answer your queries accordingly.
Rukmini 1,796 Reputation points Microsoft External Staff Moderator

2025-05-09T03:48:40.1266667+00:00

Hello @@Martin Kallukalam, Did you get a chance to verify my comment and let me know if its helpful?

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, please respond with more details and we will try to help.

Answer 1

Sanoop M 2,835 Microsoft External Staff Moderator

Hello @Martin Kallukalam,

Please note that we can pass email id, UPN, family_name, Onprem_sid, etc as a claim in ID token as well as Access token, but specifically we cannot pass the domain name as a claim in ID token and Access token.

Please note that the only way to get the domain names is to pass UPN/Email ID as Claims and get the domain name from that passed claims.

Please refer to the below documents to know in detail about Access tokens and ID tokens.

Access tokens in the Microsoft identity platform - Microsoft identity platform | Microsoft Learn

ID tokens in the Microsoft identity platform - Microsoft identity platform | Microsoft Learn

Tokens and claims overview - Microsoft identity platform | Microsoft Learn

I hope the above provided information is helpful. Please let me know if you have any additional queries.

Martin Kallukalam 365 Reputation points

2025-04-29T19:13:36.7333333+00:00
When you say get the domain name from the passed claims..do you mean extract the domain name from claim in the application code?

Or does Azure AD have a way to do that and include the domainname as a claim?

How about the attribute user.dnsdomainname
Sanoop M 2,835 Reputation points Microsoft External Staff Moderator

2025-05-06T13:28:49.73+00:00

Hello @Martin Kallukalam ,

Thank you for your response.

Yes the only way to get the domain name from the passed claims is to extract the domain names from the application code.

The user.dnsdomainname attribute typically refers to the domain name associated with the user's account in an On-Premises Active Directory. In authentication and authorization processes, particularly within federated identity solutions or Single Sign-On (SSO) setups, this attribute user.dnsdomainname can be passed in claims to identify the user's domain.

Below is the Screenshot of some of the attributes which can be passed in claims and their description. I have highlighted the description of the User.dnsdomainname attribute.

Please let me know if you have any other queries.
Martin Kallukalam 365 Reputation points

2025-05-06T18:03:58.68+00:00

If user.dnsdomainame is only reliable if the user gets authenticated via a federated system, how do I get the domain name when there is no federation, such as user identity is created on Azure AD and user is authenticating using those credential that exists on azure ad ?

Share via

When using Custom Domain , is there a claim that will reflect the custom domain the identity is assigned?

1 answer

Your answer