This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 30%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERG%3C/text%3E%3C/svg%3E)
Hi,
I've created a C# Azure Functions project using Visual Studio Code and successfully deployed it to my Function App. Then, I created a Custom Authentication Extension in Entra External ID for the TokenIssuanceStart event, using the Function URL as the endpoint and for api authentication i have created an app registration and assigned it the microsoft graph api app permission: CustomAuthenticationExtension.ReceivePayload.
The extension shows up correctly under External Identities → Custom authentication extensions, so it seems to have registered fine.
custom_authentication_extension_screen.jpeg
However, when I go into:
Click “When a user submits their information”
…the dropdown field to select an authentication extension is empty, and nothing shows up for me to choose.
userflow_customauthenticationselection_screen.jpeg
I’ve tried:
Logging out/in
Incognito mode
Deleting and recreating the extension from scratch
Still no luck. The extension exists and is visible in the main portal, but not selectable inside the user flow.
Any help or insights would be greatly appreciated, as i am unable to test my authenticatione xtnesion which is barring me from validating user migration working with the new functions project (code driven) vs custom policies.
Thanks in advance.
Ray
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 74%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
Hello @Ray Garg,
In the Custom Authentication Extension screenshot I see that the event defined is TokenIssuanceStart.
And under User flow “When a user submits their information” is being selected, if your User Flow is set to trigger for this option then you would need to define extension for the event "OnAttributeCollectionSubmit". Extensions configured for different events won't appear in the dropdown.
OnAttributeCollectionSubmit event occurs after the user enters and submits attributes.
OnTokenIssuanceStart event is triggered just before a token is issued to the application.
Kindly refer document: Concept-custom-extensions
If your user flow is set to trigger at “When a user submits their information” we would advise to configure extension for events OnAttributeCollectionStart and OnAttributeCollectionSubmit events. Please refer document : Custom-Authentication-extension-attribute-collection
@Jyotishree Moharana hello. are you saying that the OnTokenIssuanceStart event is automatically triggered every time for each of my user flows without e even selecting it for that user flow??? because i havent assigned the authentication extension OnTokenIssuanceStart to my user flow yet. im just wondering on how to assign it properly.
OnTokenIssuanceStart is triggered only after the user has completed all of the authentication challenges and when the token is about to be issued. This is triggered automatically when the token is about to be issued and the token will then contain a default set of claims. If there are some additional custom claims that you want to add to the token you can then configure the extension for the token issuance event.
To configure extension for this event you'll need to create a REST API and then configure claims provider.
Custom-extension-tokenissuancestart-setup-RESTAPI
Custom-extension-tokenissuance-configure-claim-provider
The dropdown inside User Flow will contain only those extensions which were defined for the corresponding event being selected in User Flow.
@Jyotishree Moharana i already have created a TokenIssuanceStart extension. i have an azure function project deployed as a function in my function app. i am using that function url as the endpoint url in the tokenissuance extension. now, i just wanted to know what claims were included in the token by default, and also, would groups and role (app roles, etc) claims be automatically included in the token by editing the app manifest of the app registration being used for api authentication by the tokenissuance extension? if so what needs to be edited in that manifest exactly so that app registratioon will include the group and role claims in the token automatically?
One final question i have is for azure ad b2c. right now ive been talking about entra external id, but when it comes to azure ad b2c, what is the way to emit group/app roles in the token, would my custom policy have to handle that?
Default claims in the token would be below:
sub: The unique identifier for the user.
iat: The time the token was issued.
exp: The expiration time of the token.
aud: The audience for the token.
iss: The issuer of the token.
preferred_username: The username or the email address of the user.
oid: The Object ID of the user in Azure AD.
upn: The User Principal Name.
acr: The authentication context class reference, indicating the level of authentication.
The group claim also does get included in the token by default given the number of groups is less than 200, if it exceeds 200 then by default Entra ID will not include group claims directly in the token because it could potentially be too large.
To include group and role claims in the token, you can add the below in the manifest.
"groupMembershipClaims": "All" // Options: None, All, SecurityGroup
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"displayName": "Admin",
"id": "guid-unique-id-here",
"isEnabled": true,
"description": "Administrator role",
"value": "Admin"
}
]
Do make sure that the app roles are properly defined under API permissions in the App Registration and the user has the appropriate role assigned.
Incase of Azure AD B2C, adding group and role claims is required to be taken care via custom policy. You can modify the TrustFrameworkExtensions.xml file to include group claims. You may use the <OutputClaim> element to extract group information and add it to the issued token.
<OutputClaim ClaimTypeReferenceId="groups" />
<OutputClaim ClaimTypeReferenceId="roles" />
Hello Ray,
Following up to check if the information provided was useful. If you have any further questions or queries, do let us know.
Hello Ray,
Following up to check if the information provided was useful. If you have any further questions or queries, do let us know.
@Jyotishree Moharana HI, sorry aboutthe delay in my esponse things got hectic with the RSA conference. can you please inform me for azure ad b2c, is there a specific technical profile to retrieve groups or app roles? becuase it would need to be retrieved from the users profile, and im not sure if groups and app roles are stored as regular attributes for users., where i can just include is an output claim in userreadusingobjectid and output the claims in this technical profile in the custom policy.
i also have an additional question im wondering if you can enforce the concept on for me. right now my approach is that i am pre migrating users with random passwords. all of my user profiles are stored in a json file in my migration code project. when i run pre migration, it will migrate all of the user objects inside the json one by one. right now i have an extension attribute assigned to each user profile in the json. now i tested for entra external id, where i created 3 groups in the external id tenant. when i run pre migration, my logic evaluated what the value of the extension attribute is, and based on that value assigns the user to the respective group out of the 3 groups. i believe i should be able to do this for azure ad b2c as well but please confirm if there are any additional details i need to know about. where would i create the app roles for azure ad b2c? is there any documentation for how to create app roles? and how can i achieve the logic, that once the users are assigned in certain groups, that specific app roles can be enforced for those users. i dont want to overwhelm and keep typing so ill say this much for now but if you ned me to go more into detail i will, once you understand what i need clarifications on
Azure AD B2C does not natively return groups or app roles in the token. The group and app role claims are not part of the user object returned by the standard Graph API endpoints used in B2C custom policies.
You'll need to query Microsoft Graph in a custom RESTful technical profile and retrieve the required details.
For Group memberships use: /users/{id}/memberOf
For App roles use: /users/{id}/appRoleAssignments
You can then add these as output claims to include in the token.
To create app roles in your apps.
In your B2C tenant, go to the app registration of the required app, go to app roles and create the role as required. Once created the app role can be assigned to users or groups through enterprise application. Once users are in groups, and those groups are assigned app roles, Entra ID will issue app roles in the token if the user is part of a group assigned the role.
Please refer document: Howto-add-app-roles-in-apps