There are 4 types of extension attributes:
- Extension attributes 1-15. These are a legacy carry-over from the on-prem extension attributes introduced by Exchange
- Directory extension (tied to an application, but can be consumed by other applications)
- Schema extension (tenant-wide)
- Open extension
Please see https://learn.microsoft.com/en-us/graph/extensibility-overview
How to include a "directory extension attribute" (type #2 above) in claims
- need to use the Graph API to create a claims mapping policy
- use the POST command and JSON body below for the Graph call
POST https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies
{
"definition": ["{\"ClaimsMappingPolicy\": {\"Version\":1,\"IncludeBasicClaimSet\":\"true\",\"ClaimsSchema\": [{\"Source\":\"user\",\"ID\":\"extension_hostingAppID_deviceID\",\"JwtClaimType\":\"deviceID\"}]}}"],
"displayName": "IncludeDeviceID",
"isOrganizationDefault": false
}
- Make a note of the returned policy ID for the steps that follow
- make a POST call as below to assign the policy to the consuming app
command: POST
https://graph.microsoft.com/v1.0/servicePrincipals/{id}/claimsMappingPolicies/$ref
where {id} is the objectID of the SPN (service principal) of the consuming app
Body
{"@odata.id": "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/{policyID}"} // where {policyID} is the policy ID returned by the first POST
- Pay attention to the different GUIDs used. In the policy itself, the appID (application/client ID) of the hosting app is used, with dashes removed; in the POST command, the objectID of the consuming app's service principal is used
- Last step, enable the app to accept custom claims
PATCH https://graph.microsoft.com/v1.0/applications/{objectID of app}
Content-type: application/json
{
"api": {
"acceptMappedClaims": true,
"requestedAccessTokenVersion": 2
}
}
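The three request bodies above, built and checked in Python. This is an added example, not code from the original notes or from Microsoft; the function names and the GUIDs in the comments are assumptions, and it builds the bodies only (sending them with an authenticated Graph client is left to the caller).

```python
import json
import re

GRAPH = "https://graph.microsoft.com/v1.0"
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def extension_attribute_name(hosting_app_id: str, attribute: str) -> str:
    """Directory extension names are extension_<appId without dashes>_<name>, where
    appId is the application (client) ID of the app that owns the extension."""
    if not GUID_RE.match(hosting_app_id):
        raise ValueError(f"hosting app ID must be a dashed GUID, got {hosting_app_id!r}")
    return f"extension_{hosting_app_id.replace('-', '')}_{attribute}"

def claims_mapping_policy_body(hosting_app_id, attribute, jwt_claim_type, display_name):
    """Body for POST /policies/claimsMappingPolicies. 'definition' is a list whose
    single element is the policy serialised as a JSON *string* (double encoding)."""
    policy = {"ClaimsMappingPolicy": {
        "Version": 1,
        "IncludeBasicClaimSet": "true",
        "ClaimsSchema": [{"Source": "user",
                          "ID": extension_attribute_name(hosting_app_id, attribute),
                          "JwtClaimType": jwt_claim_type}],
    }}
    return {"definition": [json.dumps(policy)],
            "displayName": display_name,
            "isOrganizationDefault": False}

def assignment_body(policy_id: str) -> dict:
    """Body for POST /servicePrincipals/{spObjectId}/claimsMappingPolicies/$ref."""
    return {"@odata.id": f"{GRAPH}/policies/claimsMappingPolicies/{policy_id}"}

def accept_mapped_claims_body() -> dict:
    """Body for PATCH /applications/{appObjectId}; mapped claims need v2 tokens."""
    return {"api": {"acceptMappedClaims": True, "requestedAccessTokenVersion": 2}}

def decode_policy_definition(body: dict) -> list:
    """Decode a claimsMappingPolicy (as built above or returned by GET) into
    (Source, ID, JwtClaimType) tuples, to audit what a tenant's policies put in tokens."""
    out = []
    for entry in body["definition"]:
        if not isinstance(entry, str):
            raise TypeError("definition entries must be JSON strings, not objects")
        schema = json.loads(entry)["ClaimsMappingPolicy"].get("ClaimsSchema", [])
        out.extend((c.get("Source"), c.get("ID"), c.get("JwtClaimType")) for c in schema)
    return out
```

decode_policy_definition also works on the object returned by GET /policies/claimsMappingPolicies/{id}, which makes it easy to review which user attributes existing policies expose. Microsoft's claims-mapping documentation recommends a custom signing key instead of acceptMappedClaims for multi-tenant apps.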