Include value of directory extension attribute from organization object in claim using Entra ID


I'm in the process of migrating a .NET application from IdentityServer4 to Entra ID. The app is multi-tenant, and it passes some configuration values set at the tenant level (such as a time zone ID) to its backend via user claims. I'm trying to support the same scenario in Entra ID, so the objective is to add claims to the access token which are configured at the tenant level. From my research, it looks like directory extensions may support this scenario.

I've found that I can indeed add custom claims to the access token, provided that the directory extension the claim value is taken from is defined on the user object. The ones I've defined on the organization object are not accessible from the Entra ID admin center, and when I add them to the application manifest directly they are not used. Specifically, in this test the optionalClaims property in my application manifest was configured like this:

"optionalClaims": {
    "idToken": [],
    "accessToken": [
        {
            "name": "extension_00000000000000000000000000000000_losType",
            "source": "organization",
            "essential": false,
            "additionalProperties": []
        },
        {
            "name": "extension_00000000000000000000000000000000_timeZoneId",
            "source": "organization",
            "essential": false,
            "additionalProperties": []
        }
    ],
    "saml2Token": []
}

It looks like I can add arbitrary claims to the token by setting up a claims provider which Entra ID will make HTTP requests to for additional claims. I'd like to avoid this complexity if possible. So is there another way to get these tenant-level claims into a user's access token?


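The question reports that directory-extension claims sourced from the user object are emitted in the access token while those defined on the organization object are not. As an added illustration (not code from the question or from Microsoft), the following Python shows how a backend can consume whatever extension claims do arrive and still obtain tenant-level values it needs: it parses claim names of the form `extension_<appId>_<attribute>` shown in the manifest, ignores extension claims registered under a different application ID, and falls back to a server-side table keyed by the tenant ID. It assumes the token has already passed signature, issuer and audience validation, that the standard `tid` claim is present, and that the client ID, tenant ID and settings table are constructed placeholders.

```python
import re
from typing import Dict, Optional

# Constructed placeholder: the application (client) ID the directory extensions were
# registered under, without dashes, matching the zero GUID used in the question.
EXTENSION_APP_ID = "00000000000000000000000000000000"

# Constructed per-tenant settings keyed by tenant ID (the standard `tid` claim).
# This is the fallback for values kept on the organization object, which the
# question reports do not arrive as claims.
TENANT_SETTINGS: Dict[str, Dict[str, str]] = {
    "11111111-1111-1111-1111-111111111111": {
        "timeZoneId": "Europe/Berlin",
        "losType": "B",
    },
}

# Claim names look like extension_<32 hex chars>_<attributeName>.
_EXT_CLAIM = re.compile(r"^extension_([0-9a-fA-F]{32})_(.+)$")


def extension_claims(claims: Dict[str, object], app_id: str = EXTENSION_APP_ID) -> Dict[str, object]:
    """Return {attributeName: value} for directory-extension claims issued for app_id.

    Claims carrying a different application ID are ignored, so a value registered
    by another application cannot be mistaken for one of ours.
    """
    found: Dict[str, object] = {}
    for key, value in claims.items():
        match = _EXT_CLAIM.match(key)
        if match and match.group(1).lower() == app_id.lower():
            found[match.group(2)] = value
    return found


def resolve_tenant_setting(claims: Dict[str, object], name: str, required: bool = True) -> Optional[str]:
    """Resolve a tenant-level setting for the calling user.

    Order of precedence: 1) an extension claim in the token (user-scoped attribute),
    2) the server-side table keyed by the `tid` claim. Raises KeyError when the
    setting is required and neither source has it.
    """
    ext = extension_claims(claims)
    if name in ext:
        return str(ext[name])
    tid = claims.get("tid")
    if isinstance(tid, str) and name in TENANT_SETTINGS.get(tid, {}):
        return TENANT_SETTINGS[tid][name]
    if required:
        raise KeyError(f"tenant setting {name!r} unavailable for tenant {tid!r}")
    return None


# Constructed decoded access-token payload. Only the user-scoped attribute is
# present; timeZoneId has to come from the fallback table. The second extension
# claim uses a foreign application ID and must be ignored.
SAMPLE_CLAIMS: Dict[str, object] = {
    "aud": "api://example-backend",
    "tid": "11111111-1111-1111-1111-111111111111",
    "oid": "22222222-2222-2222-2222-222222222222",
    "extension_00000000000000000000000000000000_losType": "A",
    "extension_99999999999999999999999999999999_losType": "ignored",
}

if __name__ == "__main__":
    print(resolve_tenant_setting(SAMPLE_CLAIMS, "losType"))     # A (from the token)
    print(resolve_tenant_setting(SAMPLE_CLAIMS, "timeZoneId"))  # Europe/Berlin (fallback)
```

Keying the fallback on `tid` rather than on anything the user controls keeps the tenant-level configuration authoritative on the server side, which is also the property the asker was after when putting these values in claims in the first place.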