When an application requests a token via client credentials and a custom scope, how can I get the name of the app registration included in the auth token?

Robert Vedin 20 Reputation points
2025-01-31T11:42:58.4066667+00:00

We have a custom API with a custom scope, to be able to assign specific app roles to applications calling our API.

The calling applications always have an app registration with the assigned app roles, and they use the client credentials flow to get an access token to be able to call the API. There are never any users involved.

The payload of the access token presented to our application looks like this:

{
  "aud": "https://---our-api----",
  "iss": "https://sts.windows.net/-----/",
  "iat": 1738316411,
  "nbf": 1738316411,
  "exp": 1738320311,
  "aio": "----",
  "appid": "---client id of calling app registration---",
  "appidacr": "1",
  "idp": "https://------/",
  "oid": "---object id of service principal for caller---",
  "rh": "-----",
  "roles": [
    "----------------read-all",
    "----------------check",
    "----------------write-all"
  ],
  "sub": "---object id of service principal for caller---",
  "tid": "--------------------------------",
  "uti": "--------------------------------",
  "ver": "1.0"
}

However, we also need to know the name of the app registration.

When getting a token for MS Graph, a claim is included with the name appname or app_displayname, but there does not seem to be any way to include that claim for a custom api.

The optional claims one can add do not seem to include the name of the app registration, only the display name of the user, which is not involved in our scenario.

Is there any way to get the name of the app registration as a claim in our access token?

Sincerely Robert

Microsoft Entra ID
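As an added example that is not part of the original question or answer: the checks an API should run on a client-credentials token shaped like the payload above, written in PowerShell. Assumptions that are not on the page: the tenant id, app id and role names are placeholders, and the token is constructed inline from the payload shape shown in the question with a dummy signature, so signature validation is out of scope here and is left to the API's JWT middleware. The security point is that authorization must rest on `tid`, `appid` and `roles`, which the issuer controls, never on a display name, which is chosen by whoever registered the calling app; if no name claim is available, the example resolves the name from the directory by `appid` (a `Get-MgServicePrincipal` lookup, requiring `Connect-MgGraph` with `Application.Read.All`) and otherwise falls back to the stable identifier.

```powershell
# Added example, not code from the original post. Placeholders and the sample token
# below are constructed for illustration.

function ConvertFrom-JwtPayload {
    # Decodes the middle (payload) segment of a compact JWS. This does NOT validate the
    # signature; the API's JWT middleware must do that before any claim is trusted.
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Expected 3 JWS segments, got $($parts.Count)" }
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw 'Invalid base64url payload length' }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-ClientCredentialsCaller {
    # Returns a decision object. Authorization is driven by tid, appid and roles only.
    param(
        [Parameter(Mandatory)]$Claims,
        [Parameter(Mandatory)][string]$ExpectedTenantId,
        [Parameter(Mandatory)][string[]]$AllowedAppIds,
        [Parameter(Mandatory)][string]$RequiredRole
    )
    $reasons = @()
    if ($Claims.ver -ne '1.0') { $reasons += "unexpected token version '$($Claims.ver)'" }
    if ($Claims.tid -ne $ExpectedTenantId) { $reasons += "tenant $($Claims.tid) is not the expected tenant" }
    if ($AllowedAppIds -notcontains $Claims.appid) { $reasons += "appid $($Claims.appid) is not allow-listed" }
    if (-not $Claims.roles -or $Claims.roles -notcontains $RequiredRole) { $reasons += "role '$RequiredRole' missing" }
    # App-only tokens carry no user: a delegated scp claim, or sub differing from the
    # service principal's oid, means this is not the token type the API expects.
    if ($Claims.PSObject.Properties['scp']) { $reasons += 'token carries a delegated scp claim; expected app-only' }
    if ($Claims.sub -ne $Claims.oid) { $reasons += 'sub does not equal oid (not a service principal token)' }
    # appidacr: "1" = client secret, "2" = client certificate. Log it; policy may require "2".
    [pscustomobject]@{
        Authorized = ($reasons.Count -eq 0)
        Reasons    = $reasons
        CredType   = $Claims.appidacr
    }
}

function Resolve-CallerDisplayName {
    # Prefer a mapped app_displayname claim when the tenant emits one; otherwise look the
    # name up by appid (assumed Graph session with Application.Read.All). Free text from
    # either source is for logging only, never for access decisions.
    param([Parameter(Mandatory)]$Claims, [switch]$UseGraph)
    if ($Claims.PSObject.Properties['app_displayname']) { return $Claims.app_displayname }
    # Guard the OData filter: appid must be a GUID before it is interpolated.
    if ($Claims.appid -notmatch '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$') { throw 'appid is not a GUID' }
    if ($UseGraph) {
        $sp = Get-MgServicePrincipal -Filter "appId eq '$($Claims.appid)'" -Property DisplayName
        if ($sp) { return $sp.DisplayName }
    }
    return "appid:$($Claims.appid)"
}

function ConvertTo-Base64Url([byte[]]$Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

# Constructed sample: same claim shape as the question's payload, placeholder values,
# unsigned ("sig" is a dummy third segment).
$tenant = '11111111-1111-1111-1111-111111111111'
$caller = '22222222-2222-2222-2222-222222222222'
$payload = [ordered]@{
    aud      = 'https://our-api.example'
    iss      = "https://sts.windows.net/$tenant/"
    appid    = $caller
    appidacr = '1'
    oid      = '33333333-3333-3333-3333-333333333333'
    sub      = '33333333-3333-3333-3333-333333333333'
    roles    = @('read-all', 'check')
    tid      = $tenant
    ver      = '1.0'
} | ConvertTo-Json -Compress
$header = '{"typ":"JWT","alg":"RS256"}'
$token = (ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes($header))) + '.' +
         (ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes($payload))) + '.sig'

$claims   = ConvertFrom-JwtPayload -Token $token
$decision = Test-ClientCredentialsCaller -Claims $claims -ExpectedTenantId $tenant `
                -AllowedAppIds @($caller) -RequiredRole 'read-all'
$decision | Format-List
"Caller label for logs: $(Resolve-CallerDisplayName -Claims $claims)"
```

With the constructed sample the decision comes back authorized and the log label falls back to `appid:2222...`, because no `app_displayname` claim is present; pass `-UseGraph` against a live session to resolve the registration's name from the directory instead.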

Accepted answer
    Kancharla Saiteja 385 Reputation points Microsoft Vendor
    2025-02-03T12:11:36.0133333+00:00

    Hi Robert Vedin,

    Thank you for posting your query on Microsoft Q&A. I am Saiteja from Q&A and will be assisting you with your query.

    Based on your query, here is my understanding: You would like to pass application display name as a claim for client credential flow application.

    I see you have tried using optional claims which are actually for the user authentication protocols. Optional claims only support user-based claims which means you cannot add appname.
    Since client credential flow does not support optional claims, I would recommend you check with claims mapping policy to achieve the end goal.

    Here are the steps you can follow:

    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

    Install-Module Microsoft.Graph -Scope CurrentUser -Repository PSGallery -Force

    Get-InstalledModule Microsoft.Graph

    Import-Module Microsoft.Graph.Identity.SignIns

    Connect-MgGraph -Scopes "Policy.ReadWrite.ApplicationConfiguration", "Policy.Read.All"

    New-MgPolicyClaimMappingPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"false"}}') -DisplayName "OmitBasicClaims"

    New-MgPolicyClaimMappingPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema": [{"Source":"user","ID":"employeeid","SamlClaimType":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/employeeid","JwtClaimType":"employeeid"},{"Source":"company","ID":"tenantcountry","SamlClaimType":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country","JwtClaimType":"country"}]}}') -DisplayName "ExtraClaimsExample"

    Here in the above command, you need to change the source to "Application" and the ID to "Appdisplayname".

    Now you can check the same policy and copy the policy ID: Get-MgPolicyClaimMappingPolicy

    To assign the policy to the service principal you will need the ObjectId of your claims mapping policy and the objectId of the service principal to which the policy must be assigned.
    New-MgServicePrincipalClaimMappingPolicyByRef -ServicePrincipalId <servicePrincipalId> -BodyParameter @{"@odata.id" = "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/<claimsMappingPolicyId>"}
    Here is the Microsoft document which helps you get a detailed explanation of the above policy configuration.
    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment"

    1 person found this answer helpful.
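The procedure in the accepted answer carried through end to end, as an added example that is not the answer's own code: build the claims mapping policy definition from a hashtable instead of hand-written JSON (the colon-less JSON in such one-liners is a common source of failed policy creation), attach the policy to the service principal of the API (the resource whose tokens are being customized, not the callers), and let the API opt in to mapped claims. Assumptions not on the page: the API app id is a placeholder, and the `Source`/`ID` pair `application`/`displayname` follows the accepted answer's suggestion; confirm it against the claims mapping policy reference for your tenant before relying on it. Two caveats a practitioner should keep in mind: a resource that receives mapped claims must set `acceptMappedClaims` (single-tenant apps) or be configured with a custom signing key, otherwise token requests for it fail; and the emitted display name is free text chosen by whoever registered the calling app, so it is a label for logging, while `appid`, `tid` and `roles` remain the basis for authorization.

```powershell
# Added example, not the accepted answer's own commands. Placeholder ids below are
# assumptions; run in a session with rights to change the API's app registration.

Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes 'Policy.ReadWrite.ApplicationConfiguration', 'Application.ReadWrite.All'

$apiAppId = '00000000-0000-0000-0000-000000000000'   # placeholder: app (client) id of the custom API

# Policy definition: a JSON string inside a one-element array. IncludeBasicClaimSet stays
# "true" so appid, oid, tid and roles are still issued; only the app display name is added.
# Source/ID as suggested in the accepted answer (assumption: supported by your tenant).
$definition = @{
    ClaimsMappingPolicy = @{
        Version              = 1
        IncludeBasicClaimSet = 'true'
        ClaimsSchema         = @(
            @{
                Source        = 'application'
                ID            = 'displayname'
                SamlClaimType = 'http://schemas.microsoft.com/identity/claims/appdisplayname'
                JwtClaimType  = 'app_displayname'
            }
        )
    }
} | ConvertTo-Json -Depth 5 -Compress

$policy = New-MgPolicyClaimMappingPolicy -Definition @($definition) -DisplayName 'EmitCallerAppDisplayName'

# Claims mapping policies attach to the RESOURCE service principal (the API), not to callers.
$apiSp = Get-MgServicePrincipal -Filter "appId eq '$apiAppId'"
if (-not $apiSp) { throw "No service principal found for appId $apiAppId" }
New-MgServicePrincipalClaimMappingPolicyByRef -ServicePrincipalId $apiSp.Id -BodyParameter @{
    '@odata.id' = "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/$($policy.Id)"
}

# The API must opt in to mapped claims (single-tenant apps); multi-tenant resources need a
# custom signing key instead. Without one of the two, token requests for the API fail.
$apiApp = Get-MgApplication -Filter "appId eq '$apiAppId'"
Update-MgApplication -ApplicationId $apiApp.Id -Api @{ AcceptMappedClaims = $true }

# Verify the assignment and the opt-in flag before requesting a fresh token.
Get-MgServicePrincipalClaimMappingPolicy -ServicePrincipalId $apiSp.Id | Select-Object DisplayName, Id
(Get-MgApplication -ApplicationId $apiApp.Id).Api.AcceptMappedClaims
```

Tokens issued before the assignment keep their old claim set; request a new one with the client credentials flow and decode its payload to confirm the `app_displayname` claim appears. Enabling `acceptMappedClaims` means the API trusts whatever the tenant's claims mapping policies emit, so treat `Policy.ReadWrite.ApplicationConfiguration` as a privileged permission and review who holds it.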
