Overview
In some scenarios, organizations need to pass custom data about users, such as internal identifiers or sponsorship information, to applications during SSO. Microsoft Entra ID supports this through directory extension attributes, which can be registered on an application and then referenced in its claims configuration.
This blog outlines how to register and use custom directory extension attributes in an Enterprise Application and configure them to issue claims conditionally based on group membership.
Step 1: Register Directory Extension Attributes
Use Graph Explorer to register two custom attributes, for example sponsorid1 and sponsorid2, in the target application.
Send a POST request to:
POST https://graph.microsoft.com/v1.0/applications/{AppObjectId}/extensionProperties
Request body example:
{
  "name": "sponsorid1",
  "dataType": "String",
  "targetObjects": ["User"]
}
Repeat the process for sponsorid2. The response to each registration contains the full attribute name, which has this format:
extension_<AppClientID>_sponsorid1
extension_<AppClientID>_sponsorid2
Note these exact names; the PATCH requests in step 2 and the claim source in step 3 must use them verbatim.
Step 2: Assign Extension Attributes to Users
Use Graph Explorer again to PATCH user objects and assign values to these extension attributes.
Request URL:
PATCH https://graph.microsoft.com/v1.0/users/{UserObjectId}
Request body:
{
  "extension_<AppClientID>_sponsorid1": "ABC123"
}
Repeat this for each user, assigning the corresponding attribute (sponsorid1 or sponsorid2).
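The two Graph calls above, done from a script instead of Graph Explorer, as an added example that is not part of the original post. The helpers build the exact request bodies shown in steps 1 and 2 and derive the full attribute name the way Graph reports it (extension_ followed by the application (client) ID with its hyphens removed, then the short name). The environment variable names, the GRAPH_TOKEN bearer token and the sample GUIDs are assumptions for illustration; the HTTP calls only run when those variables are set.

```python
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def extension_attribute_name(app_client_id: str, short_name: str) -> str:
    """Full name Entra ID assigns to a directory extension attribute.

    Graph reports it as extension_<clientId>_<name>, where <clientId> is the
    application (client) ID with its hyphens stripped.
    """
    return f"extension_{app_client_id.replace('-', '')}_{short_name}"


def extension_property_body(short_name: str) -> dict:
    """Request body for POST /applications/{AppObjectId}/extensionProperties (step 1)."""
    return {"name": short_name, "dataType": "String", "targetObjects": ["User"]}


def user_patch_body(app_client_id: str, short_name: str, value: str) -> dict:
    """Request body for PATCH /users/{UserObjectId} that sets one attribute (step 2)."""
    return {extension_attribute_name(app_client_id, short_name): value}


def graph_call(method: str, url: str, token: str, body=None) -> dict:
    """Send one Microsoft Graph request with a bearer token.

    Returns the decoded JSON response, or {} for an empty 204 reply (PATCH).
    A non-2xx status raises urllib.error.HTTPError, e.g. 409 when an
    extension property with the same name is already registered.
    """
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def register_and_assign(token: str, app_object_id: str, app_client_id: str, assignments) -> list:
    """Register sponsorid1 and sponsorid2 on the app, then assign values to users.

    assignments: iterable of (user_object_id, short_name, value) tuples.
    Returns the full attribute names Graph reported for the registrations.
    """
    registered = []
    for short_name in ("sponsorid1", "sponsorid2"):
        created = graph_call(
            "POST",
            f"{GRAPH}/applications/{app_object_id}/extensionProperties",
            token,
            extension_property_body(short_name),
        )
        registered.append(created["name"])
    for user_object_id, short_name, value in assignments:
        graph_call(
            "PATCH",
            f"{GRAPH}/users/{user_object_id}",
            token,
            user_patch_body(app_client_id, short_name, value),
        )
    return registered


if __name__ == "__main__":
    # Assumed environment variable names; replace with your own values.
    token = os.environ["GRAPH_TOKEN"]          # bearer token for Microsoft Graph
    app_object_id = os.environ["APP_OBJECT_ID"]  # Object ID of the app registration
    app_client_id = os.environ["APP_CLIENT_ID"]  # Application (client) ID
    user_id = os.environ["USER_OBJECT_ID"]       # a user who should get sponsorid1
    print(register_and_assign(token, app_object_id, app_client_id,
                              [(user_id, "sponsorid1", "ABC123")]))
```

Scope the token to what each call needs: registering extension properties requires write access to the application object (Application.ReadWrite.All), and patching users requires write access to user objects (User.ReadWrite.All); a token with only the second permission is enough for the recurring step 2 work once the attributes exist.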
Step 3: Create Claims in Enterprise Application
Navigate to Entra ID > Enterprise Applications > [App Name] > Single Sign-On > Attributes & Claims.
1. Click Add new claim
2. Provide a name (e.g., sponsorClaim1)
3. Under Claim conditions, select Member and choose the group whose members should receive the claim
4. As the source attribute, use the full directory extension attribute name from step 1 (e.g., extension_<AppClientID>_sponsorid1)
Repeat for the second group and attribute.
Step 4: Handle Claim Mapping Error
If you see the error "Application requires custom signing key to customize claims", you can temporarily work around it by setting the following property in the app registration manifest:
"acceptMappedClaims": true
This lets the application receive customized claims without a custom signing key. Use it only for single-tenant applications: Microsoft warns against enabling acceptMappedClaims on multi-tenant apps, because it lets claims-mapping policies be attached to the app in other tenants; a custom signing key is the supported option there.
Step 5: Test the Configuration
Start a sign-in using https://login.microsoftonline.com/(Tenant ID)/oauth2/v2.0/authorize?client_id=(Client ID)&response_type=id_token&redirect_uri=https://jwt.ms&scope=openid&state=12345&nonce=12345 and sign in with users who belong to the defined groups. You should see the claims configured in step 3 (carrying the sponsorid1 or sponsorid2 value) in the SAML or OIDC token decoded at https://jwt.ms. Users who are not in any of the groups will not receive any sponsor claim.
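The same check done offline, as an added example that is not part of the original post: it decodes the ID token payload the way jwt.ms displays it, confirms the nonce matches the one sent in the authorize request (12345 above) and reports which sponsor claims the token carries. The claim names sponsorClaim1 and sponsorClaim2 are assumed from step 3, and the two tokens are constructed unsigned samples standing in for what a user in group 1 and a user in no group would receive.

```python
import base64
import json

# Claim names as configured in step 3 (assumed; use whatever names you chose).
SPONSOR_CLAIMS = ("sponsorClaim1", "sponsorClaim2")


def _b64url_decode(segment: str) -> bytes:
    """Base64url decode with the padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(id_token: str) -> dict:
    """Return the claims of a compact JWT. Inspection only: the signature is not checked here."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def sponsor_claims(id_token: str, expected_nonce: str) -> dict:
    """Bind the token to our request via the nonce, then return the sponsor claims present."""
    claims = decode_payload(id_token)
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token was not issued for this authorize request")
    return {name: claims[name] for name in SPONSOR_CLAIMS if name in claims}


def _constructed_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed for this example, not issued by Entra ID)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed samples: a member of the first group, and a user in neither group.
TOKEN_GROUP1_USER = _constructed_token(
    {"aud": "client-id-placeholder", "nonce": "12345", "sponsorClaim1": "ABC123"}
)
TOKEN_NO_GROUP_USER = _constructed_token(
    {"aud": "client-id-placeholder", "nonce": "12345"}
)

if __name__ == "__main__":
    print(sponsor_claims(TOKEN_GROUP1_USER, "12345"))   # {'sponsorClaim1': 'ABC123'}
    print(sponsor_claims(TOKEN_NO_GROUP_USER, "12345"))  # {}
```

jwt.ms only decodes; the application consuming these claims must still validate the signature against the tenant's signing keys and check iss, aud and exp before trusting a sponsor value, which is what a library such as MSAL does for you.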
Conclusion
Directory extension attributes are a powerful way to issue dynamic claims in Microsoft Entra ID. By combining them with conditional claim issuance based on group membership, you can tailor your application's SSO experience to meet specific business logic.