
Custom attributes are not showing up in ID token

Alex 20 Reputation points
2026-06-12T01:55:28.37+00:00

I have a custom application integrated with Microsoft Entra External ID using OpenID Connect. I created a few custom user attributes and can see the values populated for users, but when I sign in and check the ID token, those attributes are not present.

Is there any additional configuration required to include custom attributes as claims in the ID token? Do I need to modify the user flow or application settings?

Has anyone implemented this successfully? Any guidance would be appreciated.

Microsoft Security | Microsoft Entra | Microsoft Entra External ID

Answer accepted by question author

VEMULA SRISAI 13,315 Reputation points Microsoft External Staff Moderator
2026-06-12T02:35:42.16+00:00

Hello Alex,

This behavior is expected in Microsoft Entra External ID.

Custom user attributes are not automatically included in the ID token, even if the values are populated in the user profile. They must be explicitly configured as token claims.

To resolve this, please validate the following:

Ensure the custom attribute is added in your user flow (User flows → select flow → User attributes).

Navigate to App registrations → your application → Single sign-on → Attributes & Claims, and add a new claim:

  • Source: Directory schema extension
    • Select the b2c-extensions-app

Update the application manifest and set:

  "acceptMappedClaims": true

Additionally, confirm that the custom attribute has a non-null value for the user, as attributes with no value are not emitted in the token.

Once these changes are completed, perform a fresh sign-in and validate the ID token (for example, using jwt.ms).

If the issue still persists, please share your current configuration (user flow and claim mapping), and we can help review it further.


1 person found this answer helpful.

1 additional answer

  1. AI answer

    2026-06-12T01:55:43.61+00:00

    Yes, additional configuration is required. Custom attributes do not appear in the ID token automatically, even if they are populated on the user object.

    To have custom attributes show up as claims in the ID token for a Microsoft Entra External ID (customer) app, configure both the user flow and the application/enterprise app as follows:

    1. Ensure the custom attributes are defined and collected
      • Define the custom attributes in the external tenant so they are available as user flow attributes.
      • In the sign-up/sign-in user flow, add these custom attributes to the User attributes section so they are collected and stored on the user profile.
      • Custom attributes are stored as directory extension attributes in the b2c-extensions-app and are exposed with the naming convention: extension_{appId-without-hyphens}_{custom-attribute-name}.
    2. Add the custom attributes as claims in the token
      • In the Microsoft Entra admin center, go to Entra ID → App registrations and select the application.
      • In Essentials, under Managed application in local directory, select the linked enterprise application.
      • Under Manage, select Single sign-on.
      • In Attributes & Claims, select Edit.
      • Select Add new claim.
      • Enter a Name for the claim (this is the claim name that will appear in the token).
      • For Source, select Directory schema extension.
      • In Select Application, choose b2c-extensions-app.
      • In Add Extension Attributes, select the desired custom attribute(s) and then Add.
      • Save the changes.
    3. Update the application manifest to accept mapped claims
      • In App registrations, open the application and go to Manifest.
      • Set acceptMappedClaims to true.
      • Set isFallbackPublicClient to true (per the documented configuration for mapped claims).
      • Save the manifest.

    After these steps, when a user signs in via the configured user flow, the selected custom attributes will be emitted as claims in the ID token, using the claim names configured in Attributes & Claims.

    If attributes are sourced from an external system at sign-in time (for example via a REST API), use a custom claims provider or API connector and then map those returned attributes into token claims via claims mapping policies or the user flow’s Application claims configuration.
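
For the validation step after a fresh sign-in, a local check can replace pasting the token into a web decoder. This is an added example, not part of either answer or of Microsoft's documentation: it decodes the ID token payload without verifying the signature (inspection only) and reports whether each expected claim was emitted. The app ID, attribute name and claim names are constructed placeholders.

```python
import base64
import json


def b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_payload(token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def extension_name(extensions_app_id: str, attribute: str) -> str:
    """Directory extension name: extension_{appId-without-hyphens}_{attribute}."""
    return f"extension_{extensions_app_id.replace('-', '')}_{attribute}"


def check_claims(token: str, expected: list[str]) -> dict:
    """Map each expected claim name to 'present', 'empty' or 'missing'."""
    payload = decode_payload(token)
    report = {}
    for name in expected:
        if name not in payload:
            report[name] = "missing"  # not mapped as a claim, or no value on the user
        elif payload[name] in (None, "", []):
            report[name] = "empty"
        else:
            report[name] = "present"
    return report


# Constructed sample values: hypothetical app ID, attribute and claim names.
SAMPLE_APP_ID = "00000000-1111-2222-3333-444444444444"
SAMPLE_EXT = extension_name(SAMPLE_APP_ID, "loyaltyNumber")
SAMPLE_CLAIMS = {"sub": "constructed-user", "loyaltyTier": "gold", SAMPLE_EXT: "12345"}
SAMPLE_TOKEN = ".".join([
    b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    "constructed-signature",  # placeholder, never checked by this script
])

if __name__ == "__main__":
    for claim, status in check_claims(SAMPLE_TOKEN, ["loyaltyTier", SAMPLE_EXT, "department"]).items():
        print(f"{claim}: {status}")
```

Pass the claim names configured in Attributes & Claims as `expected`; a claim reported as missing points back to the claim mapping, the manifest setting, or a user attribute with no value.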

