Microsoft Previews Azure Active Directory Custom Claims Providers -- Redmondmag.com

Microsoft Previews Azure Active Directory Custom Claims Providers

By Kurt Mackie
03/24/2023

Microsoft this week announced a preview of custom claims providers for Azure Active Directory users.

Custom claims providers let organizations map claims into a token via an API. Microsoft's example is an HR department needing to associate locally stored employee numbers with authentications.

The custom claims process happens after a user is authenticated by signing into an app or portal. In Microsoft's custom claims provider example for the HR department, the Lightweight Directory Access Protocol (LDAP) gets used with local Active Directory to return a user's employee number within the token. However, custom claims providers will work with "any data store, LDAP, SQL or anything else."

Organizations may want to set up custom claims providers if they need to keep sensitive info on premises. It's an alternative to using Microsoft's Active Directory Federation Services (ADFS) or "other federation services to pass through claims to Azure AD," the announcement explained.

Microsoft lately has tried to steer its customers away from using ADFS, a Windows Server role that Microsoft presently refers to as a "legacy system." ADFS authenticates with Azure AD using AD on premises, but it's complex to configure, and possibly subject to security issues. For instance, the "Nobelium" nation-state attackers partly leveraged ADFS to tap Exchange Online e-mails.

Another reason why organizations may want to use custom claims providers is being unable to synchronize attributes to Azure AD due to regulatory reasons. Organizations also may have "complex RBAC [role-based access control] models which are stored in external databases."

Microsoft showed off how the custom claims providers preview works in this video. It's Microsoft's "first use of a custom extension," but more are expected to be added to support further customizations of authentication flows.

Custom authentication extensions for Azure AD are currently at the preview stage, according to this Microsoft "Overview" document. The preview apparently was first released last summer.

Microsoft defined a custom claims provider as "a type of custom extension that calls a REST API to fetch claims from external systems," per its "Overview" document.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

Multi-Tenant Organization Hooks Released for Microsoft 365

Microsoft Entra ID's new multi-tenant organization capabilities have reached general availability (GA).
Real-World Ransomware Recovery

Here's how I was (mostly) successful in recovering a family PC infected with malware.
Microsoft Launches Small AI Models Family Phi-3

Recognizing that bigger isn't always better, Microsoft has released its smallest open AI models to date, Phi-3.
Microsoft and OpenAI Continue Global AI Expansions

Microsoft and OpenAI each continued their global expansion this month, with the announcements of new infrastructure investments and service rollouts in new regions, like Asia and the Middle East.
Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.