CustomAuthenticationExtension.ReadWrite.All

Application | Delegated | Read/Write All Resources

Allows the app to read or write your organization's custom authentication extensions without a signed-in user.

Permission data: April 6, 2026 at 4:06 AM UTC

Permission Details

Application Permission

Read and write all custom authentication extensions

Allows the app to read or write your organization's custom authentication extensions without a signed-in user.

Delegated Permission (admin consent required)

Read and write your organization's custom authentication extensions

Allows the app to read or write your organization's custom authentication extensions on behalf of the signed-in user.

Properties

Properties are shown from stable Microsoft Graph v1.0 metadata.

| Property | Type | Description |
| --- | --- | --- |
| authenticationConfiguration | customExtensionAuthenticationConfiguration | The authentication configuration for the customAuthenticationExtension. Inherited from customCalloutExtension. |
| behaviorOnError | customExtensionBehaviorOnError | The behaviour on error for the custom authentication extension. |
| clientConfiguration | customExtensionClientConfiguration | The connection settings for the customAuthenticationExtension. Inherited from customCalloutExtension. |
| description | String (nullable) | The description of the customAuthenticationExtension. Inherited from customCalloutExtension. |
| displayName | String (nullable) | The display name for the customAuthenticationExtension. Inherited from customCalloutExtension. |
| endpointConfiguration | customExtensionEndpointConfiguration | The HTTP endpoint that this custom extension calls. Inherited from customCalloutExtension. |
| id | String | Identifier for the customAuthenticationExtension. Inherited from entity. |

JSON Representation

JSON representation is shown from stable Microsoft Graph v1.0 metadata.

{
  "@odata.type": "#microsoft.graph.customAuthenticationExtension",
  "id": "String (identifier)",
  "authenticationConfiguration": {
    "@odata.type": "microsoft.graph.customExtensionAuthenticationConfiguration"
  },
  "clientConfiguration": {
    "@odata.type": "microsoft.graph.customExtensionClientConfiguration"
  },
  "description": "String",
  "displayName": "String",
  "endpointConfiguration": {
    "@odata.type": "microsoft.graph.customExtensionEndpointConfiguration"
  },
  "behaviorOnError": {
    "@odata.type": "microsoft.graph.customExtensionBehaviorOnError"
  }
}

Relationships

Relationships metadata is not available for this permission mapping.

Graph Methods


Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET /identity/customAuthenticationExtensions
GET /identity/customAuthenticationExtensions/{customAuthenticationExtensionId}
POST /identity/customAuthenticationExtensions
POST /identity/customAuthenticationExtensions/{customAuthenticationExtensionId}/validateAuthenticationConfiguration
POST /identity/customAuthenticationExtensions/validateAuthenticationConfiguration
PATCH /identity/customAuthenticationExtensions/{customAuthenticationExtensionId}
DELETE /identity/customAuthenticationExtensions/{customAuthenticationExtensionId}

Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET /identity/customAuthenticationExtensions
GET /identity/customAuthenticationExtensions/{customAuthenticationExtensionId}
POST /identity/customAuthenticationExtensions
POST /identity/customAuthenticationExtensions/{customAuthenticationExtensionId}/validateAuthenticationConfiguration
POST /identity/customAuthenticationExtensions/validateAuthenticationConfiguration
PATCH /identity/customAuthenticationExtensions/{customAuthenticationExtensionId}
DELETE /identity/customAuthenticationExtensions/{customAuthenticationExtensionId}

Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands
| Command | Endpoint | Operation |
| --- | --- | --- |
| Get-MgIdentityCustomAuthenticationExtension | /identity/customAuthenticationExtensions | List customAuthenticationExtensions |
| Get-MgIdentityCustomAuthenticationExtension | /identity/customAuthenticationExtensions/{customAuthenticationExtensionId} | Get customAuthenticationExtension |
| New-MgIdentityCustomAuthenticationExtension | /identity/customAuthenticationExtensions | Create customAuthenticationExtension |
| Remove-MgIdentityCustomAuthenticationExtension | /identity/customAuthenticationExtensions/{customAuthenticationExtensionId} | Delete customAuthenticationExtension |
| Test-MgIdentityCustomAuthenticationExtensionAuthenticationConfiguration | /identity/customAuthenticationExtensions/{customAuthenticationExtensionId}/validateAuthenticationConfiguration | customAuthenticationExtension: validateAuthenticationConfiguration |
| Update-MgIdentityCustomAuthenticationExtension | /identity/customAuthenticationExtensions/{customAuthenticationExtensionId} | Update customAuthenticationExtension |

Microsoft Graph PowerShell beta commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands
| Command | Endpoint | Operation |
| --- | --- | --- |
| Get-MgBetaIdentityCustomAuthenticationExtension | /identity/customAuthenticationExtensions | List customAuthenticationExtensions |
| Get-MgBetaIdentityCustomAuthenticationExtension | /identity/customAuthenticationExtensions/{customAuthenticationExtensionId} | Get customAuthenticationExtension |
| New-MgBetaIdentityCustomAuthenticationExtension | /identity/customAuthenticationExtensions | Create customAuthenticationExtension |
| Remove-MgBetaIdentityCustomAuthenticationExtension | /identity/customAuthenticationExtensions/{customAuthenticationExtensionId} | Delete customAuthenticationExtension |
| Test-MgBetaIdentityCustomAuthenticationExtensionAuthenticationConfiguration | /identity/customAuthenticationExtensions/{customAuthenticationExtensionId}/validateAuthenticationConfiguration | customAuthenticationExtension: validateAuthenticationConfiguration |
| Update-MgBetaIdentityCustomAuthenticationExtension | /identity/customAuthenticationExtensions/{customAuthenticationExtensionId} | Update customAuthenticationExtension |

Code Examples

C# / .NET SDK
Create customAuthenticationExtension

// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using System.Collections.Generic;
using Microsoft.Graph.Models;

var requestBody = new OnTokenIssuanceStartCustomExtension
{
	OdataType = "#microsoft.graph.onTokenIssuanceStartCustomExtension",
	DisplayName = "onTokenIssuanceStartCustomExtension",
	Description = "Fetch additional claims from custom user store",
	EndpointConfiguration = new HttpRequestEndpoint
	{
		OdataType = "#microsoft.graph.httpRequestEndpoint",
		TargetUrl = "https://authenticationeventsAPI.contoso.com",
	},
	AuthenticationConfiguration = new AzureAdTokenAuthentication
	{
		OdataType = "#microsoft.graph.azureAdTokenAuthentication",
		ResourceId = "api://authenticationeventsAPI.contoso.com/a13d0fc1-04ab-4ede-b215-63de0174cbb4",
	},
	ClientConfiguration = new CustomExtensionClientConfiguration
	{
		TimeoutInMilliseconds = 2000,
		MaximumRetries = 1,
	},
	ClaimsForTokenConfiguration = new List<OnTokenIssuanceStartReturnClaim>
	{
		new OnTokenIssuanceStartReturnClaim
		{
			ClaimIdInApiResponse = "DateOfBirth",
		},
		new OnTokenIssuanceStartReturnClaim
		{
			ClaimIdInApiResponse = "CustomRoles",
		},
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
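var result = await graphClient.Identity.CustomAuthenticationExtensions.PostAsync(requestBody);

JavaScript
Create customAuthenticationExtension

// Dependencies
import { Client } from '@microsoft/microsoft-graph-client';

// authProvider must be an initialized authentication provider for your app
const options = {
	authProvider,
};

const client = Client.init(options);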

const customAuthenticationExtension = {
    '@odata.type': '#microsoft.graph.onTokenIssuanceStartCustomExtension',
    displayName: 'onTokenIssuanceStartCustomExtension',
    description: 'Fetch additional claims from custom user store',
    endpointConfiguration: {
        '@odata.type': '#microsoft.graph.httpRequestEndpoint',
        targetUrl: 'https://authenticationeventsAPI.contoso.com'
    },
    authenticationConfiguration: {
        '@odata.type': '#microsoft.graph.azureAdTokenAuthentication',
        resourceId: 'api://authenticationeventsAPI.contoso.com/a13d0fc1-04ab-4ede-b215-63de0174cbb4'
    },
    clientConfiguration: {
        timeoutInMilliseconds: 2000,
        maximumRetries: 1
    },
    claimsForTokenConfiguration: [
        {
            claimIdInApiResponse: 'DateOfBirth'
        },
        {
            claimIdInApiResponse: 'CustomRoles'
        }
    ]
};

await client.api('/identity/customAuthenticationExtensions')
	.post(customAuthenticationExtension);

PowerShell
Create customAuthenticationExtension

Import-Module Microsoft.Graph.Identity.SignIns

$params = @{
	"@odata.type" = "#microsoft.graph.onTokenIssuanceStartCustomExtension"
	displayName = "onTokenIssuanceStartCustomExtension"
	description = "Fetch additional claims from custom user store"
	endpointConfiguration = @{
		"@odata.type" = "#microsoft.graph.httpRequestEndpoint"
		targetUrl = "https://authenticationeventsAPI.contoso.com"
	}
	authenticationConfiguration = @{
		"@odata.type" = "#microsoft.graph.azureAdTokenAuthentication"
		resourceId = "api://authenticationeventsAPI.contoso.com/a13d0fc1-04ab-4ede-b215-63de0174cbb4"
	}
	clientConfiguration = @{
		timeoutInMilliseconds = 2000
		maximumRetries = 1
	}
	claimsForTokenConfiguration = @(
		@{
			claimIdInApiResponse = "DateOfBirth"
		}
		@{
			claimIdInApiResponse = "CustomRoles"
		}
	)
}

New-MgIdentityCustomAuthenticationExtension -BodyParameter $params

Python
Create customAuthenticationExtension

# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.on_token_issuance_start_custom_extension import OnTokenIssuanceStartCustomExtension
from msgraph.generated.models.http_request_endpoint import HttpRequestEndpoint
from msgraph.generated.models.azure_ad_token_authentication import AzureAdTokenAuthentication
from msgraph.generated.models.custom_extension_client_configuration import CustomExtensionClientConfiguration
from msgraph.generated.models.on_token_issuance_start_return_claim import OnTokenIssuanceStartReturnClaim
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = OnTokenIssuanceStartCustomExtension(
	odata_type = "#microsoft.graph.onTokenIssuanceStartCustomExtension",
	display_name = "onTokenIssuanceStartCustomExtension",
	description = "Fetch additional claims from custom user store",
	endpoint_configuration = HttpRequestEndpoint(
		odata_type = "#microsoft.graph.httpRequestEndpoint",
		target_url = "https://authenticationeventsAPI.contoso.com",
	),
	authentication_configuration = AzureAdTokenAuthentication(
		odata_type = "#microsoft.graph.azureAdTokenAuthentication",
		resource_id = "api://authenticationeventsAPI.contoso.com/a13d0fc1-04ab-4ede-b215-63de0174cbb4",
	),
	client_configuration = CustomExtensionClientConfiguration(
		timeout_in_milliseconds = 2000,
		maximum_retries = 1,
	),
	claims_for_token_configuration = [
		OnTokenIssuanceStartReturnClaim(
			claim_id_in_api_response = "DateOfBirth",
		),
		OnTokenIssuanceStartReturnClaim(
			claim_id_in_api_response = "CustomRoles",
		),
	],
)

# Await this call from inside an async function (for example one started with asyncio.run)
result = await graph_client.identity.custom_authentication_extensions.post(request_body)

App Registration

1. Navigate to Azure Portal
   Go to App registrations in Microsoft Entra admin center

2. Add API Permission
   Select your app → API permissions → Add a permission → Microsoft Graph

3. Select Permission Type
   Choose Application permissions or delegated permissions and search for CustomAuthenticationExtension.ReadWrite.All

4. Grant Admin Consent
   Application permissions always require admin consent.
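
Reviewing what holders of this permission have configured, as an added example (not from Microsoft Learn or from this page's source): the Python below audits a constructed GET /identity/customAuthenticationExtensions response and flags a targetUrl that is not HTTPS, a host outside an allow-list, and a resourceId whose host differs from the targetUrl host. The allow-list, function names, placeholder ids and the second sample entry are assumptions, as is the api://<host>/<appId> resourceId shape taken from the page's create example.

```python
from urllib.parse import urlsplit

# Hypothetical allow-list of hosts approved to serve authentication events.
APPROVED_HOSTS = {"authenticationeventsapi.contoso.com"}

# Constructed sample shaped like a GET /identity/customAuthenticationExtensions
# response (placeholder ids); the first entry mirrors the page's create example.
SAMPLE_RESPONSE = {
    "value": [
        {
            "id": "00000000-0000-0000-0000-000000000001",
            "displayName": "onTokenIssuanceStartCustomExtension",
            "endpointConfiguration": {"targetUrl": "https://authenticationeventsAPI.contoso.com"},
            "authenticationConfiguration": {
                "resourceId": "api://authenticationeventsAPI.contoso.com/a13d0fc1-04ab-4ede-b215-63de0174cbb4"
            },
        },
        {
            "id": "00000000-0000-0000-0000-000000000002",
            "displayName": "constructed-unreviewed-extension",
            "endpointConfiguration": {"targetUrl": "http://claims.example.net/api"},
            "authenticationConfiguration": {
                "resourceId": "api://authenticationeventsAPI.contoso.com/a13d0fc1-04ab-4ede-b215-63de0174cbb4"
            },
        },
    ]
}


def audit_extension(ext, approved_hosts=APPROVED_HOSTS):
    """Return a list of findings for one customAuthenticationExtension object."""
    findings = []
    target = urlsplit((ext.get("endpointConfiguration") or {}).get("targetUrl") or "")
    resource = urlsplit((ext.get("authenticationConfiguration") or {}).get("resourceId") or "")
    host = (target.hostname or "").lower()
    if target.scheme != "https":
        findings.append("targetUrl is not HTTPS")
    if host not in approved_hosts:
        findings.append("targetUrl host not in approved list")
    # Assumes the api://<host>/<appId> resourceId convention used in the page's sample.
    if (resource.hostname or "").lower() != host:
        findings.append("resourceId host differs from targetUrl host")
    return findings


def audit_response(response):
    """Map extension id -> findings, keeping only extensions with findings."""
    results = {e.get("id"): audit_extension(e) for e in response.get("value", [])}
    return {k: v for k, v in results.items() if v}
```

Feed it the parsed JSON body of the list call from a read-only review account; an empty result means every extension passed all three checks.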