From 7154513035cb5da4fe4971484efd5646581c9d3e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C5=81ukasz=20Wojtanowski?= <97908331+lwojtanowski@users.noreply.github.com> Date: Fri, 12 Sep 2025 21:32:00 +0200 Subject: [PATCH] Update claims mapping policy instructions in documentation --- .../custom-extension-tokenissuancestart-configuration.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/docs/identity-platform/custom-extension-tokenissuancestart-configuration.md b/docs/identity-platform/custom-extension-tokenissuancestart-configuration.md index 361febc1428..37ed4d33fc4 100644 --- a/docs/identity-platform/custom-extension-tokenissuancestart-configuration.md +++ b/docs/identity-platform/custom-extension-tokenissuancestart-configuration.md @@ -214,9 +214,9 @@ The **jwt.ms** test application uses the implicit flow. Enable implicit flow in A claims mapping policy is used to select which attributes returned from the custom authentication extension are mapped into the token. To allow tokens to be augmented, you must explicitly enable the application registration to accept mapped claims: 1. In your *My Test application* registration, under **Manage**, select **Manifest**. -1. In the manifest, locate the `acceptMappedClaims` attribute, and set the value to `true`. -1. Set the `requestedAccessTokenVersion` to `2`. -1. Select **Save** to save the changes. +2. In the manifest, locate the `acceptMappedClaims` attribute under `api` object, and set the value to `true`. +3. Set the `requestedAccessTokenVersion` to `2`. +4. Select **Save** to save the changes. The following JSON snippet demonstrates how to configure these properties. 
@@ -229,6 +229,9 @@ The following JSON snippet demonstrates how to configure these properties. } ``` +> [!IMPORTANT] +> Until **AAD Graph App Manifest (Deprecating Soon)** is supported, you should also set `acceptMappedClaims` and `requestedAccessTokenVersion` in root object for this manifest kind. To know more go to [App manifest](https://learn.microsoft.com/en-us/entra/identity-platform/reference-microsoft-graph-app-manifest) + > [!WARNING] > Do not set `acceptMappedClaims` property to `true` for multitenant apps, which can allow malicious actors to create claims-mapping policies for your app. Instead [configure a custom signing key](/graph/application-saml-sso-configure-api#option-2-create-a-custom-signing-certificate).
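Review bot: In the first hunk, the renumbering of the list items to `2.`, `3.`, `4.` breaks the all-`1.` numbering convention that the unchanged first item still uses, and the new wording "under `api` object" is missing an article. Suggest keeping the original `1.` prefixes and writing: `1. In the manifest, locate the `acceptMappedClaims` attribute under the `api` object, and set the value to `true`.` The substantive clarification (that the attribute lives under the `api` object in the Microsoft Graph manifest) is useful and should stay.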
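Review bot: In the second hunk, the added IMPORTANT note reads backwards: "Until **AAD Graph App Manifest (Deprecating Soon)** is supported" would mean the instruction applies before that manifest format is supported, whereas the intent is evidently that it applies while that format is still supported. Suggest "While the **AAD Graph App Manifest (Deprecating Soon)** format is still supported, also set `acceptMappedClaims` and `requestedAccessTokenVersion` in the root object of that manifest. For more information, see [App manifest](/entra/identity-platform/reference-microsoft-graph-app-manifest)." This also fixes "in root object" and "To know more go to", and switches the absolute locale-specific `https://learn.microsoft.com/en-us/...` URL to the site-relative form the existing WARNING link below it already uses. Since the note sits directly above the WARNING that `acceptMappedClaims` must not be `true` for multitenant apps, it would be worth making clear that the same caution applies to the root-level copy of the attribute.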