In this article, we will see how to link an extension property to an identity (App Registration Client) in Entra ID. This mechanism can support multiple scenarios. In fact, I provide an example in the conclusion.
The process takes place in 3 steps:
In order to link an extension property to the App Registration Client, it is first necessary to create this property. This will be done in an App Registration Properties which will serve solely as a property dictionary.
For that purpose, we will use a (POST) call to the Graph API (for more information, see Microsoft’s documentation). The URL is as follows: https://graph.microsoft.com/v1.0/applications/{ObjectID}/extensionProperties
The “ObjectID” variable is the objectID of the App Registration Properties.
Here’s a sample payload for the request (“backend-id” will be the name of our property):
{
"name": "backend-id",
"dataType": "String",
"targetObjects": [
"Application"
]
}
To make this request, it is necessary, initially, to request a token using the following information:
It’s essential to understand that the identity associated with the provided ClientID/ClientSecret must have the following permissions regarding the Graph API:
To set the value of an extension property within an App Registration Client, it is possible to use the same type of API. However, for simplicity, we will instead go through modifying the manifest using the Azure portal.
For this, you need to access the desired App Registration Client. Then, in the ‘Manifest’ section, add at the end the following field and value:
“extension_{app reg properties id}_backend-id”: “MW”
“extension” is a fixed value. “{app reg properties id}” is the Application ID / Client ID of the App Registration Properties (containing the list of extension properties). “backend-id” is the name of the property. And “MW” is the value of our property.
The extension property is set in the App Registration Properties. The property value is entered in the App Registration Client. Now we can see how to read this type of information.
We will use an HTTP GET call to the Graph API to retrieve the desired value (see Microsoft documentation), using this URL:
https://graph.microsoft.com/v1.0/applications/{app reg client object id}?$select=extension_{app reg properties id}_backend-id
To retrieve the Object ID linked to the Client’s identity, a preliminary request to the Graph API is required (see Microsoft documentation). The ‘select’ part allows us to retrieve only the information that interests us.
Note: To make this request, it is necessary to have the following permissions:
We have seen how to manipulate extension properties in Entra ID using the Graph API.
This functionality can be useful in a number of scenarios. To give you an example, we used it in the context of propagating identity between APIM and an internal application. The goal was to ensure the Client’s identity for the internal application (in it’s repository).
