How do I get custom attribute values into entra external Id flows in angular?

Question

How do I get custom attribute values into entra external Id flows in angular?

Simone Jennings 0

I'm setting up a signin/signup flow in Entra External Id and I have custom attributes for "organisationId" and "invitationCode" that I want to send from my angular app and have accessible in my Custom Authentication Extensions (on start and on submit) so I can use them to block signups that aren't accepted or connect Entra External Ids to my own database.
I can see the custom attributes in the payload for the attribute collection on start call as they're connected to the flow and they calls are connected to the flow too, however they are always null.

I'm using MSAL for angular to start the flows and I've tried sending the values in extraQueryParameters as values in the dictionary, they appear to show up in the url its redirected to, but not in the extension calls no matter if I use email password OR sso that I have set up.

How do I get these values through to the custom authentication extensions? Without this information these extension calls become somewhat useless to me.

The code I'm using to start the flow where customParameters contain invitationCode and organisationId values


        this.msalService.loginRedirect({
			scopes: ['user.read','openid', 'profile', 'email', 'offline_access'],
			extraQueryParameters: customParameters,
			prompt:'create',
			domainHint: domainHint,
			correlationId:"12345"
		});

and how these attributes come through to the extension calls:

"extension_{app_Id}_invitationCode":{"value":null,"@odata.type":"microsoft.graph.stringDirectoryAttributeValue","attributeType":"directorySchemaExtension"},

"extension_{app_Id}_organisationId":{"value":null,"@odata.type":"microsoft.graph.int64DirectoryAttributeValue","attributeType":"directorySchemaExtension"},

Praveen Chivarla 105 Reputation points Microsoft External Staff Moderator

2025-08-19T05:08:57.4066667+00:00

Hi @Simone Jennings,

Following up to see if the provided answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Praveen Chivarla 105 Reputation points Microsoft External Staff Moderator

2025-08-20T08:17:06.8366667+00:00

Hi @Simone Jennings,

Following up to see if the provided answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

1 answer

Your answer

Praveen Chivarla 105 Reputation points Microsoft External Staff Moderator

2025-08-19T05:08:57.4066667+00:00

Hi @Simone Jennings,

Following up to see if the provided answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Praveen Chivarla 105 Reputation points Microsoft External Staff Moderator

2025-08-20T08:17:06.8366667+00:00

Hi @Simone Jennings,

Following up to see if the provided answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Answer 1

Praveen Chivarla 105 Microsoft External Staff Moderator

Hi @Simone Jennings,

Thank you for posting your query on Microsoft Q&A.

As per our understanding, you are trying to pass custom values like organisationId and invitationCode from your Angular app into your Entra External ID user flow using MSAL’s extraQueryParameters. While these values appear in the browser's URL, they are showing up as null in your custom API connector calls on both onStart and onSubmit.

To send custom attribute values (like organisationId and invitationCode) from your Angular app into Microsoft Entra External ID user flows using MSAL, and have them show up in your API connectors.

Please follow the steps below:

1**. Register Custom Attributes in Microsoft Entra**

Go to Entra ID > External Identities > User attributes.
Click Add to create each custom attribute:
- invitationCode
  - organisationId
  - Save your changes.

Custom attributes are stored in the format

extension_<appId>_attributename

where <appId> is the Application (client) ID of the "aad-extensions-app" registration in your tenant. learn.microsoft

Add Custom Attributes to the User Flow

Go to Entra ID > External Identities > User flows.
Pick your flow (sign-in/sign-up).
Under User attributes, click + Add and select both invitationCode and organisationId.
Set them as optional if you wish users not to be blocked if they’re missing.
Save the flow. learn.microsoft

Pass Custom Attributes to the API Connector

Still within your user flow, visit API connectors.
For either the On start or On submit steps:
- Select your API connector.
  - Under Send claims to your API, click + Add claims and check invitationCode and organisationId.
    - In Advanced or Pass through, toggle Pass query string parameters to Yes—this ensures query parameters from the URL are sent through to your API.
      - Save settings.
Repeat for each authentication step where you need these values. learn.microsoft

Update Your Angular (MSAL) Integration

When using MSAL in Angular, add custom parameters as extraQueryParameters in your loginRedirect or loginPopup call:

javascript

this.msalService.loginRedirect({

scopes: ['openid', 'profile', 'email', 'offline_access'],

extraQueryParameters: {

invitationCode: 'YOUR_INVITATION_CODE',

organisationId: 'YOUR_ORG_ID'

},

prompt: 'create'

});

The parameter keys (invitationCode, organisationId) must exactly match those registered as custom attributes and added to the user flow.learn.microsoft.

Simone Jennings 0 Reputation points

2025-08-20T08:23:40.0733333+00:00

Hi Praveen,

Thanks for your answer.

Unfortunately most of the things you listed in your answer were already done or attempted.

Number 3 you listed isn't actually possible to do in Entra External Id, the "Custom authentication extensions" - not "API connectors" - have no options settable for claims. Potentially you are thinking of Azure B2C or Entra Workplace? This is specifically the new product External Id.
Praveen Chivarla 105 Reputation points Microsoft External Staff Moderator

2025-08-21T05:23:14.0166667+00:00
Hi Simone Jennings,

Thank you for the response. Currently, Microsoft Entra External ID does not support passing custom attribute values directly from your application (Angular, MSAL, or any SPA) through extra query parameters into Custom Authentication Extension payloads. This is a documented limitation of the new Entra External ID product

Custom parameters placed in the URL with extraQueryParameters are visible in the browser redirect but are not mapped into the Entra user attribute collection or the event payload received by custom authentication extensions.

There is no supported method to configure the flow or extension to automatically populate custom attribute fields (“invitationCode”, “organisationId”, etc.) with values sent from your frontend—these values will remain null unless provided interactively by the user in the native Entra step of the flow.

The extension event payload only contains attributes collected by the built-in Entra user attribute collection UI, or potentially pre-filled server-side via backend logic (not via web app query parameters).

Please try below steps:

Ensure your custom attributes (like invitationCode, organisationId) are part of your user flow’s UI, and prompt users to enter them manually.

If you want to "connect" a frontend session value or invitation code to the Entra flow, you must use a different approach:

Instead of passing custom attribute values directly, pass a public session or reference ID (as a query parameter or state value) into Entra.

In your extension’s backend logic, lookup or retrieve information related to that ID from your own database or system when the extension event fires.

This pattern allows you to enforce custom business logic (such as access gates or attribute mapping) on the extension backend, even though Entra External ID cannot pass arbitrary custom parameter values for you.

Please refer to:

Custom authentication extensions - Microsoft Entra External IDlearn.microsoft

Please "Accept as Answer" if the answer provided is useful, so that you can help others in the community looking for remediation for similar issues.
Simone Jennings 0 Reputation points

2025-08-21T06:17:35.1666667+00:00

Hi Praveen,

I'm not sure I understand, you have mentioned an alternative method is to "Instead of passing custom attribute values directly, pass a public session or reference ID (as a query parameter or state value) into Entra." yet why would a query parameter or state value be able to be passed when custom attributes aren't able to be passed?
Are you able to give me an example of how to do this?

The documentation I have read thoroughly and it does not answer the question.

I'm not sure what the point of OnAttributeCollectionStart is if I can't get any details into it whatsoever.

Thanks.
Praveen Chivarla 105 Reputation points Microsoft External Staff Moderator

2025-08-25T11:07:12.0733333+00:00
Hi @Simone Jennings,

Thank you for your follow-up.

The reason passing a simple reference ID (like a session or invitation token) via query parameters or the OAuth state works, while passing detailed custom attribute values does not, is due to platform limitations in how Microsoft Entra External ID handles user flow inputs and extension payloads.

Microsoft Entra External ID currently does not map arbitrary custom query parameters into the user attribute collection or the payload your custom authentication extension receives. This is a built-in platform behavior.

However, the OAuth state parameter or URL query parameters are preserved as-is during the flow redirection and are accessible from the HTTP context/event your extension backend processes.

This means your extension can read a single token or reference ID from the incoming request but cannot read multiple separate custom attributes passed as query parameters because those are not injected into the payload automatically.

To implement it practically:

Pass only one meaningful identifier (e.g., sessionId, invitationToken) in your Angular app when starting the flow.

In your extension backend, read this identifier directly from the HTTP request context or the workflow event’s parameters.

Use that identifier to retrieve associated attribute values from your own database or service.

Apply your business logic or pre-fill user attributes based on that lookup.

This approach leverages the supported mechanics of the protocol and Entra External ID’s architecture, without relying on unsupported custom attribute injections from the client side.

If you need help with example code snippets or configuration to read this reference ID in your extension’s OnAttributeCollectionStart event, I can provide that to guide you further.
Praveen Chivarla 105 Reputation points Microsoft External Staff Moderator

2025-08-26T10:28:58.51+00:00

Hi @Simone Jennings,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Praveen Chivarla 105 Reputation points Microsoft External Staff Moderator

2025-08-27T10:52:32.55+00:00

Hi @Simone Jennings,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Share via

How do I get custom attribute values into entra external Id flows in angular?

1 answer

Your answer