Dot in idToken.setCustomClaim is replaced with colon

I am trying to implement a custom post login action that writes the user principle name of an ad user to a claim in the id token with the name “”. The token is used with a 3rd party application that I cannot change and this application expects “” as claim name.

api.idToken.setCustomClaim('', user.userPrincipalName);

I have already configured legacy mode so that I can set custom claims that are not a url, but the dot in the claim name is replaced with a colon, so that the claim name in the id token ends up as “user:read”.

How can I set a claim named “”?

Hi there @m.raacke welcome to the community!

Interesting - While I only tested in a non-legacy tenant (namespaced claim with value), was never transformed to user:read like you are describing. I’ve opened up a ticket internally with to confirm the behavior you are seeing in a legacy context. I will certainly let you know here once I have more information myself!

Thanks for your patience :slight_smile:

Hello @tyf ,

how did you use a custom claim without a namespace in a non-legacy tenant? My understanding of the documentation was that I would have to switch to legacy to use custom claims without a namespace. That’s the only reason I was using legacy mode. In non-legacy, I don’t see the claim at all in my id token.


Sorry, I should’ve been more clear! I was just curious if we allowed the string ‘’ as a claim value in the non-legacy case or if we for whatever reason transformed it to ‘user:read’ there as well . I still had to set the actual claim to have a namespace. Something like:

api.idToken.setCustomClaim('', '');