Entra ID (Microsoft Entra ID) Custom Policies
The Sovereign Architect of Advanced Identity
Custom Policies (the Identity Experience Framework, IEF) are the “Sovereign Architect” of the Microsoft Entra ID platform. While standard “User Flows” handle common scenarios, Custom Policies are designed for the most complex identity orchestration challenges: legacy protocols, multi-step identity verification, and deep integration with proprietary external systems. Using XML-based logic, an architect can define every step of the identity journey, from the specific claims exchanged with a partner to the custom MFA logic required for a high-value transaction. For the IAM architect, Custom Policies represent the Absolute Frontier of Customization within the Microsoft cloud.
The Custom Policy Infrastructure Matrix
Designing for custom policies requires mastering the hierarchy of the Identity Experience Framework.
Strategic Policy Pillars
| Pillar | Strategic Responsibility | IAM Implementation |
|---|---|---|
| Technical Profiles | The Connection. | Defining HOW to talk to a source—SAML, OIDC, REST API, or the local Entra DB. |
| User Journeys | The Path. | Sequencing the steps a user takes (e.g. 1. Auth 2. Call API 3. Issue Token). |
| Claims Transformations | The Logic. | Modifying data in flight—e.g., converting an email to lowercase or concatenating string attributes. |
| Orchestration Steps | The Decision. | A specific step in a journey that executes a Technical Profile based on conditional logic. |
The IEF Policy Lifecycle
Building a custom policy follows a “Base-to-Extension” path to keep the XML manageable.
```mermaid
graph TD
    Base[Base Policy: Standard] --> Extension[Extension Policy: Custom Logic]
    Extension --> Relying[Relying Party: App Specific]
```
Inheritance Mapping (The Base)
The journey starts with the **Starter Pack**. You define a "Base Policy" that contains the core technical profiles and claims definitions. This is the "Sovereign Foundation" that you rarely touch once it's established. It provides the standard OIDC and SAML connectivity parameters.
Extension Orchestration (The Customization)
You create an **Extension Policy** that inherits from the Base. This is where you inject your unique business logic. You might define a new "Technical Profile" that calls a **REST API** to check a user's loyalty status, or a "Claims Transformation" to mask sensitive data before it is issued in the token.
Relying Party Definition (The Finality)
Finally, you create a **Relying Party (RP) Policy**. This is the file your application actually calls. It defines which claims are returned to the app and which "User Journey" should be executed. This modular design allows you to share complex logic across multiple apps while maintaining app-specific token output.
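The three-layer chain described above, shown as two policy files. This is an added example, not part of the original page or the Microsoft starter pack: the tenant name `contoso.onmicrosoft.com`, the policy ids `B2C_1A_SignInLoyalty` and `SignInWithLoyaltyCheck`, the `loyaltyTier` claim and the `REST-GetLoyaltyStatus` technical profile are assumed placeholders, while `B2C_1A_TrustFrameworkBase`, `AAD-UserReadUsingObjectId`, `SelfAsserted-LocalAccountSignin-Email` and `JwtIssuer` are the names the local-accounts starter pack uses. The two `<TrustFrameworkPolicy>` documents are separate files; they are shown together only for reading.

```xml
<!-- File 1: extension policy. Tenant, PolicyId, claim and profile names are assumed placeholders. -->
<TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0" TenantId="contoso.onmicrosoft.com"
  PolicyId="B2C_1A_TrustFrameworkExtensions"
  PublicPolicyUri="http://contoso.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions">

  <!-- Inheritance: every claim type, technical profile and journey in the Base is visible here -->
  <BasePolicy>
    <TenantId>contoso.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkBase</PolicyId>
  </BasePolicy>

  <BuildingBlocks>
    <ClaimsSchema>
      <!-- New claim introduced by this extension; the Base knows nothing about it -->
      <ClaimType Id="loyaltyTier">
        <DisplayName>Loyalty tier</DisplayName>
        <DataType>string</DataType>
      </ClaimType>
    </ClaimsSchema>
  </BuildingBlocks>

  <UserJourneys>
    <UserJourney Id="SignInWithLoyaltyCheck">
      <OrchestrationSteps>
        <!-- 1. Authenticate with a local account (technical profile inherited from the Base) -->
        <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp"
                           ContentDefinitionReferenceId="api.signuporsignin">
          <ClaimsProviderSelections>
            <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
          </ClaimsProviderSelections>
          <ClaimsExchanges>
            <ClaimsExchange Id="LocalAccountSigninEmailExchange"
                            TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- 2. Read the user's directory attributes (givenName, surname, email) -->
        <OrchestrationStep Order="2" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserReadWithObjectId"
                            TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- 3. Call the loyalty API; the precondition (the "Decision") skips the call
             when the claim is already in the claims bag -->
        <OrchestrationStep Order="3" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>loyaltyTier</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="RESTGetLoyaltyStatus" TechnicalProfileReferenceId="REST-GetLoyaltyStatus" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- 4. Issue the token -->
        <OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
      </OrchestrationSteps>
      <ClientDefinition ReferenceId="DefaultWeb" />
    </UserJourney>
  </UserJourneys>
</TrustFrameworkPolicy>

<!-- File 2: relying party policy. This PolicyId is the one the application requests. -->
<TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0" TenantId="contoso.onmicrosoft.com"
  PolicyId="B2C_1A_SignInLoyalty"
  PublicPolicyUri="http://contoso.onmicrosoft.com/B2C_1A_SignInLoyalty">

  <!-- Chain continues: Relying Party -> Extensions -> Base -->
  <BasePolicy>
    <TenantId>contoso.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
  </BasePolicy>

  <RelyingParty>
    <DefaultUserJourney ReferenceId="SignInWithLoyaltyCheck" />
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputClaims>
        <!-- Token contents are decided here, per app: nothing in the claims bag is issued unless listed -->
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="loyaltyTier" />
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>
```

The security-relevant point is the last `<OutputClaims>` list: the extension journey may collect many claims, but only the ones named in each app's Relying Party file reach that app's token, so a second application with a second RP file can share `SignInWithLoyaltyCheck` and still receive a narrower claim set. The technical profile `REST-GetLoyaltyStatus` referenced in step 3 must be defined in the extension policy's `<ClaimsProviders>` section (not shown here).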
Technical Policy Implementation
A simple Claims Transformation can automate complex data normalization within the identity flow.
Claims Transformation (XML Snippet)
```xml
<!-- Concatenating two claims to create a unique identifier -->
<ClaimsTransformation Id="CreateDisplayName" TransformationMethod="FormatStringMultipleClaims">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="givenName" TransformationClaimType="inputClaim1" />
    <InputClaim ClaimTypeReferenceId="surname" TransformationClaimType="inputClaim2" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="stringFormat" DataType="string" Value="{0} {1}" />
  </InputParameters>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="displayName" TransformationClaimType="outputClaim" />
  </OutputClaims>
</ClaimsTransformation>
```
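A transformation only runs when a technical profile references it. The fragment below, an added example rather than the page's own or Microsoft's code, shows the REST technical profile mentioned in the extension-policy discussion above, wired to two transformations: a `ChangeCase` transformation that lowercases the email before the call (the "Logic" row of the pillar table), and the page's `CreateDisplayName` after the call. The service URL, the `loyaltyTier` claim, the profile id and the policy key name `B2C_1A_LoyaltyApiBearerToken` are assumed placeholders; both fragments belong inside an extension policy (`<ClaimsProviders>` and `<BuildingBlocks><ClaimsTransformations>` respectively).

```xml
<!-- Goes inside <ClaimsProviders> of the extension policy. Names and URL are assumed placeholders. -->
<ClaimsProvider>
  <DisplayName>Loyalty API</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="REST-GetLoyaltyStatus">
      <DisplayName>Look up loyalty status</DisplayName>
      <Protocol Name="Proprietary"
                Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="ServiceUrl">https://loyalty-api.contoso.example/status</Item>
        <Item Key="SendClaimsIn">Body</Item>
        <!-- The API is called with a bearer token read from the policy key store; an
             AuthenticationType of None would let anyone who finds the URL query the API -->
        <Item Key="AuthenticationType">Bearer</Item>
        <Item Key="AllowInsecureAuthInProduction">false</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="BearerAuthenticationToken" StorageReferenceId="B2C_1A_LoyaltyApiBearerToken" />
      </CryptographicKeys>
      <!-- Runs before the call: the API sees one canonical form of the address -->
      <InputClaimsTransformations>
        <InputClaimsTransformation ReferenceId="LowercaseEmail" />
      </InputClaimsTransformations>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="userId" />
        <InputClaim ClaimTypeReferenceId="email" />
      </InputClaims>
      <!-- Only the listed claims from the JSON response enter the claims bag -->
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="loyaltyTier" />
      </OutputClaims>
      <!-- Runs after the call: builds displayName from givenName and surname
           using the CreateDisplayName transformation shown above -->
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateDisplayName" />
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<!-- Goes inside <BuildingBlocks><ClaimsTransformations> of the same extension policy -->
<ClaimsTransformation Id="LowercaseEmail" TransformationMethod="ChangeCase">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="email" TransformationClaimType="inputClaim1" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="toCase" DataType="string" Value="lower" />
  </InputParameters>
  <OutputClaims>
    <!-- Writes back to the same claim, replacing the mixed-case value -->
    <OutputClaim ClaimTypeReferenceId="email" TransformationClaimType="outputClaim1" />
  </OutputClaims>
</ClaimsTransformation>
```

Ordering matters: `InputClaimsTransformations` execute before the request is sent and `OutputClaimsTransformations` after the response has been mapped, so `CreateDisplayName` here reads `givenName` and `surname` that an earlier directory-read step placed in the claims bag, not anything returned by the loyalty API.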
Custom Policy Implementation Guides
Master the technical ceremonies of advanced Entra ID orchestration and XML policy design.
B2C Architecture
Using Custom Policies to build high-scale, branded customer identity journeys.
Adaptive AuthZ
Using IEF to enforce custom security policies that go beyond standard CA signals.
OIDC Handshakes
Designing the exact claims and identifiers returned in the ID and Access tokens via IEF.
IEF Debugging
Using App Insights and JWT analyzers to trace the execution of complex XML user journeys.
Next Steps
- Explore Entra ID Custom Policy Overview.
- Review IEF Starter Pack on GitHub.
- Check Application Insights Tracing Guide for policy debugging.