Microsoft Entra ID · Developer & Technical
Authentication Extensibility Administrator
Creates and manages custom authentication extensions to customize sign-in and sign-up experiences for users.
Scope: Manage custom authentication extensions for authentication flows
Permissions
- Create custom authentication extensions
- Manage authentication extension settings
- Configure sign-in customizations
- Manage sign-up extensions
Common use cases
- Custom claim providers
- Token enrichment
- External attribute lookup
- Custom authentication workflows
Best practices
- Test extensions thoroughly
- Implement proper error handling
- Monitor extension performance
- Secure extension endpoints
Security considerations
- Extensions run in authentication flow
- Can affect all sign-ins
- Must be highly available
Common questions
When should I assign the Authentication Extensibility Administrator role?
Assign Authentication Extensibility Administrator when you need to: Custom claim providers; Token enrichment; External attribute lookup; and Custom authentication workflows. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Authentication Extensibility Administrator role do?
The Authentication Extensibility Administrator role grants permissions including: Create custom authentication extensions; Manage authentication extension settings; Configure sign-in customizations; and Manage sign-up extensions. See the Permissions section above for the full list.
What are the security risks of the Authentication Extensibility Administrator role?
Key considerations when assigning Authentication Extensibility Administrator: Extensions run in authentication flow; Can affect all sign-ins; and Must be highly available. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.