Microsoft Entra ID · Developer & Technical

Authentication Extensibility Administrator

Creates and manages custom authentication extensions to customize sign-in and sign-up experiences for users.

Scope: Manage custom authentication extensions for authentication flows

Permissions

  • Create custom authentication extensions
  • Manage authentication extension settings
  • Configure sign-in customizations
  • Manage sign-up extensions

Common use cases

  • Custom claim providers
  • Token enrichment
  • External attribute lookup
  • Custom authentication workflows

Best practices

  • Test extensions thoroughly
  • Implement proper error handling
  • Monitor extension performance
  • Secure extension endpoints

Security considerations

  • Extensions run in authentication flow
  • Can affect all sign-ins
  • Must be highly available

Common questions

When should I assign the Authentication Extensibility Administrator role?

Assign Authentication Extensibility Administrator when you need to: Custom claim providers; Token enrichment; External attribute lookup; and Custom authentication workflows. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Authentication Extensibility Administrator role do?

The Authentication Extensibility Administrator role grants permissions including: Create custom authentication extensions; Manage authentication extension settings; Configure sign-in customizations; and Manage sign-up extensions. See the Permissions section above for the full list.

What are the security risks of the Authentication Extensibility Administrator role?

Key considerations when assigning Authentication Extensibility Administrator: Extensions run in authentication flow; Can affect all sign-ins; and Must be highly available. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →