How to get Keycloak identity broker to display role claims in ID token from Entra ID / Azure identity Provider


I’m using Keycloak as an identity provider for an OIDC app configured on Entra ID, the Identity Provider.

I’m trying to retrieve a claim (“roles”) from the ID token returned from Entra ID to Keycloak.

Here is what the roles claim looks like on the ID token returned from Entra:

“roles”: [

I was thinking the “Claim to Role” mapper, mapped to a role named guest_role that I created on Keycloak, might work. I set the Claim key to “roles” and the value to “my_guest_role”.

However, the role doesn’t show up on the ID token returned from Keycloak. I also had no luck with the “Advanced Claim to Role”.

I also tried the “Attribute Importer”. For that, I mapped a country claim of “US” to a User Attribute value of “country”. That was another claim present on the Entra ID token. Again, there was no change on the Keycloak token.

I got one thing to change on the Keycloak ID token. This was done by mapping a claim of “ipadr” from the Entra ID token to an attribute of “ipadr” within Keycloak. That caused a “preferred_username” attribute with my IP address to appear in the Keycloak token.

I think these values are being found, because the Keycloak console log isn’t displaying an “unable to find role” or “unable to find group” as it is for some of my earlier tests. So it’s just a question of figuring out how to let Keycloak add the found role to the token.

To try to do that, I created a scope to allow all claims to be included in the ID Token under scopes for the broker provider:

Name: claimsParameterMapper
Category: Token mapper
Type: Claims parameter with value ID Token

But still no luck.

I’m a bit at a loss at this point. Could someone provide some insight on how to do this?