Getting the V1.0 token for access token (but getting v2.0 token for id token) - Azure AD - B2B

Mathew James 26 Reputation points
2021-03-22T13:29:23.527+00:00

Scenario:

  1. Created an App registration. Exposed permission for Graph API with scopes ["openid", "profile", "offline_access", "User.Read"].
  2. In the Authentication blade I have configured SPA (and not Web). I have changed accessTokenAcceptedVersion = 2 (instead of null).
  3. I have a React app utilizing Azure AD authentication using MSAL.js 2.0 against this Client ID and tenant ID. Passing the same scopes from the React app (in the MSAL.js authConfig): ["openid", "profile", "offline_access", "User.Read"].
  4. After a successful sign-in, in the access token I always get the token version as 1.0 and the issuer as sts.windows.net (it also says invalid signature when pasted into jwt.io). Also, we get the scopes as ["openid", "profile", "email", "User.Read"].
  5. It's not matching what we passed. No idea how "email" was added and "offline_access" was deleted.
  6. For the ID token, the issuer is https://login.microsoftonline.com/{my-tenant-id}/v2.0 and the token version is v2.0.
  7. We are calling https://login.microsoftonline.com/{my-tenant-id}/v2.0/.well-known/openid-configuration.

Please help me and let me know why I am not getting v2.0 tokens for access token.
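The first thing to check when an access token comes back in an unexpected format is which resource it was issued for. The `aud` claim names the resource, and it is that resource's app registration (its `accessTokenAcceptedVersion`), not the requesting client's, that selects v1.0 or v2.0; Microsoft Graph issues its own token format, so a token with `aud` equal to Graph's well-known application ID (`00000003-0000-0000-c000-000000000000`) is not governed by the caller's registration. The added example below (editor's code, not from the original post or from MSAL.js) decodes a token without verifying it and reports `ver`, `iss`, `aud`, `scp` and whether the JOSE header carries a `nonce` (Graph access tokens do, which is why jwt.io reports an invalid signature: their signature is only meant to be validated by Graph). The two tokens, the tenant ID and the client ID in the block are constructed for the example; their signatures are placeholders and are never checked.

```javascript
// Added example (not part of the original question): inspect an Azure AD /
// Entra ID access token to see which resource it was minted for and which
// token version that resource chose. Runs on Node.js; no network access.

// base64url helpers that do not depend on Node's "base64url" encoding name.
function base64UrlDecode(seg) {
  const pad = (4 - (seg.length % 4)) % 4;
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat(pad);
  return Buffer.from(b64, "base64").toString("utf8");
}

function base64UrlEncode(str) {
  return Buffer.from(str, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Well-known application ID of the Microsoft Graph resource.
const GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000";

// Split a compact JWS into header and payload. The signature is NOT verified:
// this is a diagnostic decoder, never use it to make an authorization decision.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS (expected 3 segments)");
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    payload: JSON.parse(base64UrlDecode(parts[1])),
  };
}

// Report the claims that explain an access token's version.
//   ver / iss   : v1.0 tokens carry iss https://sts.windows.net/{tenant}/,
//                 v2.0 tokens carry iss https://login.microsoftonline.com/{tenant}/v2.0
//   aud         : the resource the token was issued for; its registration's
//                 accessTokenAcceptedVersion selects the version, not the client's
//   scp         : scopes actually granted (offline_access is consumed by the
//                 token endpoint to issue a refresh token and is not a resource scope)
//   nonceInHeader: Graph access tokens put a nonce in the JOSE header; their
//                 signature is not meant to be validated by third parties (jwt.io)
function inspectAccessToken(token, myClientId) {
  const { header, payload } = decodeJwt(token);
  const aud = payload.aud;
  let resource;
  if (aud === GRAPH_APP_ID || aud === "https://graph.microsoft.com") {
    resource = "microsoft-graph";
  } else if (aud === myClientId || aud === `api://${myClientId}`) {
    resource = "my-api";
  } else {
    resource = "other";
  }
  return {
    ver: payload.ver,
    iss: payload.iss,
    aud,
    resource,
    versionDecidedBy: resource === "my-api"
      ? "my own app registration (accessTokenAcceptedVersion)"
      : `the resource registration for '${aud}'`,
    scopes: (payload.scp || "").split(" ").filter(Boolean),
    nonceInHeader: typeof header.nonce === "string",
  };
}

// --- Constructed sample data (hypothetical IDs, placeholder signatures) ---
const TENANT = "11111111-2222-3333-4444-555555555555";      // constructed tenant ID
const MY_CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"; // constructed client ID

function makeUnsignedJwt(header, payload) {
  return `${base64UrlEncode(JSON.stringify(header))}.${base64UrlEncode(JSON.stringify(payload))}.placeholder-signature`;
}

// Shape of the token the question describes: issued for Graph, v1.0, nonce in header.
const graphV1Token = makeUnsignedJwt(
  { typ: "JWT", alg: "RS256", kid: "constructed-kid", nonce: "constructed-nonce" },
  { aud: GRAPH_APP_ID, iss: `https://sts.windows.net/${TENANT}/`, ver: "1.0",
    tid: TENANT, scp: "openid profile email User.Read" }
);

// Shape of a token issued for the app's own exposed API scope, where
// accessTokenAcceptedVersion = 2 applies and a v2.0 token is produced.
const myApiV2Token = makeUnsignedJwt(
  { typ: "JWT", alg: "RS256", kid: "constructed-kid" },
  { aud: MY_CLIENT_ID, iss: `https://login.microsoftonline.com/${TENANT}/v2.0`, ver: "2.0",
    tid: TENANT, scp: "access_as_user" }
);

console.log(inspectAccessToken(graphV1Token, MY_CLIENT_ID));
console.log(inspectAccessToken(myApiV2Token, MY_CLIENT_ID));

module.exports = { inspectAccessToken, decodeJwt, graphV1Token, myApiV2Token, MY_CLIENT_ID, GRAPH_APP_ID };
```

To run it against a real token, pass the `accessToken` string MSAL returns from `acquireTokenSilent` together with your own client ID; the `resource` and `versionDecidedBy` fields tell you whose registration to look at.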

Microsoft Entra External ID
Microsoft Entra ID