Hi @Jens Popp • Thank you for reaching out.
As of now, Azure AD doesn't support multiple audiences in a single token. There is no tweak or workaround currently available for this purpose either.
Our product team is investigating using DPoP, a proof-of-possession scheme, to securely support multi-audience tokens that are sender-constrained. At this time, though, unbound multi-audience tokens are considered a security threat, which is why they are not supported. Multi-audience bearer tokens can be replayed from one audience to the other insecurely, allowing an attacker who compromises one service to expand their footprint unnecessarily.
So, to use Azure AD as the IDP for multiple backend applications, separate app registrations are required in Azure AD for each backend application, and each backend application must then be configured to use its own app registered in Azure AD.
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
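The replay risk described in the answer, as an added example that is not part of the original answer or of Azure AD's own code. It mints HS256 tokens with a hypothetical shared secret so it runs offline (Azure AD issues RS256 tokens signed with the tenant's keys), and the issuer, application ID URIs and subject are constructed values. The point it shows is the one the answer makes: a resource server that checks for its own audience cannot be reached with a token stolen from another service, whereas a multi-audience bearer token stolen at one service is accepted by every service it names.

```python
"""Audience checks on JWTs: why one audience per token confines a compromise.

Added example, not the original answer's or Azure AD's code. HS256 with a
hypothetical shared secret keeps it self-contained; the audience check a
resource server must perform is the same for RS256 tokens from Azure AD.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example, not real tenant or app identifiers.
SECRET = b"example-signing-secret-not-for-production"
ISSUER = "https://login.example.test/contoso-tenant/v2.0"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(aud, subject: str = "user@contoso.test", ttl: int = 600) -> str:
    """Mint an HS256 JWT; `aud` is one audience (str) or several (list)."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    claims = {"iss": ISSUER, "sub": subject, "aud": aud, "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class ResourceServer:
    """A backend with its own app registration, identified by its application ID URI."""

    def __init__(self, name: str, expected_aud: str):
        self.name = name
        self.expected_aud = expected_aud

    def accept(self, token: str) -> bool:
        """Verify signature, alg, issuer, expiry, and that the token names THIS server."""
        try:
            h, c, s = token.split(".")
            presented_sig = _b64url_decode(s)
        except ValueError:  # binascii.Error is a ValueError subclass
            return False
        expected_sig = hmac.new(SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, presented_sig):
            return False
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":
            return False
        claims = json.loads(_b64url_decode(c))
        if claims.get("iss") != ISSUER or claims.get("exp", 0) <= time.time():
            return False
        aud = claims.get("aud")
        audiences = aud if isinstance(aud, list) else [aud]
        # The audience check: reject any token not minted for this specific app.
        return self.expected_aud in audiences


def replay_reach(token: str, servers) -> list:
    """Names of the servers that accept `token`, i.e. an attacker's reach if it leaks."""
    return [srv.name for srv in servers if srv.accept(token)]


def demo() -> dict:
    # Two backends, each with its own app registration (its own application ID URI).
    servers = [ResourceServer("orders-api", "api://orders-api"),
               ResourceServer("billing-api", "api://billing-api")]
    # One audience per token: a token stolen from orders-api is useless at billing-api.
    single = mint_token("api://orders-api")
    # Multi-audience bearer token: stolen at either service, it opens both.
    multi = mint_token(["api://orders-api", "api://billing-api"])
    return {"single": replay_reach(single, servers), "multi": replay_reach(multi, servers)}


if __name__ == "__main__":
    print(demo())  # {'single': ['orders-api'], 'multi': ['orders-api', 'billing-api']}
```

`replay_reach` is what a red team actually measures after harvesting a token from one compromised service: with per-app registrations it is exactly one service; with an unbound multi-audience token it is every service in the `aud` claim, which is the footprint expansion the answer warns about.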