This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 36%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EOP%3C/text%3E%3C/svg%3E)
All of our Entra External ID tenants are currently broken.
You have introduced a change that breaks the "iss" field from access token (or the .well-known/openid-configuration is wrong...). We are validating this field in our backend, and the field value does not match the value you give in the .well-known/openid-configuration endpoint.
Examples:
.well-known/openid-configuration endpoint value for iss: "https://login.microsoftonline.com/{tenant_id}/v2.0"
iss in access token: 'https://{tenant_id}.ciamlogin.com/{tenant_id}/v2.0'
This issue started occurring today in over 10 different tenants we manage.
Any timetable for a fix? Our customers cannot use our application currently because authorization won't work properly due to the above issue.
Thank you for posting your query on Microsoft Q&A, from above description I could understand that you had "https://login.microsoftonline.com/{tenant_id}/v2.0 configured as well known open ID issuer however the actual access token is coming from https://{tenantname}.ciamlogin.com/{tenantid}/v2.0.ciam.
Please do correct me if this is the case by responding in the comments.
As per Token endpoints and issuers
Microsoft Entra ID workforce tenants authenticate at login.microsoftonline.com with tokens issued by sts.windows.net. Workforce tenant tokens are generally interchangeable across tenants and multi-tenant applications so long as underlying trust relationships permit this interoperability. Microsoft Entra ID customer tenants use tenanted endpoints of the form {tenantname}.ciamlogin.com. Applications registered to customer tenants must be aware of this separation to receive and validate tokens correctly. Every Microsoft Entra ID tenant publishes a standards-compliant well-known metadata. This document contains information about the issuer name, the authentication and authorization endpoints, supported scopes and claims. For customer tenants, the document is publicly available at: https://{tenantname}.ciamlogin.com/{tenantid}/v2.0/.well-known/openid-configuration. This endpoint returns an issuer value https://{tenantname}.ciamlogin.com/{tenantid}/v2.0.ciam.
So, the suggestion here would be to have your application configured for authority as:
"Authority": "https://Enter_the_Tenant_Subdomain_Here.ciamlogin.com/",
Thanks,
Akshay Kaushik
Please "Accept the answer (Yes)" and "share your feedback ". This will help us and others in the community as well.
I will try this out. Azure Portal Entra app registrations endpoint view returns the format "https://login.microsoftonline.com/{tenant_id}/v2.0". This is confusing since that endpoint has been working fine for several months.
We fetch the token (SPA app) with MSAL and use the https://Enter_the_Tenant_Subdomain_Here.ciamlogin.com/ endpoint. We did not change anything in our code when this issue occurred yesterday, so the iss claim value inside the token must have changed.
Your documentation is incorrect. The openid-configuration endpoint (https://{tenantname}.ciamlogin.com/{tenantid}/v2.0/.well-known/openid-configuration) returns the issuer in the following format (both values are tenantid's, there's no tenant name and the URL ending is different):
https://{tenant_id}.ciamlogin.com/{tenant_id}/v2.0
but your documentation states:
https://{tenantname}.ciamlogin.com/{tenantid}/v2.0.ciam.
Now I'm even more confused. I hope that you will not make any silent changes to this again since then our auth will be broken yet again since we are now transitioning to that https://{tenantname}.ciamlogin.com/{tenantid}/v2.0/.well-known/openid-configuration endpoint which returns the correct issuer that matches the token iss claim.
And in case someone is struggling with the same mess, this URL works as well for fetching the config: https://{tenant_id}.ciamlogin.com/{tenant_id}/v2.0/.well-known/openid-configuration"
And how do you expect I would be able to know this all if you updated your docs a week ago with the text snippet you posted? https://github.com/MicrosoftDocs/entra-docs/commit/f14a71241994cdc83e66dfef413c560889299a83
I understand your frustration and thank you for the feedback.
Microsoft Entra External ID is currently in preview. See the Universal License Terms for Online Services for legal terms that apply to Azure features and services that are in beta, preview, or otherwise not generally available. So, changes are intended to happen until this feature comes out of preview.
However there are no further plans to change the endpoint as of now. For any new major changes, you may follow Microsoft Entra External ID: What's new
Thanks,
Akshay Kaushik
Please "Accept the answer (Yes)" and "share your feedback ". This will help us and others in the community as well.
I understand that the External ID is in preview, but it would help to adopt it if you publish proper release notes and breaking changes given that you recommend the External ID for new products: https://learn.microsoft.com/en-us/entra/external-id/customers/overview-customers-ciam#about-azure-ad-b2c
Opt for the next generation Microsoft Entra External ID platform if:
You’re starting fresh building identities into apps or you're in the early stages of product discovery.
The benefits of rapid innovation, new features and capabilities are a priority.
Thanks for the inputs, I will try to pass on the feedback with my resources. However, there are no further plans to change the endpoint as of now. For any new major changes, you may follow Microsoft Entra External ID: What's new
Thanks,
Akshay Kaushik
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 54%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA0%3C/text%3E%3C/svg%3E)
I would like to discuss a recent change I've noticed involving the CIAM concept. It appears that the onboarded feature has shifted from 'https://login.microsoftonline.com/tenant-id/v2.0' to 'https://tenant-id.ciamlogin.com/tenant-id/v2.0', using 'https://constco.ciamlogin.com/constco.onmicrosoft.com/' as the authority, where 'constco' is my primary domain name. The 'iss' claim in the access token now always displays as 'https://tenant-id.ciamlogin.com/tenant-id/v2.0' with the mentioned authority. From my understanding, this change in the 'iss' claim is by design for CIAM tenants. This information, including samples for the CIAM tenant, is defined in the link below:
https://github.com/Azure-Samples/ms-identity-ciam-dotnet-tutorial/tree/main
It is important for those utilizing the CIAM tenant to adjust their 'iss' claim value as per the design's requirement.