Microsoft Entra External ID – email claim not included in ID token from User Flow

Alexandre Giuseppe 61 Reputation points
2026-05-15T20:31:47.7566667+00:00

I am using Microsoft Entra External ID (customer tenant) and I am unable to get the email claim in the ID token returned by a User Flow.

Problem

The ID token does not contain the email claim.

This happens for both:

  • Local accounts (Email with password)
  • Google social accounts

In both cases, the user profile clearly contains a valid email address.

App Registration Configuration

I created a new app registration with the following settings:

Authentication

  • Redirect URI: https://jwt.ms
  • Enabled: ID tokens (used for implicit and hybrid flows)

Token Configuration

  • Added all available optional claims for ID tokens, including email

API Permissions

Microsoft Graph delegated permissions:

  • openid
  • profile
  • email
  • User.Read

User Flow Configuration

I created a sign-up/sign-in User Flow with these identity providers:

  • Email with password
  • Google

Authorization Request

I launch the User Flow with the following request:

https://<directory>.ciamlogin.com/<tenant-id>/oauth2/v2.0/authorize
?client_id=<client-id>
&nonce=<nonce>
&redirect_uri=https%3A%2F%2Fjwt.ms
&scope=openid%20profile%20email
&response_type=id_token
&prompt=login

Expected Result

The returned ID token should include:

"email": "user@example.com"

Actual Result

The ID token does not contain the email claim.

Question

What additional configuration is required to have the email claim included in the ID token returned by a User Flow in Microsoft Entra External ID?

Answer accepted by question author

    RoryB 620 Reputation points
    2026-05-16T03:26:59.55+00:00

    You seem to have done almost everything right.

    Checklist for anyone reading this:

    • User / edit properties / all - check email address exists
    • Scope in the request includes email
    • App registration attached to user flow - token configuration - optional claims - token type ID - add email
    • App registration - API permissions - Microsoft Graph - delegated - email, profile and User.Read, and grant admin consent
    • Enterprise application - single sign on - attributes and claims - add user.mail

    When I do all that, I see the email address in the JWT.

    Some of it may not be necessary, but this works.

    1 person found this answer helpful.
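The request in the question and the first two checklist items above (scope includes email, email present in the returned JWT) can be verified mechanically. The following is an added example, not code from the question author, the answerer or Microsoft: it builds the same authorize URL, checks the scope, and decodes the ID token payload the way jwt.ms displays it, reporting whether the expected email claim and the request nonce are present. Directory, tenant and client id values are placeholders, and the sample tokens are constructed and unsigned; the decode is for inspection only and performs no signature verification.

```python
import base64
import json
from urllib.parse import parse_qs, quote, urlencode, urlparse


def build_authorize_url(directory, tenant_id, client_id, nonce, redirect_uri="https://jwt.ms"):
    # Same parameters as the request in the question; spaces encoded as %20 like the original.
    params = {
        "client_id": client_id,
        "nonce": nonce,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "response_type": "id_token",
        "prompt": "login",
    }
    base = f"https://{directory}.ciamlogin.com/{tenant_id}/oauth2/v2.0/authorize"
    return base + "?" + urlencode(params, quote_via=quote)


def request_scopes(url):
    # Checklist item: the scope parameter of the request must actually include "email".
    query = parse_qs(urlparse(url).query)
    return set(query.get("scope", [""])[0].split())


def decode_claims(id_token):
    # Payload-only decode, which is what jwt.ms shows; no signature verification here.
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_id_token(claims, expected_nonce, required=("email",)):
    # Returns findings; an empty list means the token carries the claims the question expects
    # and answers the request that carried expected_nonce.
    findings = []
    if claims.get("nonce") != expected_nonce:
        findings.append("nonce mismatch: token does not answer this request")
    for name in required:
        if not claims.get(name):
            findings.append(f"missing claim: {name}")
    return findings


def make_sample_token(claims):
    # Constructed, unsigned sample token for offline testing only (empty signature segment).
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."
```

Paste the id_token fragment returned to jwt.ms into decode_claims and run check_id_token with the nonce you sent; "missing claim: email" points at the token configuration or claims mapping items of the checklist rather than at the request.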

1 additional answer

  Q&A Assist
    2026-05-15T20:32:08.95+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The email claim is required but isn’t automatically emitted; it must be explicitly configured on the identity provider side and mapped in the External ID federation settings.

    To have email included in the ID token from a Microsoft Entra External ID user flow, configure both of the following:

    1. Ensure the upstream IdP issues the email claim
      • For Microsoft Entra ID (when used as an external OIDC IdP), add email as an optional claim in Token configuration of the app registration in the IdP tenant.
      • The FAQ explicitly states that for External ID federation scenarios, the email claim must be present in the token from the external OIDC IdP:
        • “The email claim is required for External ID federation scenarios. Make sure the email claim is included in the application's Token configuration in the Microsoft Entra ID tenant used as the external identity provider.”
    2. Configure claims mapping in the External ID OIDC federation
      • In the External ID tenant, when configuring the custom OIDC identity provider, ensure the Claims mapping section is set so that:
        • Email (required) is mapped to the upstream provider’s email claim.
      • The documented federation settings list Email (required) as a mandatory mapping:
        • “To configure OpenID Connect federation with your identity provider in Microsoft Entra External ID, you need… Claims mapping… Email (required).”

    For Azure AD B2C (or similar) acting as the upstream IdP, if the external tenant expects email, ensure the custom policy outputs email as a claim, for example by adding:

    <OutputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="email"/>

    under <OutputClaims> in the policy. This guarantees the email address is issued as a claim to Microsoft Entra ID after authentication.

    Once the upstream IdP issues email and the External ID OIDC federation has Email (required) correctly mapped, the user flow ID token will include the email claim when requested with scope=openid profile email.
