Saving empty secret token causes the bearer token to change

Question

According to documentation here (https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups):

Microsoft Entra bearer token. If Secret Token field is left blank, Microsoft Entra ID includes an OAuth bearer token issued from Microsoft Entra ID with each request. Apps that use Microsoft Entra ID as an identity provider can validate this Microsoft Entra ID-issued token.

So, if we press the test connection button with these settings (an empty secret token) a full and correct bearer token is sent to our devtunnel:

eyJ0exxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

However, once we hit save the secret token gets a single dot in it. Once we then retry our test connection, the bearer token has changed to contain almost no properties:

eyxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Why does the bearer token change? We want the Provisioning to maintain the correct bearer tokens.

PS: After saving, trying provisioning on demand also sends the incorrect bearer token.

Answer 1

Hi @Lucas Weideveld ,

Thanks for reaching out.

As mentioned in the documentation, if Secret Token field is left blank, the bearer token is issued by Micrsoft Entra which is long lived.

While saving, its size has been reduced to make it compact for storing and transmitting the bearer token and handle by Microsoft Entra.

Could you please confirm if you are getting errors while using the Microsoft Entra issued token?

Thanks,

Shweta