Issues with Token Format in Azure's Entra ID Service

marekPan 0 Reputation points
2023-12-18T10:42:47.9533333+00:00

I've integrated Microsoft Azure's Entra ID service into a client application for user authentication. However, I'm encountering an issue with the token format:

Current Behavior: The service is issuing tokens in version 1 format. The JWT claim 'iss' shows the value https://sts.windows.net/TENANT_ID/ instead of the expected https://login.microsoftonline.com/TENANT_ID/v2.0. This discrepancy is causing an inconsistency with the issuer URL in the OpenID configuration endpoint (.well-known).

Attempted Solution: Based on my understanding, modifying the accessTokenAcceptedVersion field in the app manifest from null to 2 should resolve this. I've made this change and waited for two days, but there has been no change in the token format.

Question: How can I adjust the configuration to ensure that oauth2 v2 endpoints issue the token in the correct format? Are there additional steps or settings in Azure that I need to consider?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Navya 20,490 Reputation points Microsoft External Staff Moderator
    2023-12-19T13:16:28.18+00:00

    Hi @marekPan,

    Thank you for posting this in Microsoft Q&A.

    I understand that you are encountering an issue with the token format in Microsoft Azure's Entra ID service. You have attempted to modify the accessTokenAcceptedVersion field in the app manifest from null to 2, but the token format has not changed.

    Are you requesting a token for your own web API or Microsoft web-hosted resources such as Microsoft Graph?
    Unfortunately, we are unable to configure Microsoft Graph on the service side because the Microsoft Graph app registration is officially managed by Microsoft.

    To fix this issue you have to call your own API; follow the steps below:

    Expose delegated permissions:

    Go to your application -> Select Expose an API -> Select Add next to Application ID URI if you haven't yet configured one.

    Add scope then go to API permissions -> click Add a permission then select your scope which is created earlier and grant admin consent for that.

    While requesting the token, pass the scope parameter which you have created (e.g. api://applicationid/sample).

    For your reference: Expose delegated permissions:

    Protected web API: App registration

    If you are using the client credential flow to get a token, you need to expose application permissions.

    For your reference: Expose application permissions

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

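The issuer discrepancy in the question and the advice in the answer come down to one check a practitioner can run on the token they actually received: which version the token is (`ver` claim), whether its `iss` is the one that version is supposed to carry, and whether its `aud` is the caller's own API at all rather than a Microsoft-managed resource such as Microsoft Graph. The script below is an added example, not code from the thread or from Microsoft; the tenant id, client id, App ID URI and the three sample tokens are constructed placeholders, and the signature segment of each sample is a dummy, so `decode_claims` is for inspection and diagnosis only (a real validation verifies the RS256 signature against the JWKS published by the v2.0 `.well-known/openid-configuration` document before trusting any claim).

```python
import base64
import json

# Constructed sample identifiers (not real tenant or app values).
TENANT_ID = "00000000-0000-0000-0000-000000000001"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
APP_ID_URI = f"api://{CLIENT_ID}"
# Microsoft Graph's well-known resource URI, used here only as the example
# of a Microsoft-managed audience whose token version you cannot configure.
GRAPH_RESOURCE = "https://graph.microsoft.com"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict) -> str:
    # Builds a structurally valid JWT with a placeholder signature segment so
    # the diagnosis below has something realistic to parse. Entra ID tokens are
    # RS256-signed; this dummy signature would never pass real verification.
    header = {"typ": "JWT", "alg": "RS256", "kid": "sample-kid"}
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        b64url_encode(b"placeholder-signature"),
    ])


def decode_claims(token: str) -> dict:
    # Inspection only: the signature is NOT verified here, so the returned
    # claims must never drive an authorization decision.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    return json.loads(b64url_decode(parts[1]))


def expected_issuer(tenant_id: str, version: str) -> str:
    # v1.0 and v2.0 tokens carry different issuer formats; only the v2.0 form
    # matches the issuer advertised at
    # https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
    if version == "1.0":
        return f"https://sts.windows.net/{tenant_id}/"
    if version == "2.0":
        return f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    raise ValueError(f"unknown token version {version!r}")


def diagnose(token: str, tenant_id: str, accepted_audiences: set) -> dict:
    """Classify a received access token: version, issuer consistency, audience."""
    claims = decode_claims(token)
    version = claims.get("ver", "1.0")
    issuer_ok = claims.get("iss", "") == expected_issuer(tenant_id, version)
    audience_ok = claims.get("aud", "") in accepted_audiences
    if not issuer_ok:
        hint = "issuer does not match the token's claimed version; reject the token"
    elif version == "1.0":
        hint = ("v1.0 token: the audience decides the format. Request a token for "
                "your own API (its scope under api://<app-id>/...) with "
                "accessTokenAcceptedVersion=2; tokens for Microsoft-managed "
                "resources such as Microsoft Graph cannot be changed by you")
    else:
        hint = "v2.0 token: issuer is consistent with the v2.0 OpenID configuration"
    return {"version": version, "issuer_ok": issuer_ok,
            "audience_ok": audience_ok, "hint": hint}


# Constructed sample tokens covering the three cases a caller may see.
GRAPH_V1_TOKEN = make_sample_token({
    "ver": "1.0", "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "aud": GRAPH_RESOURCE, "scp": "User.Read"})
OWN_API_V2_TOKEN = make_sample_token({
    "ver": "2.0", "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "aud": CLIENT_ID, "scp": "sample"})
INCONSISTENT_TOKEN = make_sample_token({
    "ver": "2.0", "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "aud": CLIENT_ID})

if __name__ == "__main__":
    accepted = {CLIENT_ID, APP_ID_URI}  # v2 uses the client id, v1 the App ID URI
    for name, tok in [("graph", GRAPH_V1_TOKEN), ("own-api", OWN_API_V2_TOKEN),
                      ("inconsistent", INCONSISTENT_TOKEN)]:
        print(name, json.dumps(diagnose(tok, TENANT_ID, accepted), indent=2))
```

Run stand-alone, the script prints one diagnosis per sample token. The point of accepting both the client id and the App ID URI as audiences is that, for your own API, a v1.0 token addresses it by App ID URI while a v2.0 token addresses it by client id; an API that validates only one form will start rejecting tokens the moment accessTokenAcceptedVersion is changed.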
