Email claim is not being sent in ID token when Entra ID app is added to another tenant.

Matthew Carr 5 Reputation points
2024-01-25T18:36:06.9233333+00:00

I'm a developer migrating an application from IdentityServer4 to Entra ID. I successfully set up an app registration for the app's frontend and backend in my organization's Entra ID tenant (domain: relativityx.com). I'm able to sign in to the app using my relativityx.com credentials, and the email claim, which I configured to be sent in the id_token, is present.

I then updated the application to allow sign-ins from other tenants, following the Entra ID documentation. Using my admin account, I was able to successfully consent to the application in my personal Entra ID tenant (domain: mdcarr941live.onmicrosoft.com), and I found that service principals for the frontend and backend were successfully created in my tenant (i.e. visible under "Enterprise applications"). However, I found that the email claim was not being sent to the application in the id_token.

As a troubleshooting step, I used the MS Graph API to verify that the JSON representation of the service principals from the two tenants are identical, except for their object IDs and creation times.

Why might the email claim not be included in the id_token when signing in from the other tenant?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Matthew Carr 5 Reputation points
    2024-01-25T22:48:56.6533333+00:00

    The issue was caused by the fact that my user account in my personal Entra ID tenant did not have an email address configured. I hadn't run into this in my organization's tenant because it has an exchange online license, so an email address was added to my user on creation. It makes sense now, but it was definitely a sharp edge to get caught on. After all, every user account signs in with what is, syntactically, an email address, but there is actually a separate email field which needs to be populated.

    1 person found this answer helpful.
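As an added example (not code from the question or answers), the following Python shows how an application consuming Entra ID id_tokens can detect exactly this condition: the `email` claim is absent because the user's mail property is unset, while `preferred_username` still looks like an email address. The two tokens are constructed samples modelled on the two sign-ins above, with placeholder tenant ids and user names; the signature segment is a dummy, and real tokens must be signature-validated by your OIDC library before any claim is trusted.

```python
import base64
import json
from typing import Optional, Tuple


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWS id_token.

    This only parses the payload. Signature validation against the issuer's
    signing keys must already have happened (e.g. in your OIDC middleware).
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def resolve_email(claims: dict) -> Tuple[Optional[str], str]:
    """Return (email, reason). Entra ID omits the 'email' claim when the user's
    mail property is unset; preferred_username/upn are sign-in names, not email."""
    email = claims.get("email")
    if email:
        return email, "email claim present"
    tenant = claims.get("tid", "?")
    if "preferred_username" in claims:
        return None, (f"email claim absent: user has no mail property in tenant {tenant}; "
                      f"preferred_username {claims['preferred_username']!r} is not a verified email")
    return None, f"email claim absent in tenant {tenant}"


def _constructed_token(payload: dict) -> str:
    # Builds a constructed sample token with a dummy signature for offline demonstration.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT", "kid": "placeholder-kid"}),
                     enc(payload), "dummy-signature"])


# Constructed payloads (placeholder tenant ids and user names, not real values).
ORG_TOKEN = _constructed_token({"tid": "<org-tenant-id>",
                                "preferred_username": "user@relativityx.com",
                                "email": "user@relativityx.com"})
PERSONAL_TOKEN = _constructed_token({"tid": "<personal-tenant-id>",
                                     "preferred_username": "user@mdcarr941live.onmicrosoft.com"})

if __name__ == "__main__":
    for token in (ORG_TOKEN, PERSONAL_TOKEN):
        print(resolve_email(id_token_claims(token)))
```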

  2. Akshay-MSFT 17,956 Reputation points Microsoft Employee Moderator
    2024-01-29T07:10:55.0266667+00:00

    @Matthew Carr
    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue: Unable to get "email" claim when an app is added as multitenant in a different tenant.

    Solution: The user in the impacted Entra ID tenant did not have an email address property set, which resulted in its exclusion from the ID token, even though the ID token has "email" as a default claim. If you have any other questions or are still running into more issues, please let me know.
    Thank you again for your time and patience throughout this issue.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    Thanks,

    Akshay Kaushik
