Azure AD token Issuer

Question

Azure AD token Issuer

Abhay Chandramouli 1,056

Hi

What is the difference between sts.windows.net login.microsoft.online issuers in token ?

Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2024-05-16T11:25:07.2433333+00:00

@Abhay Chandramouli Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept Answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

2 answers

Your answer

Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2024-05-16T11:25:07.2433333+00:00

@Abhay Chandramouli Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept Answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Answer 1

Shweta Mathur 30,296 Microsoft Employee Moderator

Hi @Abhay Chandramouli ,

Thanks for reaching out.

The sts.windows.net and login.microsoftonline.com are both Security Token Services (STS) that issue tokens for Azure Active Directory (Azure AD). The sts.windows.net is the original STS for Azure AD v1, while login.microsoftonline.com is a newer STS that was introduced to support newer authentication protocols like OpenID Connect. Both issuers can issue tokens for Azure AD, but the tokens issued by login.microsoftonline.com are generally newer and support more features.

Both the sample tokens have been provided here - https://learn.microsoft.com/en-us/entra/identity-platform/access-tokens#token-formats

You can decode those tokens using jwt.ms and then compare the slightly varying claims of the tokens.

Hope this will help.

Thanks,

Shweta

Please remember to "Accept Answer" if answer helped you.

Abhay Chandramouli 1,056 Reputation points

2024-05-11T18:20:45.73+00:00

Hi Shweta,

Can you let us know the recommended one ? sts or login.microsoft ? Is there an end of life for the sts one ?

Also what additional features are there in the new one ? How does it impact systems using the sts one ?
Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2024-05-13T08:32:57.9633333+00:00

Abhay Chandramouli

V1 authenticate Azure AD identities (work and school accounts) by requesting tokens from the Azure AD v1.0 endpoint, using Azure AD Authentication Library (ADAL), Azure portal, and Azure AD Graph API.

However, V2 authenticate a broader set of Microsoft identities (personal accounts as well) through what has been known as the Azure AD v2.0 endpoint, using Microsoft Authentication Library (MSAL), Azure portal, and Microsoft Graph API.

The recommended one is v2 endpoint.

V1 recommend ADAL client library which has not been supported now and all the applications has been asked to migrate to MSAL which supports V2 endpoint.

Reference - https://learn.microsoft.com/en-us/entra/identity-platform/msal-migration

Hope this will help.

Thanks,

Shweta
Mark Laing 0 Reputation points

2025-01-24T17:52:24.8533333+00:00

Hi @Shweta Mathur ,

I'm having trouble integrating Entra ID with my application. My application consists of a server and a client. The client uses a device flow to obtain an access token which it sends to the server for verification.

The server cannot verify the token because the token issuer is (iss claim in the token) https://sts.windows.net/<REDACTED>/, but the token was retrieved from thehttps://login.microsoftonline.com/<REDACTED>/v2.0 issuer.

I'm using an OpenID Connect certified library (https://github.com/zitadel/oidc) for this.

Answer 2

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Share via

Azure AD token Issuer

2 answers

Your answer