Hi @Tony Mee
I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.
Issue:
How can I include an email claim in an Open ID token for the managed account in Entra ID?
Solution:
Resolved by @Tony Mee
Cause for this issue:
According to the document https://learn.microsoft.com/en-us/entra/identity-platform/migrate-off-email-claim-authorization?source=recommendations, mutable claims such as email in tokens can be insecure if they are mistakenly used as a unique identifier for an account. To avoid unexpected security incidents, Microsoft has changed the default to not include such claims in tokens as of June 2023. With this change, email claims are no longer included in ID tokens unless they are verified by the domain owner.
An email is considered domain owner verified if:
- The domain belongs to the tenant where the user account resides and the tenant administrator has verified the domain
- The email is from a Microsoft account (MSA)
- The email is from a Google account
- The email was used to authenticate using the one-time passcode (OTP) flow
As previously reported, the email address of an Outlook.com personal account was included in the ID token. I believe this is because the Outlook.com address is from a Microsoft account.
The document also states that the above change in default behavior only applies to multi-tenant applications, which proves that I did not encounter the issue of a missing email claim in a single-tenant application.
The solution is detailed in the following documentation:
https://learn.microsoft.com/en-us/graph/applications-authenticationbehaviors
You can change the default behavior so that the email claim is included in the ID token even if it is not considered domain owner verified by updating the authenticationBehaviors property of your application and setting removeUnverifiedEmailClaim to false.
This completely solved my problem. Now I can include the email of my managed account in the ID token. Of course, this solution is not desirable from a security perspective, so anyone should be very careful when implementing it.
If I missed anything please let me know and I'd be happy to add it to my answer, or feel free to comment below with any additional information. Thank you again for your time and patience throughout this issue.
Thanks,
Navya.
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
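An added example (not part of the answer above) that shows the two things a practitioner usually wants alongside this change: keying accounts on the immutable tid/oid pair rather than the mutable email claim, and auditing which app registrations have opted out of removeUnverifiedEmailClaim. The application objects and the ID tokens are constructed samples; the Graph PATCH body follows the authenticationBehaviors shape on the application resource, and the token helper builds unsigned tokens purely for offline demonstration (real tokens must be signature-validated by your OIDC library first).

```python
import base64
import json

# Constructed sample shaped like GET /v1.0/applications?$select=id,displayName,authenticationBehaviors
# (authenticationBehaviors is null when an app still has the tenant default).
SAMPLE_APPS = [
    {"id": "app-1", "displayName": "Portal (default)", "authenticationBehaviors": None},
    {"id": "app-2", "displayName": "Legacy SSO",
     "authenticationBehaviors": {"removeUnverifiedEmailClaim": False}},
    {"id": "app-3", "displayName": "Hardened",
     "authenticationBehaviors": {"removeUnverifiedEmailClaim": True}},
]


def apps_emitting_unverified_email(apps):
    """Return display names of apps that explicitly opted in to unverified email claims."""
    flagged = []
    for app in apps:
        behaviors = app.get("authenticationBehaviors") or {}
        if behaviors.get("removeUnverifiedEmailClaim") is False:
            flagged.append(app["displayName"])
    return flagged


def build_patch_body(allow_unverified_email):
    """Body for PATCH /v1.0/applications/{id} that sets removeUnverifiedEmailClaim."""
    return {"authenticationBehaviors": {"removeUnverifiedEmailClaim": not allow_unverified_email}}


def make_unsigned_token(claims):
    """Constructed, unsigned JWT (alg none) so the example runs offline. Demo only."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


def decode_id_token_claims(id_token):
    """Read the payload of a JWT. Assumes signature/issuer/audience were already validated."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def account_key(claims):
    """Stable identity for an account: tenant id + object id. Never key on 'email',
    which is mutable and, since the June 2023 default change, may simply be absent."""
    return (claims["tid"], claims["oid"])
```

account_key returns the same value for a token with and without an email claim, which is the property an application needs so that flipping removeUnverifiedEmailClaim never changes who a user is.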