Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
Encrypting ID Token with Cryptographic Keys in the JwtIssuer Technical Profile of a Custom Policy
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 94%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EL6%3C/text%3E%3C/svg%3E)
Learner-6009
20
Reputation points
Hi,
We are using Azure AD B2C custom policies and would like to know if it is possible to encrypt the ID token.
The documentation seems to indicate that only the refresh token can be encrypted, with no explicit mention of encrypting the ID token.
If it's possible to encrypt Id token as well could you please direct me to the relevant documentation /sample for this?
Additionally, is it possible to exclude the refresh token from the JwtIssuer, as we do not require it?
Microsoft Security | Microsoft Entra | Microsoft Entra ID
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 89%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHE%3C/text%3E%3C/svg%3E)
Harshitha Eligeti 4,420 Reputation points Microsoft External Staff Moderator2024-12-23T22:42:18.0233333+00:00 Hi @ Learner-6009 •
Thank you for reaching out Microsoft Q&A.
I understand that you are using Azure AD B2C Custom Policies and would like to know if it is possible to encrypt the ID Token and exclude the refresh token from the JWT issuer.
Unfortunately, Azure AD B2C does not currently support direct encryption of the ID token. While Azure AD B2C uses JSON Web Tokens (JWTs) for the ID token, which can be both signed and encrypted, by default, Azure AD B2C only signs the ID token to ensure data integrity and authenticity but does not encrypt it. The ID token typically contains claims such as user identity information and other relevant data.
To implement encryption for the ID token, you would need to configure custom policies in Azure AD B2C. This allows you to modify and extend the default behavior of Azure AD B2C .
For additional information refer this links: Define an ID token hint technical profile in a custom policy - Azure AD B2C | Microsoft Learn
Overview of tokens - Azure Active Directory B2C | Microsoft LearnAzure AD B2C does not provide a direct configuration to exclude the refresh token from the Jwt Issuer. You can configure your custom policies accordingly to avoid issuing the refresh token if it's not required.
For additional information refer this link: azure ad b2c - Modify the JwtIssuer ClaimsProvider in the custom policy to remove the Refresh Token in AD B2C - Stack Overflow
Hope this helps. Do let us know if you have any further queries.
Regards,
Harshitha Eligeti. -
Harshitha Eligeti 4,420 Reputation points Microsoft External Staff Moderator
2024-12-24T21:00:59.09+00:00 Hi @ Learner-6009 •
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help. -
Harshitha Eligeti 4,420 Reputation points Microsoft External Staff Moderator
2024-12-30T03:45:10.6166667+00:00 Hi @ Learner-6009 •
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Sign in to comment
Sign in to answer