How do I configure App registration (for OIDC) to return "upn" and "roles" in the id-token and access-token?

Question

How do I configure App registration (for OIDC) to return "upn" and "roles" in the id-token and access-token?

Zambre, Akash 40

I have a app registration created for OIDC. Have configured Optional claims under "Token configuration" to include "upn" in ID and Access tokens.
Yet I don't see this "upn" claim in id-token. I see it in access-token but not in id-token.

Also, is there a way to get AzureAD roles in these tokens as roles claim?

Update

Hi folks,

Follow-up on this, I added "profile" scope, updated "Token Configuration" to include "preferred_username" in both ID and Access tokens. Also, added group claim to include group info in the tokens as "role" claim. With this, I get "preferred_username" and "role" claims in ID token. However, Access token doesn't have these claims, am I missing something here?

FYI - We are using this access token for OAuth 2.0 REST api calls later on with same configuration.

Kancharla Saiteja 5,890 Reputation points Microsoft External Staff Moderator

2025-05-07T14:19:55.3766667+00:00

Hi @Zambre, Akash,

Based on your query, here is my understanding: you would like to add optional claims to check the UPN in id token and would like to know how to get role claims.

As per your description, you are not receiving UPN in ID token. UPN has different names based on the endpoint version you are using to retrieve the token. ID token can be retrieved using v1 or v2 version tokens. unique_name: Only present in v1.0 tokens. Provides a human readable value that identifies the subject of the token. This value isn't guaranteed to be unique within a tenant and should be used only for display purposes

preferred_username: The primary username that represents the user. It could be an email address, phone number, or a generic username without a specified format. Its value is mutable and might change over time. Since it's mutable, this value can't be used to make authorization decisions. It can be used for username hints and in human-readable UI as a username. The profile scope is required to receive this claim. Present only in v2.0.

Please take a look at the following document for more information: ID token claims reference

If you would like to retrieve app roles to your application, please follow this document: Add app roles to your application and receive them in the token.

I hope this information is helpful. Please feel free to reach out if you have any further questions.
Zambre, Akash 40 Reputation points

2025-05-07T17:15:08.5766667+00:00

I am using v2.0.
So I added a Optional Claim under "Token Configuration" to include "preferred_username" in both ID and Access token.
Still don't see any "preferred_username" claim in ID token here.
Btw, I see "upn", "unique_name" and other fields in Access token, but not in ID token. How can I add any of these claims to ID token?
We need anyone of these claims in ID token to set a username for the request.
I am only seeing these values in ID token -
aud, iss, iat, nbf, exp, nonce, rh, sub, tid, uti, ver
Kancharla Saiteja 5,890 Reputation points Microsoft External Staff Moderator

2025-05-07T17:23:02.27+00:00

Hi @Zambre, Akash,

Could you please confirm you are using "Scope=Profile" to retrieve this information. If not please provide the scope as profile and check the scenario.
Zambre, Akash 40 Reputation points

2025-05-09T09:59:35.7166667+00:00

Hi folks,

Follow-up on this, I added "profile" scope, updated "Token Configuration" to include "preferred_username" in both ID and Access tokens. Also, added group claim to include group info in the tokens as "role" claim. With this, I get "preferred_username" and "role" claims in ID token. However, Access token doesn't have these claims, am I missing something here?

FYI - We are using this access token for OAuth 2.0 REST api calls later on with same configuration.

Accepted answer

0 additional answers

Your answer

Kancharla Saiteja 5,890 Reputation points Microsoft External Staff Moderator

2025-05-07T14:19:55.3766667+00:00

Hi @Zambre, Akash,

Based on your query, here is my understanding: you would like to add optional claims to check the UPN in id token and would like to know how to get role claims.

As per your description, you are not receiving UPN in ID token. UPN has different names based on the endpoint version you are using to retrieve the token. ID token can be retrieved using v1 or v2 version tokens. unique_name: Only present in v1.0 tokens. Provides a human readable value that identifies the subject of the token. This value isn't guaranteed to be unique within a tenant and should be used only for display purposes

preferred_username: The primary username that represents the user. It could be an email address, phone number, or a generic username without a specified format. Its value is mutable and might change over time. Since it's mutable, this value can't be used to make authorization decisions. It can be used for username hints and in human-readable UI as a username. The profile scope is required to receive this claim. Present only in v2.0.

Please take a look at the following document for more information: ID token claims reference

If you would like to retrieve app roles to your application, please follow this document: Add app roles to your application and receive them in the token.

I hope this information is helpful. Please feel free to reach out if you have any further questions.
Zambre, Akash 40 Reputation points

2025-05-07T17:15:08.5766667+00:00

I am using v2.0.
So I added a Optional Claim under "Token Configuration" to include "preferred_username" in both ID and Access token.
Still don't see any "preferred_username" claim in ID token here.
Btw, I see "upn", "unique_name" and other fields in Access token, but not in ID token. How can I add any of these claims to ID token?
We need anyone of these claims in ID token to set a username for the request.
I am only seeing these values in ID token -
aud, iss, iat, nbf, exp, nonce, rh, sub, tid, uti, ver
Kancharla Saiteja 5,890 Reputation points Microsoft External Staff Moderator

2025-05-07T17:23:02.27+00:00

Hi @Zambre, Akash,

Could you please confirm you are using "Scope=Profile" to retrieve this information. If not please provide the scope as profile and check the scenario.
Zambre, Akash 40 Reputation points

2025-05-09T09:59:35.7166667+00:00

Hi folks,

Follow-up on this, I added "profile" scope, updated "Token Configuration" to include "preferred_username" in both ID and Access tokens. Also, added group claim to include group info in the tokens as "role" claim. With this, I get "preferred_username" and "role" claims in ID token. However, Access token doesn't have these claims, am I missing something here?

FYI - We are using this access token for OAuth 2.0 REST api calls later on with same configuration.

Answer 1

Kancharla Saiteja 5,890 Microsoft External Staff Moderator

Hi @Zambre, Akash,

Based on your query, here is my understanding: you would like to add optional claims to check the UPN in id token and would like to know how to get role claims.

As per your description, you are not receiving UPN in ID token. UPN has different names based on the endpoint version you are using to retrieve the token. ID token can be retrieved using v1 or v2 version tokens. unique_name: Only present in v1.0 tokens. Provides a human readable value that identifies the subject of the token. This value isn't guaranteed to be unique within a tenant and should be used only for display purposes

preferred_username: The primary username that represents the user. It could be an email address, phone number, or a generic username without a specified format. Its value is mutable and might change over time. Since it's mutable, this value can't be used to make authorization decisions. It can be used for username hints and in human-readable UI as a username. The profile scope is required to receive this claim. Present only in v2.0.

Please take a look at the following document for more information: ID token claims reference

If you would like to retrieve app roles to your application, please follow this document: Add app roles to your application and receive them in the token.These app roles we are talking here are assigned at app registrations but not the roles the user is assigned. While assigning a user to the application, it will provide you the options of roles created by you in App roles of the application only. In order to retrieve Microsoft Entra directory roles, you can configure the roles using the following document: Configure group claims and app roles in tokens.

I hope this information is helpful. Please feel free to reach out if you have any further questions.

If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment"

Zambre, Akash 40 Reputation points

2025-05-07T18:38:41.03+00:00

Thanks Saiteja, "profile" scope was missing. This solved getting the upn in the ID token claims issue.
Working on getting roles claim.
For app roles, will this app role present in every ID and Access token for this app registration?
We are looking for roles that would be per user or group membership.
For example, for same app registration, user1 will get say "Administrator" role and user2 will get "Support" role.
Zambre, Akash 40 Reputation points

2025-05-09T07:02:32.2766667+00:00

Hi folks,

Follow-up on this, I added "profile" scope, updated "Token Configuration" to include "preferred_username" in both ID and Access tokens. Also, added group claim to include group info in the tokens as "role" claim. With this, I get "preferred_username" and "role" claims in ID token. However, Access token doesn't have these claims, am I missing something here?

FYI - We are using this access token for OAuth 2.0 REST api calls later on with same configuration.
Kancharla Saiteja 5,890 Reputation points Microsoft External Staff Moderator

2025-05-09T12:55:25.1366667+00:00

Hi @Zambre, Akash,

When you are using REST API calls, I believe you are using Client Credential flow. In such case, application itself will perform the authentication which does not involve user here. In such scenario, you will not be receiving these claims when it is application context. If you are using any other protocol, kindly share me the protocol information and documents you are following to retrieve the token.
Zambre, Akash 40 Reputation points

2025-05-09T13:39:22.97+00:00

During OIDC login, we get ID, Access and refresh tokens. ID token is used for OIDC login and authorization.
We want to use this Access token as well, mainly for OAuth 2.0 REST api calls in similar fashion for authorization. So whatever claims we get in ID token, we want the same claims in this Access token as well.
Kancharla Saiteja 5,890 Reputation points Microsoft External Staff Moderator

2025-05-09T16:53:04.7633333+00:00

Hi @Zambre, Akash,

Thanks for the response,

OIDC mainly concentrates on the user details which provides you all the details of the user. While Oauth access token works on authorization with auth code to generate an access token based on the permissions available. Could you please configure Optional claims using the following document in order to get the required claims: v1.0 and v2.0 optional claims set. Make sure you select UPN as optional claim.

Please make sure to use authorization code flow, Resource Owner Password Credentials, implicit grant flow.

I hope this information is helpful. Please feel free to reach out if you have any further questions.
Zambre, Akash 40 Reputation points

2025-05-13T06:05:29.0666667+00:00

Hi, Saiteja, I started different thread for this question, to keep this clean.
Here - https://learn.microsoft.com/en-us/answers/questions/2265378/difference-in-id-token-and-access-token-for-oidc

Share via

How do I configure App registration (for OIDC) to return "upn" and "roles" in the id-token and access-token?

0 additional answers

Your answer