AzureAD OpenID Connect JWT "platf" claim value

Mike Borkenstein 1 Reputation point
2020-04-22T17:46:18.47+00:00

I am setting up an application that will use AzureAD as an OpenID Connect IDP for authentication. I want to know if the authenticating device is an AzureAD "managed" or "compliant" device at the application level by checking the returned JWT access token. There is an optional "platf" JWT claim that can be configured on the AzureAD SSO application dashboard and is described as "Restricted to managed devices that can verify device type". I enabled the claim and observed it is a number in the access JWT token returned by AzureAD. I assume it maps to an enum; however, I can't find any documentation about what status each integer indicates. Has anyone used this claim or know what it represents? Or perhaps a different method of determining if the authenticating device is AzureAD managed?


2 answers

  1. Saurabh Sharma 23,751 Reputation points Microsoft Employee
    2020-04-23T00:59:02.88+00:00

    I am checking on this internally with the product team and will update you with my findings.


  2. Saurabh Sharma 23,751 Reputation points Microsoft Employee
    2020-08-27T19:18:47.153+00:00

    @Mike Borkenstein Sorry for the delay. We have received confirmation that this claim is for platform (internal) use only, and you should not take a dependency on it in your applications. We'll be removing it from the article; thanks for bringing this to our attention. Reference: GitHub issue
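An added illustration of the practical consequence of that answer (example code, not from the question, the answer, or Microsoft): the application decodes the access token's claims, makes its authorization decision only from claims on its own allowlist of documented claims, and merely logs anything else it finds, so an undocumented integer such as `platf` can never become a managed-device check by accident. The token below is constructed inline with a dummy signature; a real deployment must verify the JWS signature and issuer before trusting any claim, which this inspection-only snippet deliberately leaves out.

```python
import base64
import json

# Assumption: the claims this application has decided it may act on. Anything outside
# this allowlist (e.g. the undocumented "platf" integer) is informational only.
DOCUMENTED_CLAIMS = {"aud", "iss", "iat", "nbf", "exp", "sub", "tid", "oid", "scp", "roles", "ver"}


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(token: str) -> dict:
    """Return the payload of a compact JWS. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def inspect_token(token: str, required_scope: str):
    """Grant only from documented claims; report undocumented claims as warnings."""
    claims = decode_payload(token)
    usable = {k: v for k, v in claims.items() if k in DOCUMENTED_CLAIMS}
    unknown = {k: v for k, v in claims.items() if k not in DOCUMENTED_CLAIMS}
    # Azure AD puts delegated permissions in "scp" as a space-separated string.
    granted = required_scope in usable.get("scp", "").split()
    warnings = [f"claim '{k}'={v!r} has no published semantics; ignored for authorization"
                for k, v in unknown.items()]
    return granted, warnings


def make_unsigned_token(payload: dict) -> str:
    """Constructed sample token with a dummy signature, for offline demonstration only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.dummy-signature"


# Constructed payload: the "platf" value 3 is made up and carries no documented meaning.
SAMPLE_TOKEN = make_unsigned_token(
    {"aud": "api://example-app", "iss": "https://sts.windows.net/<tenant-id>/",
     "sub": "<subject>", "tid": "<tenant-id>", "scp": "user.read", "ver": "1.0", "platf": 3}
)

if __name__ == "__main__":
    ok, notes = inspect_token(SAMPLE_TOKEN, "user.read")
    print("granted:", ok)
    for note in notes:
        print("warning:", note)
```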