Make sure that you have added the profile scope, as "upn" requires the profile scope. You can add the profile scope under API Permissions (Type = delegated). https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims#v20-specific-optional-claims-set
The type name is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
I assume you are using regular Azure AD, but if by some chance you are using B2C, the unique name is stored in the signInNames attribute and upn is not used.