UPN field not present in claims during authentication with a single tenant app registration

Zak Thompson 1 Reputation point

I am currently working on a C# webapp that is uses single tenant authentication via OpenIdConnect to authenticate our webapp against Azure AD. The issue that I am encountering is that after authentication, the UPN field is not populated in the HttpContext User object.

The only claims fields that are provided to the hhtp context are the authmethodreferences, emailaddress, identityprovider, objectidentifier, nameidentifier, tenantid and name.

My next thought was to use the optional claims feature, documented here:

However, after following those instructions and trying id, access, and SAML to get the UPN field in, none of them ended up working.

Does anyone know what steps I will need to take in order to get the upn field to appear in a single tenant authentication request?

Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,209 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,187 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Frank Hu MSFT 81 Reputation points

    Hey, are you setting these optional claims up in the resource application object?

    Note that the resource is what defines what items will be returned not the application registration that has the client id that you're using to request and access token from. This is a common error that most people make as they make the modifications in the application registration object, not the resource object.

    You can will need to use either custom claims mapping, or optional claims.

  2. Schmidt, Roger 1 Reputation point


    Like Role & Zak I am also missing a full documentation, how to add additional claims (especially UPN) for integrated applications. I understand that you need to give permissions etc. for Graph API, but where to do this exactly?

    It would be great, if there is a step-by-step tutorial for this use case as I guess this is not a special case but quite common!


    0 comments No comments