Alternative claim value for idp from AAD V2 access token

Geethanjali 41 Reputation points Microsoft Vendor
2022-05-03T16:59:25.33+00:00

Have a question on the 1P token migration from V1 to V2 endpoint. Have created a test application with V2 version which has AAD and MSA users as audience and was able to generate token successfully. But I see that the idp (http://schemas.microsoft.com/identity/claims/identityprovider) claim is not available in the generated access token.
From the documentation Microsoft Identity Platform, I came to know that we can use the iss value instead of idp claim. But have below questions on the same.

  1. If a personal account (MSA) is used in AAD tenant, then usually we will be getting idp claim value as 'live.com'. For this scenario, if the idp claim is not available in the V2 access token, from where can I get this value?
  2. Per the current functionality, when we get the idp claim value ('live.com'), we also get the value of 'altsecid' claim. So, my question is Whether the 'altsecid' claim will be present in the token even when idp claim value is not present. If not, where can I get this value as well?
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,470 questions
0 comments No comments
{count} votes

Accepted answer
  1. AmanpreetSingh-MSFT 56,486 Reputation points
    2022-05-05T11:44:25.083+00:00

    Hi @Geethanjali • Thank you for reaching out. Please find my response inline.

    • If a personal account (MSA) is used in AAD tenant, then usually we will be getting idp claim value as 'live.com'. For this scenario, if the idp claim is not available in the V2 access token, from where can I get this value?

    The idp claim will always be present in the token issued to an External/Guest user authenticated via an Azure AD tenant regardless of whether the token version is 1 or 2. The idp claim contains the information about the home tenant of the guest user. E.g., if an MSA user is added as a guest user in tenant1, the token issued to the user by tenant1 will contain both iss and idp claims, where iss will be the tenant1 and idp will be live.com. If the user is a member of tenant1, the token won't include the idp claim. Below is a snippet of v2 token with idp claim for your reference.
    199149-image.png

    • Per the current functionality, when we get the idp claim value ('live.com'), we also get the value of 'altsecid' claim. So, my question is Whether the 'altsecid' claim will be present in the token even when idp claim value is not present. If not, where can I get this value as well?

    The altsecid attribute is also associated with External/Guest identities but it is not bound with the idp claim. That means you can get idp claim without altsecid claim as well. As per my testing, altsecid is issued only for the 1st party APIs. I didn't receive this claim in the token (both v1 and v2) for the custom app exposed as API. As this is a resticted claim, you cannot use claim mapping policy to add it as optional claim.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful