Hi @Geethanjali • Thank you for reaching out. Please find my response inline.
- If a personal account (MSA) is used in AAD tenant, then usually we will be getting idp claim value as 'live.com'. For this scenario, if the idp claim is not available in the V2 access token, from where can I get this value?
The `idp` claim will always be present in the token issued to an External/Guest user authenticated via an Azure AD tenant regardless of whether the token version is 1 or 2. The `idp` claim contains the information about the home tenant of the guest user. E.g., if an MSA user is added as a guest user in tenant1, the token issued to the user by tenant1 will contain both `iss` and `idp` claims, where `iss` will be the tenant1 and `idp` will be `live.com`. If the user is a member of tenant1, the token won't include the `idp` claim. Below is a snippet of a v2 token with the `idp` claim for your reference.
- Per the current functionality, when we get the idp claim value ('live.com'), we also get the value of the 'altsecid' claim. So, my question is whether the 'altsecid' claim will be present in the token even when the idp claim value is not present. If not, where can I get this value as well?
The `altsecid` attribute is also associated with External/Guest identities, but it is not bound with the `idp` claim. That means you can get the `idp` claim without the `altsecid` claim as well. As per my testing, `altsecid` is issued only for the 1st party APIs. I didn't receive this claim in the token (both v1 and v2) for the custom app exposed as an API. As this is a restricted claim, you cannot use a claim mapping policy to add it as an optional claim.
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
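As an added illustration of the claim behaviour described in the answer above (this is example code, not from the answerer or from Microsoft), the snippet below decodes the payload of a compact JWT and classifies the principal from the `iss`/`tid`, `idp` and `altsecid` claims: no `idp` claim means a member of the issuing tenant, `idp` equal to `live.com` means an MSA guest, and any other `idp` value means a guest from another Azure AD tenant. The tenant ids, object id and username are constructed placeholders, and the unsigned token builder exists only to produce an offline test fixture; a real API must validate the signature and issuer before trusting any of these claims.

```python
import base64
import json

# Constructed sample claims for an MSA user added as a guest in "tenant1".
# All ids and names are placeholders, not values from a real token.
SAMPLE_GUEST_CLAIMS = {
    "aud": "api://contoso-custom-api",
    "iss": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
    "tid": "11111111-1111-1111-1111-111111111111",
    "idp": "live.com",
    "oid": "22222222-2222-2222-2222-222222222222",
    "preferred_username": "guest_outlook.com#EXT#@tenant1.onmicrosoft.com",
    "ver": "2.0",
}

# Constructed sample claims for a member of the same tenant (no idp claim).
SAMPLE_MEMBER_CLAIMS = {
    "aud": "api://contoso-custom-api",
    "iss": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
    "tid": "11111111-1111-1111-1111-111111111111",
    "oid": "33333333-3333-3333-3333-333333333333",
    "preferred_username": "alice@tenant1.onmicrosoft.com",
    "ver": "2.0",
}


def b64url_encode(raw: bytes) -> str:
    """base64url without padding, as used by JWT segments."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding JWT segments strip, then decode."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def make_unsigned_token(claims: dict) -> str:
    """Build an alg=none JWT as a local test fixture only (never accept such a token)."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        "",
    ])


def jwt_payload(token: str) -> dict:
    """Return the payload of a compact JWT without verifying it.

    Inspection only: the signature and issuer must be validated by the
    resource API before any claim read here is relied upon.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def describe_identity(claims: dict) -> dict:
    """Classify the principal from the idp / tid / altsecid claims.

    - no idp claim      -> member of the issuing tenant
    - idp == "live.com" -> MSA (personal account) guest
    - any other idp     -> guest from another Azure AD tenant (home tenant in idp)
    altsecid is reported when present; as the answer notes it may be absent.
    """
    idp = claims.get("idp")
    tid = claims.get("tid")
    if idp is None:
        kind, home = "member", tid
    elif idp == "live.com":
        kind, home = "guest-msa", "live.com"
    else:
        kind, home = "guest-aad", idp
    return {
        "kind": kind,
        "issuing_tenant": tid,
        "home_idp": home,
        "altsecid": claims.get("altsecid"),
    }


if __name__ == "__main__":
    for claims in (SAMPLE_GUEST_CLAIMS, SAMPLE_MEMBER_CLAIMS):
        token = make_unsigned_token(claims)
        print(json.dumps(describe_identity(jwt_payload(token)), indent=2))
```

Because `altsecid` is reported as `None` when missing, code that keys guest records on it should fall back to the `oid`/`tid` pair rather than assume the claim is always issued.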