How to retrieve application display name from an OAuth access token?

AzureSDE 116 Reputation points
2021-06-25T04:50:15.657+00:00

We have internal client applications that access our ASP.NET Core web API using the OAuth client credentials flow. We want to be able to log the name of the client application that submits the request. However, the application name (the display name on the Azure application registration) is not included in the access token. I am guessing we could use the value of the claim 'azp', which appears to be the object ID of the client application. However, I am not sure if this is the right approach, since I could not find an MSAL class/method that would let me access the application name.

What's the best way to get the name of the client application when the access token only contains the object/client id?
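One way to do what the question asks, as an added example that is not code from this thread: take the client ID from the already validated token (the `azp` claim in v2.0 tokens, `appid` in v1.0 tokens), look up the matching service principal's display name in Microsoft Graph, cache it, and log that. The class name, the "graph" HttpClient registration and the Application.Read.All app-only permission it relies on are assumptions.

```csharp
// Added example, not code from this thread. Assumes a .NET 6+ ASP.NET Core project with
// implicit usings, JwtBearer validation already applied to the request, an HttpClient
// named "graph" that attaches an app-only Graph token with Application.Read.All, and
// IMemoryCache registered in DI.
using System.Net.Http.Json;
using System.Security.Claims;
using System.Text.Json.Serialization;
using Microsoft.Extensions.Caching.Memory;

public sealed class ClientAppNameResolver
{
    private readonly IHttpClientFactory _http;
    private readonly IMemoryCache _cache;

    public ClientAppNameResolver(IHttpClientFactory http, IMemoryCache cache) =>
        (_http, _cache) = (http, cache);

    // v2.0 access tokens carry the caller's application (client) ID in "azp"; v1.0
    // tokens use "appid". Read these only after the token signature/audience/issuer
    // checks have passed, otherwise the logged name is attacker-controlled.
    public static string? GetClientId(ClaimsPrincipal user) =>
        user.FindFirst("azp")?.Value ?? user.FindFirst("appid")?.Value;

    public async Task<string> ResolveAsync(ClaimsPrincipal user, CancellationToken ct)
    {
        var clientId = GetClientId(user);
        // The value is interpolated into an OData $filter, so accept only a well-formed GUID.
        if (clientId is null || !Guid.TryParse(clientId, out var appId))
            return "unknown-client";

        var name = await _cache.GetOrCreateAsync($"appname:{appId:D}", async entry =>
        {
            entry.AbsoluteExpirationRelativeToNow = TimeSpan.FromHours(1);
            var url = "https://graph.microsoft.com/v1.0/servicePrincipals" +
                      $"?$filter=appId eq '{appId:D}'&$select=displayName";
            var page = await _http.CreateClient("graph").GetFromJsonAsync<SpPage>(url, ct);
            return page?.Value?.FirstOrDefault()?.DisplayName;
        });

        // Fall back to the client ID so the log line stays attributable when Graph has no match.
        return name ?? appId.ToString("D");
    }

    internal sealed record SpPage([property: JsonPropertyName("value")] List<Sp>? Value);
    internal sealed record Sp([property: JsonPropertyName("displayName")] string? DisplayName);
}
```

Call `ResolveAsync(HttpContext.User, HttpContext.RequestAborted)` from a controller or middleware and pass the result to the logger; the cache keeps the Graph round-trip off the per-request path.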


Accepted answer
Danstan Onyango 3,736 Reputation points Microsoft Employee
2021-06-28T11:03:31.217+00:00

There is a similar thread here that should help. You are able to configure what claims are in the access token and customize them. Quoting from the docs:

Access tokens are always generated using the manifest of the resource, not the client. So in the request ...scope=https://graph.microsoft.com/user.read... the resource is the Microsoft Graph API. Thus, the access token is created using the Microsoft Graph API manifest, not the client's manifest. Changing the manifest for your application will never cause tokens for the Microsoft Graph API to look different. In order to validate that your accessToken changes are in effect, request a token for your application, not another app.

Check "How to: Provide optional claims to your app" and "Customize claims emitted in tokens for a specific app in a tenant" to see if these can help.


1 additional answer

AzureSDE 116 Reputation points
2021-06-29T23:20:42.13+00:00

Could someone please point me to where I can find a sample of the ClaimsSchema for an application with 'application name' as a custom claim? Based on the active-directory-claims-mapping sample, this is the ClaimsSchema I have, but I do not see 'appname' listed in the access token. I expected to see a new claim 'appname' added to the access token with the value of the application display name on the app registration.

```powershell
# Creates a claims-mapping policy in the tenant; the ClaimsSchema below is the one
# from the post (note that the JwtClaimType key is given twice in the same object).
New-AzureADPolicy -Definition @('{
  "ClaimsMappingPolicy": {
    "Version": 1,
    "MyApiClaimsMappingPolicy": "true",
    "ClaimsSchema": [
      {
        "Source": "application",
        "ID": "applicationName",
        "JwtClaimType": "app_displayname",
        "JwtClaimType": "appname"
      }
    ]
  }
}') -DisplayName "MyApiClaimsMappingPolicy" -Type "ClaimsMappingPolicy"
```