question

Geethanjali-3659 avatar image
0 Votes"
Geethanjali-3659 asked Geethanjali-3659 commented

Alternative claim value for idp from AAD V2 access token

Have a question on the 1P token migration from V1 to V2 endpoint. Have created a test application with V2 version which has AAD and MSA users as audience and was able to generate token successfully. But I see that the idp (http://schemas.microsoft.com/identity/claims/identityprovider) claim is not available in the generated access token.
From the documentation Microsoft Identity Platform, I came to know that we can use the iss value instead of idp claim. But have below questions on the same.

  1. If a personal account (MSA) is used in AAD tenant, then usually we will be getting idp claim value as 'live.com'. For this scenario, if the idp claim is not available in the V2 access token, from where can I get this value?

  2. Per the current functionality, when we get the idp claim value ('live.com'), we also get the value of 'altsecid' claim. So, my question is Whether the 'altsecid' claim will be present in the token even when idp claim value is not present. If not, where can I get this value as well?



azure-ad-adal-deprecation
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

amanpreetsingh-msft avatar image
1 Vote"
amanpreetsingh-msft answered Geethanjali-3659 commented

Hi @Geethanjali-3659 • Thank you for reaching out. Please find my response inline.

  • If a personal account (MSA) is used in AAD tenant, then usually we will be getting idp claim value as 'live.com'. For this scenario, if the idp claim is not available in the V2 access token, from where can I get this value?

The idp claim will always be present in the token issued to an External/Guest user authenticated via an Azure AD tenant regardless of whether the token version is 1 or 2. The idp claim contains the information about the home tenant of the guest user. E.g., if an MSA user is added as a guest user in tenant1, the token issued to the user by tenant1 will contain both iss and idp claims, where iss will be the tenant1 and idp will be live.com. If the user is a member of tenant1, the token won't include the idp claim. Below is a snippet of v2 token with idp claim for your reference.
199149-image.png

  • Per the current functionality, when we get the idp claim value ('live.com'), we also get the value of 'altsecid' claim. So, my question is Whether the 'altsecid' claim will be present in the token even when idp claim value is not present. If not, where can I get this value as well?

The altsecid attribute is also associated with External/Guest identities but it is not bound with the idp claim. That means you can get idp claim without altsecid claim as well. As per my testing, altsecid is issued only for the 1st party APIs. I didn't receive this claim in the token (both v1 and v2) for the custom app exposed as API. As this is a resticted claim, you cannot use claim mapping policy to add it as optional claim.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


image.png (19.4 KiB)
· 1
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Geethanjali-3659 avatar image Geethanjali-3659 ·

Thank you for the detail explanation. Appreciate the help...!!

0 Votes 0 ·