Hello @Daniel Lerner,
Thank you for posting your query on Microsoft Q&A.
Based on your issue description, I understand that when you are looking at the Issuer URL in the https://<tenant>.ciamlogin.com/<tenant-id>/v2.0/.well-known/openid-configuration endpoint, it comes back as:
https://<tenant-id>.ciamlogin.com/<tenant-id>/v2.0
Sometimes, this is indeed the issuer that comes back in the JWT token and it works fine. However, periodically, it switches to:
https://login.microsoftonline.com/<tenant-id>/v2.0.
Please note that this change is occurring due to a difference between Azure AD B2C and Microsoft Entra ID configurations.
- Azure AD B2C is designed for customer-facing apps and typically uses the ciamlogin.com endpoint in the Issuer URL. However, when your authentication flow falls back to the Microsoft identity platform (via login.microsoftonline.com), it could be because certain settings in your configuration have changed, or the system is switching to a different flow (like organizational users in a Microsoft 365 environment).
- Sometimes, Entra ID and Azure AD B2C endpoints can overlap or switch based on which authentication method is being used (whether it's a personal Microsoft account, Microsoft Entra ID account, or an external identity provider).
To ensure consistency and prevent the change in the Issuer URL, please make sure to check on the following aspects as mentioned below:
1. Single Identity Platform:
Please make sure that your API, authentication flow, and the application are consistently using the same identity platform. You should choose to either use Azure AD B2C (with ciamlogin.com endpoints) or Microsoft Entra ID (with login.microsoftonline.com endpoints) and stick with one.
2. Check App Registration Settings:
Please ensure that the app is registered in the correct directory (tenant) and that all settings (like redirect URIs, token lifetimes, etc.) are consistent with what you'd expect for either Azure AD B2C or Microsoft Entra ID. If you're using Azure AD B2C, please make sure that you're not involving another Microsoft Entra ID tenant.
3. Entra ID Configuration for Custom Policies:
If you're using custom policies in Azure AD B2C, please ensure that your policies are correctly configured and aren't introducing any cross-tenant issues that might cause the Issuer URL to change.
In addition to the above-mentioned points, you can also define a technical profile for a JWT token issuer in an Azure Active Directory B2C custom policy with the help of the below-mentioned document for your reference.
Define a technical profile for a JWT issuer in a custom policy - Azure AD B2C | Microsoft Learn
I hope the above information is helpful. Please feel free to reach out if you have any further questions.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
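As an added illustration (not part of the answer above, and not Microsoft sample code), a small Python check an API could run to log when a token's `iss` claim stops matching the issuer advertised by the `openid-configuration` document. The tenant id, issuer strings, discovery document and sample token are constructed placeholders; signature, audience and expiry validation stay with the JWT library the API already uses.

```python
import base64
import json
from urllib.parse import urlparse

# Constructed sample values (assumptions, not from the thread); a real tenant id is a GUID.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CIAM_ISSUER = f"https://{TENANT_ID}.ciamlogin.com/{TENANT_ID}/v2.0"
ENTRA_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
# Minimal stand-in for the /v2.0/.well-known/openid-configuration response.
DISCOVERY_DOC = {"issuer": CIAM_ISSUER}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_sample_token(claims: dict) -> str:
    """Build a constructed JWT for exercising the check below.
    The signature segment is a placeholder; nothing here verifies it."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder"

def issuer_platform(issuer: str) -> str:
    """Classify which endpoint minted the token from the issuer host."""
    host = urlparse(issuer).hostname or ""
    if host.endswith(".ciamlogin.com"):
        return "ciamlogin"
    if host == "login.microsoftonline.com":
        return "microsoftonline"
    return "unknown"

def check_issuer(token: str, discovery_doc: dict) -> dict:
    """Compare the token's iss claim with the issuer from openid-configuration.
    Only the issuer is compared here; signature, aud and exp validation belong
    to the JWT library. A mismatch should be logged and the token rejected,
    not silently accepted because it came from the other platform."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS: header.payload.signature")
    iss = json.loads(_b64url_decode(parts[1])).get("iss", "")
    expected = discovery_doc["issuer"]
    return {
        "iss": iss,
        "expected": expected,
        "match": iss == expected,
        "platform": issuer_platform(iss),
    }
```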