How can I include an email claim in an Open ID token for the managed account in Entra ID?

Tony Mee
2024-11-22T11:33:00.66+00:00

I registered a multi-tenant application in my own tenant of Microsoft Entra ID. I configured email and openid as API Permissions. I tried the device code grant flow with this application.

I specified email and openid as scope in the v2.0/devicecode endpoint and obtained a user code, device code, and verification URL. I accessed the verification URL in a browser, entered the user code, signed in with my Outlook.com personal account, and consented to 'View your email address' and 'Sign you in'.

I then passed the device code to the v2.0/token endpoint and obtained an access token and id token as expected. I decoded the id token as JWT and confirmed that the payload contained an email claim.

Next, I tried the same thing with a managed account, that is, a user in the tenant where the application was registered. It was the same as with a personal account, up until the point where I entered the user code in the verification URL and logged in to the managed account. However, something strange happened here.

I was expecting to be asked for consent to 'View your email address' and 'Sign you in', just like with a personal account, but in fact I was asked for consent to 'View your basic profile' and 'Maintain access to data you have given it access to'. The scope I requested was email and openid, the same as before. I was curious about the difference from the personal account, but I went ahead with the steps anyway.

When I passed the device code to the v2.0/token endpoint and decoded the id token obtained, there was no email claim this time. The email property of the signed-in managed account is set to the correct address. In fact, I can obtain this address as email by accessing the userinfo endpoint.

According to Microsoft's documentation, specifying the email scope allows the email claim to be included in the id token as long as the user is associated with an email address. I also tried specifying email as an optional claim in the token configuration, but the result was the same.

Is there any other setting required for managed accounts to include the email claim in the id token? Or are there other settings for the tenant, user, and application that prevent the email claim from being included in the id token for managed accounts?
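The steps described in the question, as an added reproduction script (not code from the original post): request a device code from the v2.0/devicecode endpoint with the openid and email scopes, poll v2.0/token while honouring authorization_pending and slow_down, decode the returned id_token, and compare its email claim with what the UserInfo endpoint returns for the same sign-in. TENANT and CLIENT_ID are placeholders you must replace, and the script assumes the app registration allows public client flows (required for the device code grant). The JWT decoding deliberately skips signature verification: that is fine for inspecting what the identity provider issued, but never use unverified claims to make an authentication decision.

```python
"""Device code flow against Entra ID v2.0 and an id_token email-claim check.

Added example for illustration; not code from the original question.
Assumptions: TENANT and CLIENT_ID are placeholders, and the app registration
has "Allow public client flows" enabled.
"""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TENANT = "common"  # assumption: 'common' accepts both personal and work accounts
CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real app id
SCOPES = "openid email"
AUTHORITY = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0"
USERINFO = "https://graph.microsoft.com/oidc/userinfo"


def post_form(url, data):
    """POST an x-www-form-urlencoded body and return the parsed JSON, also on
    4xx responses (the token endpoint reports authorization_pending as HTTP 400)."""
    body = urllib.parse.urlencode(data).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        return json.load(e)


def decode_jwt_claims(token):
    """Decode the payload of a compact JWS without verifying its signature.
    Good enough to inspect what the IdP issued; never use it to trust a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def email_from_claims(claims):
    """Return the email claim value, or None when the IdP omitted the claim."""
    return claims.get("email")


def device_code_login():
    """Run the grant end to end and return the token endpoint's JSON response."""
    dc = post_form(f"{AUTHORITY}/devicecode", {"client_id": CLIENT_ID, "scope": SCOPES})
    if "device_code" not in dc:
        raise RuntimeError(dc.get("error_description", dc))
    print(dc["message"])  # tells the user which URL to open and which code to enter
    interval = dc.get("interval", 5)
    deadline = time.time() + dc.get("expires_in", 900)
    while time.time() < deadline:
        time.sleep(interval)
        tok = post_form(f"{AUTHORITY}/token", {
            "grant_type": "urn:ietf:params:oauth:grant-type:device_code",
            "client_id": CLIENT_ID,
            "device_code": dc["device_code"],
        })
        err = tok.get("error")
        if err is None:
            return tok
        if err == "slow_down":
            interval += 5  # RFC 8628: back off when the server asks for it
        elif err != "authorization_pending":
            raise RuntimeError(tok.get("error_description", err))
    raise TimeoutError("sign-in was not completed before the device code expired")


def main():
    tok = device_code_login()
    claims = decode_jwt_claims(tok["id_token"])
    print("id_token claims:", json.dumps(claims, indent=2))
    print("email claim in id_token:", email_from_claims(claims))
    # The openid scope grants access to the UserInfo endpoint; compare its view.
    req = urllib.request.Request(USERINFO, headers={"Authorization": "Bearer " + tok["access_token"]})
    with urllib.request.urlopen(req) as resp:
        print("email from userinfo:", json.load(resp).get("email"))


if __name__ == "__main__":
    main()
```

Run it once with a personal account and once with a tenant user to see the two id_token payloads side by side; the decoded claims show whether the difference is the email claim alone or whether other claims (for example preferred_username) also differ between the two account types.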

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer
    Navya (Microsoft Vendor)
    2024-11-25T20:36:58.7166667+00:00

    Hi @Tony Mee

    Thank you for posting this in Microsoft Q&A.

    I understand that you have included email and OpenID as API permissions and scopes while making a request to the device code flow endpoint.

    When using a personal account, it asks for consent to 'View your email address' and 'Sign you in.' However, when using managed accounts, it requests consent to 'View your basic profile' and 'Maintain access to data you have given it access to.'

    The OpenID scope appears on the work account consent page as the 'Sign you in' permission. This permission gives the app access to the UserInfo endpoint. Therefore, when using managed accounts, it requests consent for 'View your basic profile' and 'Maintain access to data you have given it access to.'

    How can I include an email claim in an OpenID token for the managed account in Entra ID?

    By default, guest accounts that have an email address. In the first scenario, since you are using Outlook, you are receiving the email in the token. You can also get the email claim for managed accounts. To obtain the email claim in the token for managed accounts, the email attribute must be associated with the user account in the user properties. Otherwise, no email claim will exist in the token.

    Could you please cross-check whether the managed account has the email attribute associated with it?

    For your reference: https://learn.microsoft.com/en-us/entra/identity-platform/scopes-oidc#:~:text=The%20openid%20scope,in%20the%20token.

    https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.



