articles/active-directory/develop/access-tokens.md (1 addition & 1 deletion)
@@ -104,7 +104,7 @@ Claims are present only if a value exists to fill it. So, your app shouldn't tak
104
104
|`hasgroups`| Boolean | If present, always `true`, denoting the user is in at least one group. Used in place of the `groups` claim for JWTs in implicit grant flows if the full groups claim would extend the URI fragment beyond the URL length limits (currently 6 or more groups). Indicates that the client should use the Graph to determine the user's groups (`https://graph.windows.net/{tenantID}/users/{userID}/getMemberObjects`). |
105
105
|`groups:src1`| JSON object | For token requests that are not length limited (see `hasgroups` above) but still too large for the token, a link to the full groups list for the user will be included. For JWTs as a distributed claim, for SAML as a new claim in place of the `groups` claim. <br><br>**Example JWT Value**: <br> `"groups":"src1"` <br> `"_claim_sources`: `"src1" : { "endpoint" : "https://graph.windows.net/{tenantID}/users/{userID}/getMemberObjects" }`|
106
106
|`sub`| String, a GUID | The principal about which the token asserts information, such as the user of an app. This value is immutable and cannot be reassigned or reused. It can be used to perform authorization checks safely, such as when the token is used to access a resource, and can be used as a key in database tables. Because the subject is always present in the tokens that Azure AD issues, we recommend using this value in a general-purpose authorization system. The subject is, however, a pairwise identifier - it is unique to a particular application ID. Therefore, if a single user signs into two different apps using two different client IDs, those apps will receive two different values for the subject claim. This may or may not be desired depending on your architecture and privacy requirements. See also the `oid` claim (which does remain the same across apps within a tenant). |
107
-
|`oid`| String, a GUID | The immutable identifier for an object in the Microsoft identity platform, in this case, a user account. It can also be used to perform authorization checks safely and as a key in database tables. This ID uniquely identifies the user across applications - two different applications signing in the same user will receive the same value in the `oid` claim. Thus, `oid` can be used when making queries to Microsoft online services, such as the Microsoft Graph. The Microsoft Graph will return this ID as the `id` property for a given user account. Because the `oid` allows multiple apps to correlate users, the `profile` scope is required in order to receive this claim. Note that if a single user exists in multiple tenants, the user will contain a different object ID in each tenant - they are considered different accounts, even though the user logs into each account with the same credentials. |
107
+
|`oid`| String, a GUID | The immutable identifier for an object in the Microsoft identity platform, in this case, a user account. It can also be used to perform authorization checks safely and as a key in database tables. This ID uniquely identifies the user across applications - two different applications signing in the same user will receive the same value in the `oid` claim. Thus, `oid` can be used when making queries to Microsoft online services, such as the Microsoft Graph. The Microsoft Graph will return this ID as the `id` property for a given [user account](/graph/api/resources/user). Because the `oid` allows multiple apps to correlate users, the `profile` scope is required in order to receive this claim. Note that if a single user exists in multiple tenants, the user will contain a different object ID in each tenant - they are considered different accounts, even though the user logs into each account with the same credentials. |
108
108
|`tid`| String, a GUID | Represents the Azure AD tenant that the user is from. For work and school accounts, the GUID is the immutable tenant ID of the organization that the user belongs to. For personal accounts, the value is `9188040d-6c67-4c5b-b112-36a304b66dad`. The `profile` scope is required in order to receive this claim. |
109
109
|`unique_name`| String | Only present in v1.0 tokens. Provides a human readable value that identifies the subject of the token. This value is not guaranteed to be unique within a tenant and should be used only for display purposes. |
110
110
|`uti`| Opaque String | An internal claim used by Azure to revalidate tokens. Resources shouldn't use this claim. |
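Review bot: the `oid` row still says the object ID "can also be used to perform authorization checks safely and as a key in database tables", but the row's own last sentence notes that the same user gets a different object ID in each tenant and the `tid` row below carries the tenant, so the sentence should tell multi-tenant apps to key on `oid` together with `tid` rather than on `oid` alone. The added `[user account](/graph/api/resources/user)` link is fine. While this table is being touched, the example in the `groups:src1` row above is missing the closing double quote in `"_claim_sources`; it should read `"_claim_sources"` so the JSON fragment is valid.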
articles/active-directory/develop/active-directory-claims-mapping.md (4 additions & 4 deletions)
@@ -11,7 +11,7 @@ ms.workload: identity
11
11
ms.tgt_pltfrm: na
12
12
ms.devlang: na
13
13
ms.topic: conceptual
14
-
ms.date: 03/28/2019
14
+
ms.date: 10/22/2019
15
15
ms.author: ryanwi
16
16
ms.reviewer: paulgarn, hirsin, jeedes, luleon
17
17
ms.collection: M365-identity-device-management
@@ -460,7 +460,7 @@ In this example, you create a policy that removes the basic claim set from token
460
460
Get-AzureADPolicy
461
461
```
462
462
1. Assign the policy to your service principal. You also need to get the ObjectId of your service principal.
463
-
1. To see all your organization's service principals, you can query Microsoft Graph. Or, in Azure AD Graph Explorer, sign in to your Azure AD account.
463
+
1. To see all your organization's service principals, you can [query Microsoft Graph](/graph/traverse-the-graph). Or, in [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer), sign in to your Azure AD account.
464
464
2. When you have the ObjectId of your service principal, run the following command:
465
465
466
466
``` powershell
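Review bot: the sub-steps "1. To see all your organization's service principals ..." and "2. When you have the ObjectId ..." sit directly under the parent item "1. Assign the policy to your service principal" without indentation, so they render as a restarted top-level list rather than as nested steps; indent them under the parent item. The link rewording itself is good, since "Azure AD Graph Explorer" pointed readers at the legacy Azure AD Graph endpoint. Also in the trailing context, the fence is written as ``` powershell with a space before the language; write it as ```powershell so the highlighter picks up the language.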
@@ -484,7 +484,7 @@ In this example, you create a policy that adds the EmployeeID and TenantCountry
484
484
Get-AzureADPolicy
485
485
```
486
486
1. Assign the policy to your service principal. You also need to get the ObjectId of your service principal.
487
-
1. To see all your organization's service principals, you can query Microsoft Graph. Or, in Azure AD Graph Explorer, sign in to your Azure AD account.
487
+
1. To see all your organization's service principals, you can [query Microsoft Graph](/graph/traverse-the-graph). Or, in [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer), sign in to your Azure AD account.
488
488
2. When you have the ObjectId of your service principal, run the following command:
489
489
490
490
``` powershell
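Review bot: this is the second of three identical edits to the same sentence in this file (the "query Microsoft Graph" / "Graph Explorer" links appear again at lines 463 and 511); keep the three copies from drifting by moving the shared "Assign the policy to your service principal" steps into an include snippet referenced from each example, or at least note in the PR that all three were updated together. The change itself matches the first hunk exactly.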
@@ -508,7 +508,7 @@ In this example, you create a policy that emits a custom claim “JoinedData”
508
508
Get-AzureADPolicy
509
509
```
510
510
1. Assign the policy to your service principal. You also need to get the ObjectId of your service principal.
511
-
1. To see all your organization's service principals, you can query Microsoft Graph. Or, in Azure AD Graph Explorer, sign in to your Azure AD account.
511
+
1. To see all your organization's service principals, you can [query Microsoft Graph](/graph/traverse-the-graph). Or, in [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer), sign in to your Azure AD account.
512
512
2. When you have the ObjectId of your service principal, run the following command:
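Review bot: the new `[query Microsoft Graph](/graph/traverse-the-graph)` link lands on a general traversal page, and the reader is asked specifically to find a service principal's ObjectId; the step would be more useful if it named the request to run in Graph Explorer, for example listing `servicePrincipals` and filtering on the app's display name, and mentioned that the signed-in account needs directory read permission for that query to return results. Otherwise this hunk is the same edit as the two above it.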