articles/active-directory/develop/access-tokens.md (3 additions & 3 deletions)
@@ -12,7 +12,7 @@ ms.workload: identity
12
12
ms.tgt_pltfrm: na
13
13
ms.devlang: na
14
14
ms.topic: conceptual
15
-
ms.date: 08/28/2019
15
+
ms.date: 10/22/2019
16
16
ms.author: ryanwi
17
17
ms.reviewer: hirsin
18
18
ms.custom: aaddev, fasttrack-edit
@@ -104,7 +104,7 @@ Claims are present only if a value exists to fill it. So, your app shouldn't tak
104
104
|`hasgroups`| Boolean | If present, always `true`, denoting the user is in at least one group. Used in place of the `groups` claim for JWTs in implicit grant flows if the full groups claim would extend the URI fragment beyond the URL length limits (currently 6 or more groups). Indicates that the client should use the Graph to determine the user's groups (`https://graph.windows.net/{tenantID}/users/{userID}/getMemberObjects`). |
105
105
|`groups:src1`| JSON object | For token requests that are not length limited (see `hasgroups` above) but still too large for the token, a link to the full groups list for the user will be included. For JWTs as a distributed claim, for SAML as a new claim in place of the `groups` claim. <br><br>**Example JWT Value**: <br> `"groups":"src1"` <br> `"_claim_sources`: `"src1" : { "endpoint" : "https://graph.windows.net/{tenantID}/users/{userID}/getMemberObjects" }`|
106
106
|`sub`| String, a GUID | The principal about which the token asserts information, such as the user of an app. This value is immutable and cannot be reassigned or reused. It can be used to perform authorization checks safely, such as when the token is used to access a resource, and can be used as a key in database tables. Because the subject is always present in the tokens that Azure AD issues, we recommend using this value in a general-purpose authorization system. The subject is, however, a pairwise identifier - it is unique to a particular application ID. Therefore, if a single user signs into two different apps using two different client IDs, those apps will receive two different values for the subject claim. This may or may not be desired depending on your architecture and privacy requirements. See also the `oid` claim (which does remain the same across apps within a tenant). |
107
-
|`oid`| String, a GUID | The immutable identifier for an object in the Microsoft identity platform, in this case, a user account. It can also be used to perform authorization checks safely and as a key in database tables. This ID uniquely identifies the user across applications - two different applications signing in the same user will receive the same value in the `oid` claim. Thus, `oid` can be used when making queries to Microsoft online services, such as the Microsoft Graph. The Microsoft Graph will return this ID as the `id` property for a given user account. Because the `oid` allows multiple apps to correlate users, the `profile` scope is required in order to receive this claim. Note that if a single user exists in multiple tenants, the user will contain a different object ID in each tenant - they are considered different accounts, even though the user logs into each account with the same credentials. |
107
+
|`oid`| String, a GUID | The immutable identifier for an object in the Microsoft identity platform, in this case, a user account. It can also be used to perform authorization checks safely and as a key in database tables. This ID uniquely identifies the user across applications - two different applications signing in the same user will receive the same value in the `oid` claim. Thus, `oid` can be used when making queries to Microsoft online services, such as the Microsoft Graph. The Microsoft Graph will return this ID as the `id` property for a given [user account](/graph/api/resources/user). Because the `oid` allows multiple apps to correlate users, the `profile` scope is required in order to receive this claim. Note that if a single user exists in multiple tenants, the user will contain a different object ID in each tenant - they are considered different accounts, even though the user logs into each account with the same credentials. |
108
108
|`tid`| String, a GUID | Represents the Azure AD tenant that the user is from. For work and school accounts, the GUID is the immutable tenant ID of the organization that the user belongs to. For personal accounts, the value is `9188040d-6c67-4c5b-b112-36a304b66dad`. The `profile` scope is required in order to receive this claim. |
109
109
|`unique_name`| String | Only present in v1.0 tokens. Provides a human readable value that identifies the subject of the token. This value is not guaranteed to be unique within a tenant and should be used only for display purposes. |
110
110
|`uti`| Opaque String | An internal claim used by Azure to revalidate tokens. Resources shouldn't use this claim. |
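Review bot: the `oid` row now links to the Microsoft Graph `user` resource, but the `hasgroups` and `groups:src1` rows in the same table still point at the legacy Azure AD Graph endpoint (`https://graph.windows.net/{tenantID}/users/{userID}/getMemberObjects`); if the intent is to steer readers to Microsoft Graph, those rows should get the same treatment, or the text should say which Graph it means. Since this hunk touches the `oid` row, which already says the same user gets a different object ID in each tenant, it would also help to state that an app keying a database on `oid` should store `tid` alongside it so records from different tenants cannot collide; the current wording leaves that inference to the reader.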
* Is a JSON object containing several useful pieces of information, such as the location of the various endpoints required for doing OpenID Connect authentication.
208
-
* Includes a `jwks_uri`, which gives the location of the set of public keys used to sign tokens. The JSON document located at the `jwks_uri` contains all of the public key information in use at that particular moment in time. Your app can use the `kid` claim in the JWT header to select which public key in this document has been used to sign a particular token. It can then do signature validation using the correct public key and the indicated algorithm.
208
+
* Includes a `jwks_uri`, which gives the location of the set of public keys used to sign tokens. The JSON Web Key (JWK) located at the `jwks_uri` contains all of the public key information in use at that particular moment in time. The JWK format is described in [RFC 7517](https://tools.ietf.org/html/rfc7517). Your app can use the `kid` claim in the JWT header to select which public key in this document has been used to sign a particular token. It can then do signature validation using the correct public key and the indicated algorithm.
209
209
210
210
> [!NOTE]
211
211
> The v1.0 endpoint returns both the `x5t` and `kid` claims, while the v2.0 endpoint responds with only the `kid` claim. Going forward, we recommend using the `kid` claim to validate your token.
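Review bot: "The JSON Web Key (JWK) located at the `jwks_uri`" is imprecise: the document served at `jwks_uri` is a JWK Set, a JSON object whose `keys` array holds the individual JWK objects (RFC 7517, section 5), not a single key. Suggest "The JSON Web Key Set (JWKS) located at the `jwks_uri`", keeping the RFC link; that also matches the next sentence, which has the app pick one key out of the document by `kid`. The text calls `kid` a claim in the JWT header where it is strictly a header parameter, but that wording is pre-existing.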
articles/active-directory/develop/active-directory-claims-mapping.md (6 additions & 5 deletions)
@@ -1,5 +1,6 @@
1
1
---
2
-
title: Customize claims for an app in an Azure AD tenant (Public Preview)
2
+
title: Customize claims for an Azure AD tenant app (Public Preview)
3
+
titleSuffix: Microsoft identity platform
3
4
description: This page describes Azure Active Directory claims mapping.
4
5
services: active-directory
5
6
author: rwike77
@@ -11,7 +12,7 @@ ms.workload: identity
11
12
ms.tgt_pltfrm: na
12
13
ms.devlang: na
13
14
ms.topic: conceptual
14
-
ms.date: 03/28/2019
15
+
ms.date: 10/22/2019
15
16
ms.author: ryanwi
16
17
ms.reviewer: paulgarn, hirsin, jeedes, luleon
17
18
ms.collection: M365-identity-device-management
@@ -460,7 +461,7 @@ In this example, you create a policy that removes the basic claim set from token
460
461
Get-AzureADPolicy
461
462
```
462
463
1. Assign the policy to your service principal. You also need to get the ObjectId of your service principal.
463
-
1. To see all your organization's service principals, you can query Microsoft Graph. Or, in Azure AD Graph Explorer, sign in to your Azure AD account.
464
+
1. To see all your organization's service principals, you can [query Microsoft Graph](/graph/traverse-the-graph). Or, in [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer), sign in to your Azure AD account.
464
465
2. When you have the ObjectId of your service principal, run the following command:
465
466
466
467
``` powershell
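Review bot: the new `[query Microsoft Graph](/graph/traverse-the-graph)` link points at a general Graph traversal guide rather than at the request that actually lists service principals; since the purpose of this step is to find the ObjectId of one service principal, link or quote the `servicePrincipals` list request directly so the reader does not have to discover it. The same sub-step text is repeated verbatim in the two later hunks of this file, so whatever wording is chosen here should be applied to all three.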
@@ -484,7 +485,7 @@ In this example, you create a policy that adds the EmployeeID and TenantCountry
484
485
Get-AzureADPolicy
485
486
```
486
487
1. Assign the policy to your service principal. You also need to get the ObjectId of your service principal.
487
-
1. To see all your organization's service principals, you can query Microsoft Graph. Or, in Azure AD Graph Explorer, sign in to your Azure AD account.
488
+
1. To see all your organization's service principals, you can [query Microsoft Graph](/graph/traverse-the-graph). Or, in [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer), sign in to your Azure AD account.
488
489
2. When you have the ObjectId of your service principal, run the following command:
489
490
490
491
``` powershell
@@ -508,7 +509,7 @@ In this example, you create a policy that emits a custom claim “JoinedData”
508
509
Get-AzureADPolicy
509
510
```
510
511
1. Assign the policy to your service principal. You also need to get the ObjectId of your service principal.
511
-
1. To see all your organization's service principals, you can query Microsoft Graph. Or, in Azure AD Graph Explorer, sign in to your Azure AD account.
512
+
1. To see all your organization's service principals, you can [query Microsoft Graph](/graph/traverse-the-graph). Or, in [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer), sign in to your Azure AD account.
512
513
2. When you have the ObjectId of your service principal, run the following command:
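Review bot: this is the third identical copy of the "find your service principal's ObjectId" sub-step (see the hunks at 461 and 485 above); keeping three copies in sync is what made this commit touch three places for one link fix. Consider moving the lookup step into a single shared section that the three policy examples reference, so the next link or wording change is a one-line edit.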