久保圭司

Reputation: 587

How to identify an Azure AD user uniquely

I read all the properties of the Azure AD access_token, but there seems to be no property for uniquely identifying the user. Is there a way to identify the user by the Azure AD token? https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens

Upvotes: 0

Views: 1914

Answers (1)

juunas

Reputation: 58898

You can use either the oid or sub claim to identify the user.

Here's what the docs say on oid:

The immutable identifier for an object in the Microsoft identity platform, in this case, a user account. It can also be used to perform authorization checks safely and as a key in database tables. This ID uniquely identifies the user across applications - two different applications signing in the same user will receive the same value in the oid claim. Thus, oid can be used when making queries to Microsoft online services, such as the Microsoft Graph. The Microsoft Graph will return this ID as the id property for a given user account. Because the oid allows multiple apps to correlate users, the profile scope is required in order to receive this claim. Note that if a single user exists in multiple tenants, the user will contain a different object ID in each tenant - they are considered different accounts, even though the user logs into each account with the same credentials.

And the sub claim:

The principal about which the token asserts information, such as the user of an app. This value is immutable and cannot be reassigned or reused. It can be used to perform authorization checks safely, such as when the token is used to access a resource, and can be used as a key in database tables. Because the subject is always present in the tokens that Azure AD issues, we recommend using this value in a general-purpose authorization system. The subject is, however, a pairwise identifier - it is unique to a particular application ID. Therefore, if a single user signs into two different apps using two different client IDs, those apps will receive two different values for the subject claim. This may or may not be desired depending on your architecture and privacy requirements. See also the oid claim (which does remain the same across apps within a tenant).

Essentially, the oid claim is the user's unique identifier in the Azure AD tenant, and is also what you use to query data related to the user from the Microsoft Graph API. The sub claim is guaranteed to be unique and immutable as well, but only within that app. The user might get a different value in the sub claim when using another app. In general, I use the oid claim.

Getting the oid claim from the v2 endpoint requires the profile scope.

Do note that if your API is also expected to handle applications calling your API without a user being present, their tokens will also contain oid/sub claims, but those refer to the service principal of that app in your tenant and not a user.

Upvotes: 1
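As an added example that is not part of the question or the answer above: the script below decodes the payload of a compact JWT, builds a stable user key from the tid and oid claims (oid alone collides across tenants in a multi-tenant app, as the quoted docs note), shows that the same user gets the same oid but a different sub in two different client apps, and refuses to treat an app-only token's oid as a user. The tokens and GUIDs are constructed samples, not real Azure AD tokens; the `idtyp == "app"` check and the "no scp but roles present" fallback for detecting app-only tokens are assumptions about claim layout, and the decoder deliberately does no signature, issuer, audience or expiry validation, so in a real API run it only after a proper JWT library has validated the token.

```python
import base64
import json

# Constructed sample data (not real identifiers or tokens).
TENANT = "11111111-1111-1111-1111-111111111111"
USER_OID = "22222222-2222-2222-2222-222222222222"
SP_OID = "33333333-3333-3333-3333-333333333333"

# Same user, two different client apps: oid is shared, sub is pairwise per app.
USER_APP_A = {"tid": TENANT, "oid": USER_OID, "sub": "subA-pairwise-for-client-A",
              "scp": "access_as_user", "preferred_username": "alice@contoso.example"}
USER_APP_B = {"tid": TENANT, "oid": USER_OID, "sub": "subB-pairwise-for-client-B",
              "scp": "access_as_user", "preferred_username": "alice@contoso.example"}
# A daemon calling the API with no user present: oid/sub name the service principal.
APP_ONLY = {"tid": TENANT, "oid": SP_OID, "sub": SP_OID,
            "roles": ["Data.Read.All"], "idtyp": "app"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    # Builds a sample header.payload. token with an empty signature segment.
    # Real Azure AD tokens are RS256-signed; this helper exists only to feed the decoder.
    header = {"typ": "JWT", "alg": "none"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()), ""])


def decode_claims(token: str) -> dict:
    # Reads the payload WITHOUT validating signature, issuer, audience or expiry.
    # Only trust the result after the token has passed full validation elsewhere.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def is_app_only(claims: dict) -> bool:
    # Assumption: the optional 'idtyp' claim is "app" on app-only tokens.
    # Fallback assumption: delegated tokens carry 'scp'; app-only tokens carry 'roles' only.
    if claims.get("idtyp") == "app":
        return True
    return "scp" not in claims and "roles" in claims


def user_key(claims: dict) -> str:
    # tid:oid is immutable per tenant and identical across apps, unlike sub.
    # Including tid keeps the same person in two tenants (two distinct accounts) apart.
    if is_app_only(claims):
        raise ValueError("app-only token: oid names a service principal, not a user")
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        raise ValueError("token lacks tid/oid (on the v2 endpoint the 'profile' scope is needed for oid)")
    return f"{tid}:{oid}"


def key_from_token(token: str) -> str:
    return user_key(decode_claims(token))


def key_or_none(claims: dict):
    # Convenience wrapper for callers that want a sentinel instead of an exception.
    try:
        return user_key(claims)
    except ValueError:
        return None


if __name__ == "__main__":
    tok_a, tok_b = make_unsigned_token(USER_APP_A), make_unsigned_token(USER_APP_B)
    print("key from app A:", key_from_token(tok_a))
    print("key from app B:", key_from_token(tok_b))
    print("sub differs across apps:", decode_claims(tok_a)["sub"] != decode_claims(tok_b)["sub"])
    print("app-only token keyed as user:", key_or_none(APP_ONLY))
```

Store `tid:oid` as the database key; if you instead store `sub`, a second client ID added later (a mobile app, a CLI) will see the same person as a stranger.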
