JWT Token with Issuer and Audience for One Azure Tenant Used by Another Tenant in SCIM Application

Question

I am configuring Azure User provisioning for my .NET Core web API project. I have created a sample SCIM application and deployed it on a Windows server. A specific token is generated for the application within a particular tenant. The token has the following issuer and audience:

• Issuer: https://sts.windows.net/My_TenantId
• Audience: Application ID d0d2ce47-8775-4a20............d0d2ce47..

When I test the connection for the tenant with the corresponding URL and valid token, it works as expected. However, the problem arises when I test the connection with an application inside a different tenant. Surprisingly, the connection is still successful.

The following tenantId I have used with the application Id as mentioned below and It's working fine. enter image description here

But the problem is that it is working with another Tenant as well.

Expected result :- When I generate the token for one tenant, it should work only for the applications which exists in that tenant. Test connection should fail for other tenants if the token is not generated for them.

Answer 1

Your application should be the one generating the token being used - either long-lived bearer tokens (format doesn't matter - JWT or any other is fine) or OAuth 2.0 access tokens. There is no validation of the provided token(s) that takes place for Entra ID provisioning - the value entered is passed in the Authorization header of the HTTP requests, in the form of Authorization Bearer . Your application should be handling both the issuing of tokens and if they are authorized.