The ID token does not contain a tenant identifier. How can a tenant-specific application access protected resources in Azure AD?

Updated: Jan 28, 2025

When an application wants to access protected resources in Azure Active Directory (AAD), it typically follows the OAuth 2.0 authorization code flow or the OpenID Connect flow to obtain an access token and an ID token. The access token is used to access the protected resources, while the ID token contains various claims, including the subject (the identity of the authenticated user), issuer (Azure AD), and expiration time.

However, you're correct that the ID token does not contain a tenant identifier explicitly. Instead, the tenant information is implicitly included in the issuer URL of the ID token. The issuer URL consists of the tenant ID and the instance of Azure AD. For example, if your tenant ID is "contoso.onmicrosoft.com" and you're using the public Azure AD instance, the issuer URL would be "https://login.microsoftonline.com/contoso.onmicrosoft.com/v2.0".

When your tenant-specific application wants to access protected resources, it should ensure that it trusts the issuer URL of the ID token. By checking the issuer URL, your application can determine whether the ID token was issued by your tenant's Azure AD instance. If the issuer URL matches your tenant's Azure AD instance, your application can trust the ID token and use it to authenticate the user and authorize access to the protected resources.
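The issuer check described above, as an added example in Python using only the standard library (this is not code from the original answer). It assumes the token's signature has already been verified against the tenant's signing keys, and that the only trusted host is the public instance login.microsoftonline.com, with issuers of the form https://login.microsoftonline.com/{tenant}/v2.0 as in the example issuer above.

```python
import base64
import json
from urllib.parse import urlparse

TRUSTED_INSTANCE = "login.microsoftonline.com"  # public Azure AD instance; the only host accepted here

def decode_payload(id_token: str) -> dict:
    """Return the JWT payload claims; the signature is assumed verified elsewhere."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def tenant_from_issuer(iss: str) -> str:
    """Extract the tenant segment from https://<instance>/<tenant>/v2.0.

    Anything else (wrong scheme, look-alike host, extra path segments) is rejected,
    so the issuer cannot be spoofed by prefixing or suffixing the trusted host.
    """
    u = urlparse(iss)
    if u.scheme != "https" or u.netloc != TRUSTED_INSTANCE:
        raise ValueError(f"untrusted issuer host: {iss}")
    segments = [s for s in u.path.split("/") if s]
    if len(segments) != 2 or segments[1] != "v2.0":
        raise ValueError(f"unexpected issuer path: {iss}")
    return segments[0]

def issuer_matches_tenant(claims: dict, expected_tenant: str) -> bool:
    """True only if the token's "iss" names the tenant this application serves."""
    iss = claims.get("iss")
    if not isinstance(iss, str):
        return False
    try:
        return tenant_from_issuer(iss).lower() == expected_tenant.lower()
    except ValueError:
        return False

def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token for offline demonstration only (hypothetical helper)."""
    def b64url(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64url({'alg': 'none', 'typ': 'JWT'})}.{b64url(claims)}.placeholder-signature"

if __name__ == "__main__":
    token = make_sample_token({"iss": "https://login.microsoftonline.com/contoso.onmicrosoft.com/v2.0"})
    print(issuer_matches_tenant(decode_payload(token), "contoso.onmicrosoft.com"))
```

A token whose issuer names another tenant, a look-alike host, or a non-https scheme is rejected before any of its other claims are consulted.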

In summary, even though the ID token does not contain a tenant identifier explicitly, your application can still access protected resources in Azure AD by checking the issuer URL of the ID token to ensure that it was issued by your tenant's Azure AD instance.