The ID token does not contain a tenant identifier, how does Azure AD authenticate requests to the right tenant?
Azure Active Directory (Azure AD) is a cloud-based identity and access management service that helps secure applications, services, and infrastructure. When a user signs in to an application or service protected by Azure AD, Azure AD returns an access token and an ID token to the application or service. The access token is used to grant access to protected resources, while the ID token contains claims about the user, including their identity, groups, and other attributes.
You're correct that the ID token does not contain a tenant identifier explicitly. However, Azure AD uses other mechanisms to ensure that requests are authenticated to the correct tenant.
When a user signs in to an application or service, Azure AD checks the sign-in request against the list of tenants associated with the application or service. This list is configured in the Azure portal when you register the application or service with Azure AD. If the tenant in the sign-in request matches one of the tenants associated with the application or service, Azure AD proceeds with the authentication process.
Additionally, Azure AD uses the domain of the user's sign-in name to determine the tenant. For example, if the user signs in with the email address [email protected], Azure AD assumes that the user belongs to the Contoso tenant. If there is no matching tenant in the list of tenants associated with the application or service, or if the user's domain does not match any of the tenants, Azure AD returns an error.
In summary, Azure AD uses a combination of the list of tenants associated with the application or service and the domain of the user's sign-in name to authenticate requests to the right tenant, even though the ID token does not contain a tenant identifier explicitly.
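As an added example (not part of the question or answer above), here is the tenant allow-list check the answer describes, written in Python against an ID token's claims. It assumes the application has a configured list of tenant IDs with their verified domains; `iss`, `tid` and `preferred_username` are real Microsoft identity platform claim names and the v2.0 issuer format is the real one, while the token itself is a constructed unsigned sample decoded without signature verification purely for illustration.

```python
import base64
import json
# Constructed allow-list: tenants this app is registered for, mapped to their verified domains.
ALLOWED_TENANTS = {
    "11111111-1111-1111-1111-111111111111": {"contoso.com", "contoso.onmicrosoft.com"},
}
ISSUER_PREFIX = "https://login.microsoftonline.com/"

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token):
    """Return the payload claims of a compact JWT. This does NOT verify the signature;
    a real app verifies it against the tenant's signing keys before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))

def tenant_from_issuer(iss):
    """Extract the tenant ID from a v2.0 issuer: https://login.microsoftonline.com/{tid}/v2.0"""
    if not iss.startswith(ISSUER_PREFIX) or not iss.endswith("/v2.0"):
        return None
    return iss[len(ISSUER_PREFIX):-len("/v2.0")]

def check_tenant(claims, allowed=ALLOWED_TENANTS):
    """Accept the token only if its tenant is one the app is registered for."""
    tid = claims.get("tid")
    if tid is None or tenant_from_issuer(claims.get("iss", "")) != tid:
        return False, "tid missing or does not match issuer"
    if tid not in allowed:
        return False, "tenant not registered for this application"
    # The sign-in domain check the answer describes. Guest (B2B) users keep their home
    # domain in preferred_username, so production code should rely on tid/iss alone.
    domain = claims.get("preferred_username", "").rpartition("@")[2].lower()
    if domain not in allowed[tid]:
        return False, "sign-in domain not verified for tenant"
    return True, "ok"

def make_unsigned_token(claims):
    """Constructed sample only: header and payload with an empty signature segment."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

SAMPLE_CLAIMS = {  # constructed, not a real token
    "iss": ISSUER_PREFIX + "11111111-1111-1111-1111-111111111111/v2.0",
    "tid": "11111111-1111-1111-1111-111111111111",
    "preferred_username": "alice@contoso.com",
}
```

Without the `tid`-against-allow-list step, a multi-tenant registration accepts a valid token issued by any Azure AD tenant, which is the misconfiguration the check exists to prevent.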