unique_name claim - which user attribute?
The id_token contains a claim whose name is unique_name. Its value appears to be the same as that of the upn claim. Which User entity attribute provides the value for this claim?

Pas answered 22/8, 2018 at 23:48 Comment(1)
Does this answer your question? What JWT claims from Azure AD tokens can be safely used for user mappings? - Wheelbarrow

Based on my observations, the upn claim does not show up for guest users. The unique_name however does show up for all users.

It is not always something that can be displayed, for example for a Guest I added it looks like this:

live.com#[email protected]

So in this case it is actually a personal MS account, as indicated by the live.com# prefix.

In the case of a guest from another AAD, the value is their UPN with no prefix.

That said, if you need a unique identifier for the user that does not change, you can use either the oid or sub claims. The former is the object id for the user, which can be used in calls to the MS Graph API for example, while the latter is a unique identifier for the user in the context of your app. So the object id will be the same across all apps, and the subject will be unique within one app.

Fellah answered 23/8, 2018 at 6:24 Comment(3)
Addendum: unique_name and upn are both part of the OpenID Connect 1.0 Protocol Extensions, and indeed unique_name is a required claim, while upn is not: learn.microsoft.com/en-us/openspecs/windows_protocols/ms-oidce/… - Fleury
Before learning about this, we experimented with the standard email claim, but we encountered AAD tenants where the email claim existed only for guests, not for regular users. - Fleury
The unique_name claim is a v1 endpoint claim. Make sure that your application is configured to use the /oauth2/v2.0/authorize endpoint rather than the v1 /oauth/authorize endpoint if you want to get the upn claim instead of the unique_name claim for guest users, which contains the live.com#first.last format. - Keramic
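As an added illustration of the mapping rule in the answer above (this is example code written for this page, not code from the answer's author or from Microsoft), the block below keys local accounts on oid (falling back to sub) and uses upn or unique_name only for display, stripping the live.com# prefix that personal-account guests carry. The three claim sets are constructed samples, not real tokens; the JWT payload decoder only splits and base64url-decodes the token and does not validate the signature, issuer or audience, which a real application must do against the tenant's signing keys before trusting any claim.

```python
import base64
import json

# Constructed sample claim sets for the three cases described in the answer:
# a tenant member, a guest from another AAD tenant, and a guest who signs in
# with a personal Microsoft account. The values are made up for this example.
SAMPLE_CLAIMS = {
    "member": {
        "oid": "11111111-1111-1111-1111-111111111111",
        "sub": "member-subject-for-this-app",
        "upn": "alice@contoso.example",
        "unique_name": "alice@contoso.example",
    },
    "aad_guest": {
        "oid": "22222222-2222-2222-2222-222222222222",
        "sub": "aad-guest-subject-for-this-app",
        # no upn: the answer observes that it is absent for guests
        "unique_name": "bob@fabrikam.example",
    },
    "msa_guest": {
        "oid": "33333333-3333-3333-3333-333333333333",
        "sub": "msa-guest-subject-for-this-app",
        "unique_name": "live.com#carol@outlook.example",
    },
}

MSA_PREFIX = "live.com#"


def stable_user_key(claims):
    """Return (claim_name, value) to key a local account on.

    oid is stable across every app in the tenant; sub is stable but
    app-specific, so it is only the fallback.
    """
    for name in ("oid", "sub"):
        value = claims.get(name)
        if value:
            return name, value
    raise ValueError("token carries neither oid nor sub; refuse to map user")


def display_identity(claims):
    """Return (display_name, is_personal_account) for UI purposes only.

    Prefers upn, falls back to unique_name, and removes the live.com#
    prefix a personal-account guest carries. Never use this as a mapping key.
    """
    name = claims.get("upn") or claims.get("unique_name")
    if not name:
        raise ValueError("token carries neither upn nor unique_name")
    is_msa = name.startswith(MSA_PREFIX)
    if is_msa:
        name = name[len(MSA_PREFIX):]
    return name, is_msa


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_payload(id_token):
    """Decode the claims segment of a compact JWT WITHOUT validating it.

    Only for inspection: validate signature, iss, aud and exp before using
    anything returned here for authentication.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def make_sample_token(claims):
    """Build a header.payload.signature string with a dummy signature, so the
    decoder can be exercised offline. Hypothetical helper for this example."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])


def resolve_user(claims):
    """Combine both rules into the record an app would store for the user."""
    key_name, key = stable_user_key(claims)
    display, is_msa = display_identity(claims)
    return {"key": f"{key_name}:{key}", "display": display, "personal_account": is_msa}


if __name__ == "__main__":
    for label, claims in SAMPLE_CLAIMS.items():
        print(label, resolve_user(decode_payload(make_sample_token(claims))))
```

Keying on oid rather than upn or unique_name also survives a UPN rename, which is the failure mode the answer is warning about: the display string may change, the object id does not.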

The unique_name claim is a unique identifier that can be displayed to the user; in an id_token this is usually a user principal name (UPN). Many of the tokens issued by Azure AD are implemented as JSON Web Tokens, or JWTs. For the details, please read Azure AD token.

Cookout answered 23/8, 2018 at 1:21 Comment(0)