Can't get email claim in access_token in Azure AD

Question

We have configured an App Registration for the SPA in Azure, for Auth Code flow.

We have added email under optional claims as per below:

The manifest file is configured as below:

{
    "id": "<redacted>",
    "acceptMappedClaims": true,
    "accessTokenAcceptedVersion": 1,
    "addIns": [],
    "allowPublicClient": null,
    "appId": "<redacted>",
    "appRoles": [],
    "oauth2AllowUrlPathMatching": false,
    "createdDateTime": "2020-12-03T10:30:07Z",
    "disabledByMicrosoftStatus": null,
    "groupMembershipClaims": "None",
    "identifierUris": [],
    "informationalUrls": {
        "termsOfService": null,
        "support": null,
        "privacy": null,
        "marketing": null
    },
    "keyCredentials": [],
    "knownClientApplications": [],
    "logoUrl": null,
    "logoutUrl": null,
    "name": "<redacted>",
    "oauth2AllowIdTokenImplicitFlow": false,
    "oauth2AllowImplicitFlow": false,
    "oauth2Permissions": [],
    "oauth2RequirePostResponse": false,
    "optionalClaims": {
        "idToken": [],
        "accessToken": [
            {
                "name": "email",
                "source": null,
                "essential": false,
                "additionalProperties": []
            }
        ],
        "saml2Token": []
    },
    "orgRestrictions": [],
    "parentalControlSettings": {
        "countriesBlockedForMinors": [],
        "legalAgeGroupRule": "Allow"
    },
    "passwordCredentials": [],
    "preAuthorizedApplications": [],
    "publisherDomain": "<redacted>",
    "replyUrlsWithType": [
        {
            "url": "https://localhost:44338",
            "type": "Spa"
        }
    ],
    "requiredResourceAccess": [
        {
            "resourceAppId": "<redacted>",
            "resourceAccess": [
                {
                    "id": "<redacted>",
                    "type": "Scope"
                },
                {
                    "id": "<redacted>",
                    "type": "Scope"
                },
                {
                    "id": "<redacted>",
                    "type": "Scope"
                }
            ]
        },
        {
            "resourceAppId": "<redacted>",
            "resourceAccess": [
                {
                    "id": "<redacted>",
                    "type": "Scope"
                }
            ]
        }
    ],
    "samlMetadataUrl": null,
    "signInUrl": null,
    "signInAudience": "AzureADMyOrg",
    "tags": [],
    "tokenEncryptionKeyId": null
}

We have added the email to the permissions:

And finally on the client side I use MSAL browser to initiate authentication with the following scopes supplied:

However, I can't for the life of me figure out why the email claim is not appearing in the access_token

Answer 1

Please see v1.0 and v2.0 optional claims set.

When adding claims to the access token, the claims apply to access tokens requested for the application (a web API), not claims requested by the application.

It means that you email claim apply to the scene that you call your own web API, not call Microsoft Graph API.

You can see details from Protected web API: App registration.

You should configure the email optional claim in the Azure AD app which represents the web API, not the Azure AD app which represents the client end. Then when you request the access token for that API, the email claim will exist in the access token.

Set scope=api://{app id of the AAD app which represents the web api}/.default openid instead of scope=http://graph.microsoft.com/.default openid in the request.

So for calling Microsoft Graph API, you cannot use the built-in email optional claim directly. You need to query the email by calling Microsoft Graph GET https://graph.microsoft.com/v1.0/me/ or use another claim upn in access token.