Vault Azure AD with OIDC - claim "upn" not found in token

Hi All,

I’m following the guide here: Azure Active Directory with OIDC Auth Method and External Groups | Vault - HashiCorp Learn

Authentication works correctly when I use user_claim="email" as specified in the guide.

I would like to use user_claim=“upn”, as not all of our users have an email account.

In Azure AD,
under App Registrations → API Permissions: I've given 'Microsoft Graph' profile and User.Read permissions.

under Token configuration, I’ve added optional claim upn, for ID, Access and SAML Types - because I didn’t know which one was correct.

I can see in the manifest:

"optionalClaims": {
  "idToken": [
    {
      "name": "upn",
      "source": null,
      "essential": false,
      "additionalProperties": []
    },
    {
      "name": "groups",
      "source": null,
      "essential": false,
      "additionalProperties": []
    }
  ],
  "accessToken": [
    {
      "name": "upn",
      "source": null,
      "essential": false,
      "additionalProperties": []
    }
  ],
  "saml2Token": [
    {
      "name": "upn",
      "source": null,
      "essential": false,
      "additionalProperties": []
    }
  ]
}

I’ve updated the oidc role to use user_claim=“upn”:

vault write auth/oidc/role/${VAULT_LOGIN_ROLE} \
   user_claim="upn" \
   allowed_redirect_uris="http://localhost:8250/oidc/callback" \
   allowed_redirect_uris="${VAULT_ADDR}/ui/vault/auth/oidc/oidc/callback"  \
   groups_claim="groups" \
   policies="kv-reader" \
   oidc_scopes="https://graph.microsoft.com/.default"

But when a user attempts to log in:

vault login -method=oidc

They get an error: claim “upn” not found in token

I’ve enabled verbose_oidc_logging and log_level=Debug, and confirm that the upn field is not returned in the token.

Is there something I am missing?
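To see exactly which claims the ID token carries before Vault looks for `user_claim`, it helps to decode the token payload locally. The following is an added diagnostic script, not part of the original post or of Vault or Azure AD; it only base64url-decodes the payload of a JWT (no signature verification, which Vault itself performs) and reports whether the requested claim is present and which human-readable alternatives exist. The sample token, its `aud`/`oid`/`groups` values and the candidate claim list are constructed for the example; `preferred_username` is a standard claim in Microsoft identity platform v2.0 ID tokens but is not mentioned in the thread.

```python
import base64
import json

# Constructed sample ID-token payload in Azure AD style (NOT a real token).
# Note that "upn" is absent, mirroring the situation in the thread.
SAMPLE_CLAIMS = {
    "aud": "00000000-0000-0000-0000-000000000000",   # placeholder client id
    "iss": "https://login.microsoftonline.com/<tenant-id>/v2.0",
    "name": "Jane Doe",
    "preferred_username": "jdoe@example.com",
    "oid": "11111111-1111-1111-1111-111111111111",   # placeholder object id
    "groups": ["22222222-2222-2222-2222-222222222222"],
}

# Claims a Vault role could plausibly use as a human-readable user_claim
# (assumed candidate list for this example).
CANDIDATE_USER_CLAIMS = ["upn", "preferred_username", "email", "name"]


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def build_sample_token(claims: dict) -> str:
    """Assemble a compact JWS with a placeholder signature for local testing."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "placeholder-kid"}
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(claims).encode()),
        b64url_encode(b"not-a-real-signature"),
    ])


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.
    Diagnostic use only: Vault validates the signature and issuer before it
    ever evaluates user_claim, so never base an authorization decision on this."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(b64url_decode(parts[1]))


def check_user_claim(claims: dict, wanted: str) -> dict:
    """Report whether the configured user_claim is present and which
    human-readable alternatives the token does carry."""
    return {
        "requested": wanted,
        "found": wanted in claims,
        "available": [c for c in CANDIDATE_USER_CLAIMS if c in claims],
        "all_claims": sorted(claims),
    }


if __name__ == "__main__":
    # In practice, paste the id_token from Vault's verbose_oidc_logging output.
    token = build_sample_token(SAMPLE_CLAIMS)
    report = check_user_claim(decode_jwt_claims(token), "upn")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the real ID token captured in the debug log, the `available` list shows directly which claim names Vault could be pointed at with `user_claim`, and `all_claims` makes it obvious whether the optional claim configured in the app registration ever reached the token.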

Have a look at this thread, it might provide some insight: Azure OIDC Group claim not found, now working but why?!?! - #3 by s.smith1

Thanks for responding, I had not seen that post, but in this case, unfortunately it does not help.

I am using:

   user_claim="upn" 
   groups_claim="groups" 

The groups come through in the token, and I can assign an external group.

I switched to groups_claim="roles", but it did not make any difference - UPN field is still missing.

Under API Permissions, I added the permission Directory.Read.All.

Under Token Configuration, for optional claims, I selected all claims for ID, access and SAML.

Still no UPN field :frowning:

Is the attribute “onpremises_user_principal_name” or “user_principal_name” present in the claim?

I use those via Terraform’s AzureAD User data source, not sure if the attributes come across that way in the claim, however.

I'm looking for a unique human-readable field that can be used for users without email addresses.

It needs to be human readable, as it's to identify users that sign their SSH public keys with Vault's SSH CA. The claim field ends up in /var/log/secure, then forwarded to our SIEM. I don't want the extra effort of needing to look up a uid from Azure to identify users…

At the moment, no field in the token looks like it’s usable for this use case apart from email address.

I’m not an AzureAD OIDC expert but I did find a few interesting bits of information.

There’s an attribute called “name” that is included with the claim when the “profile” permission is granted. See Microsoft’s Claims in an ID Token doc’s payload claims section. HashiCorp also has the “profile” permission documented for some optional AzureAD functionality as well.

However, UPN is an optional attribute that can be enabled on the Azure side of things from what I understand from Microsoft’s Optional Claims documentation.

I think you’ll be able to fulfill your requirements but it might take some updates on the Azure side to get fully up and running.