Vault Azure AD with OIDC - claim "upn" not found in token

I’m looking for a unique human readable field that can be used for users without email addresses.

It needs to be human readable, as it’s to identify users that sign their ssh public keys with Vault's ssh ca. The claim field ends up in /var/log/secure, then forwarded to our SIEM. I don’t want the extra effort of needing to look up a uid from Azure to identify users…

At the moment, no field in the token looks like it’s usable for this use case apart from email address.
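A pre-flight check for the situation above, added here as an example and not part of the original post: decode the payload of an ID token and report which candidate claims the IdP actually issues, so the Vault OIDC role's `user_claim` can be pointed at a claim that really exists. The token is constructed in the code (it carries `email` but no `upn`, matching the mismatch in the question); the tenant id and signature are placeholders, and no signature verification is done because Vault performs that itself at login.

```python
import base64
import json
from typing import List, Optional, Tuple

# Constructed sample ID-token payload (not a real Azure AD token): it has
# "email" but no "upn", mirroring the claim mismatch described in the post.
SAMPLE_PAYLOAD = {
    "iss": "https://login.microsoftonline.com/<tenant-id>/v2.0",
    "sub": "placeholder-subject",
    "email": "alice@example.com",
    "name": "Alice Example",
}

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def build_sample_token() -> str:
    # The signature segment is a dummy; this token is only for claim inspection.
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(SAMPLE_PAYLOAD).encode())
    return f"{header}.{payload}.dummy-signature"

def id_token_claims(token: str) -> dict:
    # Decode the payload segment only. No signature check is done here:
    # Vault validates the token during login; this is a local look at
    # which claims the IdP issues before choosing user_claim.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def pick_user_claim(token: str, candidates: List[str]) -> Tuple[Optional[str], List[str]]:
    """Return the first candidate claim present with a non-empty value, plus
    the candidates the token lacks. Set Vault's OIDC role user_claim to the
    chosen name; a None result means none of the candidates are usable."""
    claims = id_token_claims(token)
    missing = [c for c in candidates if not claims.get(c)]
    chosen = next((c for c in candidates if claims.get(c)), None)
    return chosen, missing

if __name__ == "__main__":
    print(pick_user_claim(build_sample_token(), ["upn", "email"]))
```

Paste a real ID token (obtained via `vault login -method=oidc` debugging or the browser flow) in place of the constructed one to see the claims your tenant actually emits.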