Vault Azure OIDC Integration Issue

Hello Team,

I have been trying to integrate Azure AD along with Vault using the below link,

But after configuration when I try to login it gives me “claim email not found in token”.

When I define the oidc scope as email while writing the role details in oidc auth instead of graph api then the issue is resolved and I am able to retrieve the token. Reference of the step mentioned below,

vault write auth/oidc/role/approle

From Azure side I have verified the steps and we are good on that side. So, kindly let me know if anyone has any idea around this.

Post the JWT you get back from Azure-AD. You might have to run your code through a mitmproxy to get it.

That error message is telling you the problem : the JWT you are getting back from AzureAD does not have the email claim in it.

Vault looks for the claim in the ID token. Make sure it’s in it, with the exact same name.