
azure active directory - Id token in microsoft with .Default scope - Stack Overflow

  1. I requested the scopes openid and email separately and got an ID token in the response of the OAuth 2.0 flow, and I can decode it to retrieve the user's email.
  2. But if I have the openid scope added to the app and request the /.default scope, I don't get any ID token.

Why doesn't /.default with openid granted give an ID token?

asked Feb 10 at 10:39 by codex
  • Could you include what authentication flow you are using to generate tokens? – Sridevi Commented Feb 10 at 10:44
  • OAuth 2.0, single-tenant Microsoft Entra app with admin consent – codex Commented Feb 10 at 11:43
  • Are you using delegated flows like authorization code flow? – Sridevi Commented Feb 10 at 11:46

1 Answer


Initially, I registered one application and granted the following API permissions to it:

Now, I ran the authorization request below in the browser with the /.default scope to get the code value:

https://login.microsoftonline.com/tenantId/oauth2/v2.0/authorize?
client_id=appId
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345

When I requested tokens with the /.default scope, I too got only an access token in the response, without an ID token:

POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
grant_type: authorization_code
client_id: appID
client_secret: secret
scope: https://graph.microsoft.com/.default
code: <code_from_above_Step>
redirect_uri: https://jwt.ms

Note that openid, profile, email and offline_access are OpenID Connect (OIDC) scopes.

  • When you call the /authorize endpoint with the /.default scope, it aggregates the delegated permissions granted to the app for Microsoft Graph or other APIs and does not trigger OpenID Connect (OIDC) authentication behavior.
  • To get an ID token, make sure to explicitly request the openid scope in the /authorize request.

In my case, I explicitly included openid and email in the scopes of the authorization request when getting the code value:

https://login.microsoftonline.com/tenantId/oauth2/v2.0/authorize?
client_id=appId
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/.default openid email
&state=12345

When I requested tokens with the /.default scope, I got a response with both an access token and an ID token, as below:

POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
grant_type: authorization_code
client_id: appID
client_secret: secret
scope: https://graph.microsoft.com/.default
code: <code_from_above_Step>
redirect_uri: https://jwt.ms

Response:

When I decoded this ID token on the jwt.ms website, it had the signed-in user's email, as below:

In your case, make sure to explicitly include openid and email in the scope parameter of the authorization request. If authentication is done like that, you can get both tokens with the /.default scope too.

Reference:

Microsoft Graph permissions reference - Microsoft Graph | Microsoft Learn
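The following is an added example, not part of the original question or answer and not Microsoft's code. It builds the two authorization requests the answer compares (/.default alone versus /.default plus openid and email), checks whether a token-endpoint response carries an id_token, and then extracts the email claim only after the issuer, audience, tenant, nonce and validity-window checks a relying party should perform. The tenant ID, app ID, nonce and the sample id_token are constructed placeholders, and the sample token is unsigned: signature verification against the tenant's JWKS is deliberately left out so the example runs offline, and is called out as the missing step in the code.

```python
import base64
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"
GRAPH_DEFAULT = "https://graph.microsoft.com/.default"
OIDC_SCOPES = ("openid", "email")

# Constructed placeholder identifiers (not a real tenant or app).
TENANT = "11111111-2222-3333-4444-555555555555"
APP = "66666666-7777-8888-9999-000000000000"


def authorize_url(tenant_id, client_id, redirect_uri, scopes, state, nonce):
    """Build the v2.0 authorization-code request.

    /.default alone only aggregates consented delegated permissions, so the
    token endpoint returns no id_token; append the OIDC scopes when one is
    wanted. The nonce is echoed back in the id_token's `nonce` claim and lets
    the client bind that token to this particular request.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize?{urlencode(params)}"


def requested_scopes(url):
    """Scopes actually carried by an authorization URL, as a list."""
    return parse_qs(urlparse(url).query)["scope"][0].split()


def wants_id_token(url):
    """True only if the request can yield an id_token (openid present)."""
    return "openid" in requested_scopes(url)


def has_id_token(token_response):
    """Check a token-endpoint JSON response for an id_token."""
    return bool(token_response.get("id_token"))


def _b64url_decode_json(segment):
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


def _b64url_encode_json(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def id_token_email(id_token, tenant_id, client_id, nonce, now=None):
    """Return the email claim after the checks a relying party must make.

    CAVEAT: this validates claims only. Before trusting any claim, a real
    relying party must verify the RS256 signature against the tenant's JWKS
    (the jwks_uri from the OpenID configuration document). That step is
    omitted here because the example runs offline on a constructed token.
    """
    header_b64, payload_b64, _signature_b64 = id_token.split(".")
    header = _b64url_decode_json(header_b64)
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    claims = _b64url_decode_json(payload_b64)
    now = time.time() if now is None else now
    if claims.get("iss") != f"{AUTHORITY}/{tenant_id}/v2.0":
        raise ValueError("issuer mismatch")
    if claims.get("aud") != client_id:
        raise ValueError("audience mismatch: token was not issued to this app")
    if claims.get("tid") != tenant_id:
        raise ValueError("tenant mismatch")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: possible replayed token")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token outside its validity window")
    if "email" not in claims:
        raise ValueError("no email claim; request the email scope")
    return claims["email"]


def make_sample_id_token(tenant_id, client_id, nonce, email, now):
    """Constructed, UNSIGNED sample id_token for the offline demo only."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "sample-kid"}
    claims = {
        "iss": f"{AUTHORITY}/{tenant_id}/v2.0", "aud": client_id,
        "tid": tenant_id, "nonce": nonce, "email": email,
        "iat": int(now), "nbf": int(now) - 60, "exp": int(now) + 3600,
    }
    return f"{_b64url_encode_json(header)}.{_b64url_encode_json(claims)}.AAAA"


if __name__ == "__main__":
    nonce, now = "n-0123", int(time.time())
    u1 = authorize_url(TENANT, APP, "https://jwt.ms", [GRAPH_DEFAULT], "12345", nonce)
    u2 = authorize_url(TENANT, APP, "https://jwt.ms",
                       [GRAPH_DEFAULT, *OIDC_SCOPES], "12345", nonce)
    print("/.default only can yield id_token:", wants_id_token(u1))
    print("/.default openid email can yield id_token:", wants_id_token(u2))
    tok = make_sample_id_token(TENANT, APP, nonce, "user@contoso.example", now)
    print("email from id_token:", id_token_email(tok, TENANT, APP, nonce, now))
```

Decoding the payload on jwt.ms is fine for inspection, but an application must not read the email out of an id_token it has not signature-checked, and the audience check matters because an id_token for a different app in the same tenant decodes just as cleanly.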
