Country Attribute is not getting Emitted in the token

Adamgo Trinitron 5 Reputation points
2023-11-06T22:59:55.8566667+00:00

I am running into the issue described in this docbug:

https://github.com/MicrosoftDocs/azure-docs/issues/26573

It seems that if the value of a user's country attribute is anything other than a two-character string, that value is rejected and ANY user claims that refer to user.country, including...

  • the OIDC ctry claim
  • any custom claims that directly refer to user.country
  • any custom claim that has a transformation that includes user.country as one of the values

...will not have a value for the country passed in the JWT token.

According to https://video2.skills-academy.com/en-us/entra/identity-platform/optional-claims-reference#v10-and-v20-optional-claims-set, the rules for the optional ctry claim are as follows:

ctry: User's country/region (JWT). This claim is returned if it's present and the value of the field is a standard two-letter country/region code, such as FR, JP, SZ, and so on.

This seems like a bug. It appears that whatever code within Entra ID is performing the validation on populating the ctry attribute is doing the validation early, once it picks up the value of user.country from Entra ID. Instead, it seems as if the validation should be done later at the time the ctry claim is dropped into the JWT token. In that case, any non-two-character code would be rejected for the ctry claim, but wherever user.country is used for custom claims (transformed or not), the value would get passed to the JWT token.

Here's where it's impacting us (and I'm assuming other organizations). Microsoft 365 expects the user.country attribute to be the spelled-out name of the country, not the two-character ISO abbreviation. See https://video2.skills-academy.com/en-us/microsoft-365/enterprise/configure-user-account-properties-with-microsoft-365-powershell?view=o365-worldwide as an example of where Microsoft has documented this. As such, our users have that attribute populated with values such as "Canada" and "Germany", rather than "CA" and "DE". Any custom claims that use user.country are effectively NULL. Please "shift right" on the validation logic. Thanks.
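Before reading the answer, it helps to see the rule the question quotes applied to real-looking data. The following is an added example, not code from the original post or from Microsoft: it models the documented ctry condition ("a standard two-letter country/region code") as a predicate, runs it over a constructed list shaped like Graph `GET /users?$select=userPrincipalName,country` output so you can see which users would lose ctry and any user.country-derived custom claims, suggests an ISO 3166-1 alpha-2 code from a deliberately partial lookup table, and decodes the payload of a constructed token to confirm that no country claim is present. How Entra treats lower-case codes is not stated in the docs, so the predicate's strict upper-case requirement is an assumption.

```python
"""Audit user.country values against the documented ctry rule, and inspect a token.

Added example, not from the original post. SAMPLE_USERS and SAMPLE_JWT are
constructed fixtures shaped like Graph /users output and an Entra access token;
NAME_TO_ALPHA2 is a deliberately partial lookup.
"""
import base64
import json

# Constructed sample: the shape of GET /users?$select=userPrincipalName,country
SAMPLE_USERS = [
    {"userPrincipalName": "alice@contoso.example", "country": "CA"},
    {"userPrincipalName": "bob@contoso.example", "country": "Canada"},
    {"userPrincipalName": "carol@contoso.example", "country": "Germany"},
    {"userPrincipalName": "dave@contoso.example", "country": None},
    {"userPrincipalName": "erin@contoso.example", "country": "DE"},
    {"userPrincipalName": "frank@contoso.example", "country": "Narnia"},
]

# Constructed, intentionally partial: full country name -> ISO 3166-1 alpha-2.
NAME_TO_ALPHA2 = {
    "canada": "CA",
    "germany": "DE",
    "france": "FR",
    "japan": "JP",
    "eswatini": "SZ",
}


def ctry_would_be_emitted(value):
    """Apply the documented rule: the ctry claim is returned only if the field
    holds a standard two-letter country/region code (FR, JP, SZ, ...).

    Assumption: modelled as exactly two ASCII letters in upper case. The docs
    do not say how mixed case is treated, so this check is strict."""
    return (
        isinstance(value, str)
        and len(value) == 2
        and value.isascii()
        and value.isalpha()
        and value.isupper()
    )


def audit_users(users):
    """Split users into those whose country passes the rule and those whose
    ctry and user.country-derived custom claims would be absent from tokens.
    For the latter, suggest an alpha-2 code when the lookup knows the name."""
    ok, dropped = [], []
    for user in users:
        value = user.get("country")
        if ctry_would_be_emitted(value):
            ok.append(user["userPrincipalName"])
            continue
        suggestion = None
        if isinstance(value, str):
            suggestion = NAME_TO_ALPHA2.get(value.strip().lower())
        dropped.append({
            "upn": user["userPrincipalName"],
            "country": value,
            "suggested_alpha2": suggestion,
        })
    return ok, dropped


def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def country_claims_in_token(token, claim_names=("ctry",)):
    """Read the payload of a JWT you already hold and report which of the named
    country claims are present. The signature is NOT verified: this inspects a
    token for debugging, it does not validate one."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    payload = json.loads(_b64url_decode(parts[1]))
    return {name: payload.get(name) for name in claim_names}


# Constructed fixture: header and payload of an Entra-style token for bob, whose
# country is "Canada", so neither ctry nor a custom country claim was emitted.
# The third segment is a placeholder, not a real signature.
SAMPLE_JWT = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps({
        "aud": "api://contoso-example",
        "iss": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
        "preferred_username": "bob@contoso.example",
        "name": "Bob",
    }).encode()),
    "placeholder-signature",
])


if __name__ == "__main__":
    emitted, missing = audit_users(SAMPLE_USERS)
    print("ctry will be emitted for:", emitted)
    for row in missing:
        print("dropped:", row)
    print(country_claims_in_token(SAMPLE_JWT, ("ctry", "countryName")))
```

Run it against your own tenant by replacing SAMPLE_USERS with the result of a Graph users query and SAMPLE_JWT with an access token captured from a test sign-in; users listed under "dropped" are exactly the ones the question describes, where Microsoft 365 guidance puts a spelled-out name in the attribute and the two-letter rule then suppresses every claim derived from it.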


1 answer

  1. 2023-11-23T20:21:57.68+00:00

    Hello @Adamgo Trinitron and thanks for spotting the country value being output as null even for custom claims. I will reach out to the product team to discuss whether exposing non-ISO values in custom claims is in their roadmap and will come back with an update.

    In the meantime you might try implementing a custom claims provider, which will allow you to feed Entra ID with the country value in its original form so that you can expose it in a custom claim.

    Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.
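The workaround the answer suggests is a custom claims provider: an API that Entra calls during token issuance and that can return extra claims verbatim. The following is an added example, not code from the answer or from Microsoft, showing the core of such a handler. The event and response field names follow the tokenIssuanceStart format of the custom claims provider reference as I recall it and should be checked against the current documentation; `COUNTRY_BY_USER_ID` is a constructed stand-in for a Microsoft Graph lookup of the user's country attribute, which the event itself does not carry, and `countryName` is a claim name chosen for illustration.

```python
"""Minimal handler for an Entra custom claims provider (custom authentication
extension) that returns user.country in its original, spelled-out form.

Added example, not from the original post or from Microsoft. Event and response
shapes follow the tokenIssuanceStart format as recalled from the custom claims
provider reference; verify field names against the current docs.
COUNTRY_BY_USER_ID stands in for a Microsoft Graph lookup of the user's country
attribute, which is not part of the event payload.
"""
import json

TOKEN_ISSUANCE_START = "microsoft.graph.authenticationEvent.tokenIssuanceStart"

# Constructed stand-in for GET /users/{id}?$select=country.
COUNTRY_BY_USER_ID = {
    "11111111-1111-1111-1111-111111111111": "Canada",
    "22222222-2222-2222-2222-222222222222": "Germany",
}


def lookup_country(user_id):
    """Return the stored country attribute, or None when it is unset."""
    return COUNTRY_BY_USER_ID.get(user_id)


def handle_token_issuance_start(event, country_lookup=lookup_country,
                                claim_name="countryName"):
    """Build the provideClaimsForToken response for one token issuance event.

    The HTTP layer hosting this must first validate the bearer token Entra
    presents to the extension endpoint (issuer and audience); this function only
    maps an already-authenticated event to a response body.
    """
    if event.get("type") != TOKEN_ISSUANCE_START:
        raise ValueError(f"unexpected event type: {event.get('type')!r}")

    user = event["data"]["authenticationContext"]["user"]
    country = country_lookup(user["id"])

    # Pass the attribute through untouched: "Canada" stays "Canada". The
    # two-letter rule applies to the built-in ctry claim; this custom claim
    # carries whatever the provider returns.
    claims = {claim_name: country} if country else {}

    return {
        "data": {
            "@odata.type": "microsoft.graph.onTokenIssuanceStartResponseData",
            "actions": [
                {
                    "@odata.type": "microsoft.graph.tokenIssuanceStart.provideClaimsForToken",
                    "claims": claims,
                }
            ],
        }
    }


def make_sample_event(user_id, upn):
    """Constructed tokenIssuanceStart event carrying only the fields used above."""
    return {
        "type": TOKEN_ISSUANCE_START,
        "data": {
            "@odata.type": "microsoft.graph.onTokenIssuanceStartCalloutData",
            "tenantId": "00000000-0000-0000-0000-000000000000",
            "authenticationContext": {
                "correlationId": "constructed-correlation-id",
                "protocol": "OAUTH2.0",
                "user": {"id": user_id, "userPrincipalName": upn},
            },
        },
    }


if __name__ == "__main__":
    sample = make_sample_event("11111111-1111-1111-1111-111111111111",
                               "bob@contoso.example")
    print(json.dumps(handle_token_issuance_start(sample), indent=2))
```

In a deployment, `lookup_country` would call Graph with an application identity that has read access to user profiles, and the endpoint must reject any request whose bearer token was not issued for the extension's own app registration; without that check, anyone who can reach the URL can inject claims into your tokens.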
