
Unable to Configure sub Claim as Email in Azure AD Access Token (App Registration)

Sanket Mahajan 0 Reputation points
2026-04-08T07:13:04.9433333+00:00

We are integrating Azure AD (Microsoft Entra ID) as an Identity Provider using OAuth 2.0 for Tableau Cloud. The integration is configured using an Azure AD App Registration, and we are using the access token issued by Azure AD for authentication with the target system.

The target system requires that the sub claim in the token must contain the user’s email address.

During our testing with Azure AD access tokens, we observed that the sub claim is automatically generated as an opaque identifier and does not match the user’s email address.

We would like confirmation on the following:

Is it possible in Azure AD (via App Registration or any token configuration settings) to override or configure the sub claim so that it contains the user’s email address instead of the default identifier?

If this is not supported in standard Azure AD App Registrations, please advise if there are any supported approaches to achieve this behaviour.

Thank you.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Rukmini 35,170 Reputation points Microsoft External Staff Moderator
    2026-04-08T07:18:31.6+00:00

    Hello Sanket Mahajan

    • In Azure AD / Microsoft Entra ID, the sub claim is immutable and cannot be changed or mapped to another attribute (like email). It is an opaque, app‑specific identifier.

    https://dotnet.territoriali.olinfo.it/sk-sk/entra/identity-platform/id-token-claims-reference?


    Hence try the below:

    • Keep sub as the unique identifier.
    • Use email, upn, or preferred_username claims (via optional claims) if the target system requires the user’s email.
    • Only Azure AD B2C with custom policies allows overriding sub.

    If the resolution was helpful, kindly take a moment to click on Yes for "Was this answer helpful". And, if you have any further query, do let us know.


  2. Q&A Assist
    2026-04-08T07:13:22.5366667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Azure AD (Microsoft Entra ID) does not support changing the semantics of the sub claim in OAuth2/OIDC tokens. The sub (subject) claim is designed to be a stable, opaque, non-reassignable identifier for the security principal, not a human-readable attribute such as email.

    From the token behavior:

    • The sub claim is the principal about which the token asserts information and is intended to be immutable and safely usable for authorization decisions.
    • By design, it is not meant to be an email address or any other mutable user attribute.

    “The Subject (sub) claim – The principal about which the token asserts information, such as the user of an application. This value is immutable and can't be reassigned or reused. It can be used to perform authorization checks safely…”

    Because of this design, there is no supported configuration in a standard Microsoft Entra ID app registration (or token compatibility settings) to:

    • Override sub to contain the user’s email, or
    • Map sub to any other user attribute.

    Supported approaches instead are:

    • Use sub or oid as the stable identifier for the user, and use other claims (such as email, upn, or custom/optional claims) for the email address.
    • If the target system requires email in sub, that system is not aligned with the OIDC/JWT best practices for sub. The recommended pattern is to configure the target system to:
      • Use sub or oid as the unique key, and
      • Use email (or another claim) for the email address.

    Microsoft explicitly recommends not using human-readable data (like email) as the primary identifier and instead using sub or oid:

    “Your application mustn't use human-readable data to identify a user. You can use extension claims provided by Microsoft, such as the sub and oid claims.”

    Therefore:

    • It is not possible or supported to configure sub to be the user’s email in Azure AD access tokens.
    • The supported approach is to keep sub/oid as the stable identifier and adjust the relying party (Tableau Cloud) configuration or integration logic to use email from a different claim while using sub/oid as the unique ID.


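Both answers describe the same pattern: keep sub (or tid+oid) as the account key, expose the address through an optional claim such as email, upn or preferred_username, and have the relying party read the address from that claim. The following is an added worked example, not code from the thread, from Tableau, or from Microsoft. It assumes a v2 access token issued for the app's own API, shows the documented optionalClaims manifest shape that requests email and upn, and then does the relying-party side: parse the token, fail closed when the identifier claims or every address-bearing claim is missing, and return the immutable key separately from the (mutable) email. The two sample tokens are constructed with invented sub/oid/tid values and a placeholder signature; signature, issuer, audience and expiry validation are deliberately left out and must be done against the tenant JWKS before any of this is trusted.

```python
import base64
import json

# Optional-claims fragment for the app registration manifest, in the documented
# "optionalClaims" shape. Adding it makes "email" and "upn" appear in access
# tokens issued for this app's own API; it never changes "sub", which stays an
# opaque, per-app identifier. Which claims you really need is an assumption.
OPTIONAL_CLAIMS_MANIFEST = {
    "optionalClaims": {
        "idToken": [],
        "accessToken": [
            {"name": "email", "source": None, "essential": False, "additionalProperties": []},
            {"name": "upn", "source": None, "essential": False, "additionalProperties": []},
        ],
        "saml2Token": [],
    }
}

# Claims that can carry an address, in order of preference. None of them is an
# identifier: "email" is not guaranteed to be verified, and "upn" and
# "preferred_username" change when the account is renamed.
EMAIL_CLAIMS = ("email", "upn", "preferred_username")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(payload: dict) -> str:
    """Build a constructed JWT for this example. The signature segment is a
    placeholder; real Entra tokens are RS256-signed with the tenant's keys."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256", "kid": "example-kid"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return ".".join((header, body, _b64url_encode(b"signature-placeholder")))


def parse_claims(token: str) -> dict:
    """Decode the payload segment only. Signature, issuer, audience and expiry
    checks are out of scope here: in production validate the token against the
    tenant's JWKS (for example with PyJWT) before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def resolve_identity(claims: dict) -> dict:
    """Key the account on immutable identifiers and carry email separately.

    sub     : immutable, but pairwise per app registration
    tid+oid : immutable and identical across every app in the tenant
    """
    missing = [c for c in ("sub", "oid", "tid") if not claims.get(c)]
    if missing:
        raise ValueError(f"token lacks identifier claims: {missing}")
    source = next((c for c in EMAIL_CLAIMS if claims.get(c)), None)
    if source is None:
        # Happens e.g. for a guest whose mail attribute is unset; fail closed
        # rather than synthesising an address from some other claim.
        raise ValueError("no address-bearing claim present; request one as an optional claim")
    return {
        "subject": claims["sub"],
        "tenant_user_key": f"{claims['tid']}:{claims['oid']}",
        "email": claims[source],
        "email_source": source,
    }


# Constructed sample payloads: the same user before and after a rename of the
# mailbox. All identifier values are invented, not real tenant data.
TOKEN_BEFORE = make_sample_token({
    "sub": "AAAAAAAAAAAAAAAAAAAAAJ7x4d8cQd0lGz5vGbsL3k0",
    "oid": "11111111-2222-3333-4444-555555555555",
    "tid": "66666666-7777-8888-9999-000000000000",
    "email": "jane.doe@contoso.example",
    "preferred_username": "jane.doe@contoso.example",
})
TOKEN_AFTER = make_sample_token({
    "sub": "AAAAAAAAAAAAAAAAAAAAAJ7x4d8cQd0lGz5vGbsL3k0",
    "oid": "11111111-2222-3333-4444-555555555555",
    "tid": "66666666-7777-8888-9999-000000000000",
    "upn": "jane.smith@contoso.example",
    "preferred_username": "jane.smith@contoso.example",
})

if __name__ == "__main__":
    before = resolve_identity(parse_claims(TOKEN_BEFORE))
    after = resolve_identity(parse_claims(TOKEN_AFTER))
    assert before["tenant_user_key"] == after["tenant_user_key"]  # same account, renamed mailbox
    print(before["email"], "->", after["email"], "(read from", after["email_source"] + ")")
```

The point of the two tokens is that the address changes while subject and tenant_user_key do not; if the relying party had used the address as its key, the rename would have created a second account. Whether to store sub or tid:oid is a deployment choice: sub is enough when only this app registration ever looks the user up, tid:oid is the right key when several registrations share one user store.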
