What Happens During Azure AD Token Validation: A Complete Guide
Purpose of Azure AD Token Validation
- Ensures that access tokens and ID tokens are authentic and unaltered
- Validates the identity of users, applications, or services accessing protected resources
- Prevents unauthorized access by verifying claims and token integrity
- Supports secure communication between clients and APIs using OAuth 2.0 and OpenID Connect
Note: Azure AD token validation is critical for any application or API that relies on Microsoft identity for authentication and authorization.
Prerequisites for Token Validation
- An Azure AD tenant and registered application
- A valid access token or ID token issued by Azure AD
- Knowledge of your application's client_id and tenant_id
- Access to public signing keys (via the Azure AD OpenID Connect metadata endpoint)
- A supported library or SDK for token validation (e.g., Microsoft.Identity.Web, MSAL, or JWT libraries)
Warning: Never trust tokens without validating them, even if they appear to be from Azure AD.
Step-by-Step Guide: How Azure AD Token Validation Works
1. Decode the Token
Parse the JWT token to extract header, payload (claims), and signature.
2. Retrieve Signing Keys
Obtain the public keys from Azure AD's OpenID Connect metadata endpoint (the OpenID configuration document, whose jwks_uri points to the current signing keys).
3. Validate the Signature
Verify the token's signature using the public key to ensure it was issued by Azure AD and not tampered with.
4. Check Token Claims
- Audience (aud): should match your application's client ID or API identifier
- Issuer (iss): should match Azure AD's expected issuer URL
- Expiration (exp): ensure the token has not expired
- Not Before (nbf): ensure the token is already active
- Scope/roles: confirm the required permissions are present
5. Accept or Reject the Token
If all validations pass, grant access. Otherwise, reject the request and return an appropriate error.
Usage Examples
1. Validating Tokens in a .NET Core Web API
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options => {
options.Authority = "https://login.microsoftonline.com/{tenant_id}/v2.0";
options.Audience = "{client_id}";
});
2. Token Validation in Node.js (Express + jsonwebtoken)
const jwt = require('jsonwebtoken');
const jwksClient = require('jwks-rsa');
const client = jwksClient({
  jwksUri: 'https://login.microsoftonline.com/{tenant_id}/discovery/v2.0/keys'
});
// Look up the signing key whose kid matches the token header
function getKey(header, callback) {
  client.getSigningKey(header.kid, function(err, key) {
    if (err) return callback(err);
    var signingKey = key.publicKey || key.rsaPublicKey;
    callback(null, signingKey);
  });
}
// Pin the algorithm and check audience and issuer together with the signature
var options = {
  algorithms: ['RS256'],
  audience: '{client_id}',
  issuer: 'https://login.microsoftonline.com/{tenant_id}/v2.0'
};
// token: the bearer token taken from the request's Authorization header
jwt.verify(token, getKey, options, function(err, decoded) {
  if (err) { /* reject the request with 401 */ return; }
  // decoded holds the verified claims
});
3. Securing a REST API Endpoint
GET /api/orders HTTP/1.1
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIs...
The API validates the token before processing the request.
4. Authenticating Git Operations with Azure Repos
git clone https://<organization>@dev.azure.com/<organization>/_git/<repo>
# Git uses a Personal Access Token (PAT) or OAuth token, validated by Azure AD
Azure DevOps validates the token before granting repository access.
5. Validating Tokens in Python (Flask + PyJWT)
import jwt
from jwt.algorithms import RSAAlgorithm

# jwk_json: the JWKS entry (as a JSON string) whose kid matches the token header's kid
public_key = RSAAlgorithm.from_jwk(jwk_json)
# Pin the algorithm and let PyJWT check aud, iss, exp and nbf; any failure raises a jwt exception
payload = jwt.decode(
    token,
    public_key,
    algorithms=['RS256'],
    audience='client_id',
    issuer='https://login.microsoftonline.com/{tenant_id}/v2.0',
)
Security Best Practices
- Always validate tokens on the server side, never on the client
- Use HTTPS for all communications to prevent token interception
- Check all critical claims: aud, iss, exp, nbf, scope
- Regularly update your libraries and dependencies to address vulnerabilities
- Implement token revocation and lifetime policies as needed
- Log failed validation attempts for audit and monitoring
Warning: Never accept tokens with invalid signatures or expired claims. Doing so exposes your application to security risks.
Feature Comparison: Access Token vs. ID Token
Feature | Access Token | ID Token |
---|---|---|
Purpose | Authorize access to APIs | Authenticate the user |
Audience (aud) | API/Application | Client Application |
Contains User Claims | Limited | Yes |
Used By | APIs | Client Apps |
Issued For | Resource Access | User Authentication |
Frequently Asked Questions
Q: What happens when a token fails validation?
A: The request is rejected, and the client must obtain a new token from Azure AD.
Q: Can tokens be validated offline?
A: Yes, as long as you have the public signing keys and the token is not revoked. However, for critical scenarios, check token revocation status online.
Q: Which libraries should be used for token validation?
A: Use official libraries such as Microsoft.IdentityModel.Tokens for .NET, jsonwebtoken for Node.js, and PyJWT for Python.
Q: How should token revocation be handled?
A: Implement token revocation checks by validating against Azure AD's token revocation endpoints or using short-lived tokens with refresh mechanisms.
Q: How does validating an access token differ from validating an ID token?
A: Access tokens are validated by APIs to authorize resource access, while ID tokens are validated by client apps to authenticate users.