I created a new app service and set accessTokenAcceptedVersion to 2 in manifest.json as I am looking for a v2 token similar to here. However, the accessToken generated by Microsoft always has an iss value of sts.windows.net when decoded. I would like it to be login.microsoftonline.com. Please advise.
This is my implementation:
This is my token when decoded:
Please advise.
Please see this part (just in the link you shared):
Resources always own their tokens (those with their aud claim) and are the only applications that can change their token details. This is why changing the access token optional claims for your client does not change the access token received when a token is requested for user.read, which is owned by the Microsoft Graph resource.
It means that the accessTokenAcceptedVersion setting should be configured in the service-side app registration rather than the client-side app registration.
For a Microsoft Graph token, we are unable to configure it on the service side because the Microsoft Graph app registration is officially managed by Microsoft.
Configuring accessTokenAcceptedVersion in your client-side won't change the token version to 2. It is expected.
This feature is mainly used when you call your own AAD protected web API, rather than a Microsoft official API.
UPDATE:
If you want to call your own API, you should create the service-side app registration by Protected web API: App registration and set accessTokenAcceptedVersion in it.
Here is the complete document for Scenario: A web app that calls web APIs.
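To see which registration controls a given access token, the following added example (not part of the question or the answer above) decodes the claims and reports the issuer format together with the resource named in aud. The tenant ID, API client ID and sample tokens are constructed placeholders, and the payload is decoded without signature verification, so this is a diagnostic aid and not token validation.

```python
import base64
import json

# Well-known identifiers of the Microsoft Graph resource (URI and app ID).
GRAPH_AUDIENCES = {"https://graph.microsoft.com",
                   "00000003-0000-0000-c000-000000000046"}

def decode_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def diagnose(token, my_api_audiences):
    """Report the token format and which resource registration controls it."""
    claims = decode_claims(token)
    iss, aud = claims.get("iss", ""), claims.get("aud", "")
    if iss.startswith("https://sts.windows.net/"):
        fmt = "v1"
    elif (iss.startswith("https://login.microsoftonline.com/")
          and iss.rstrip("/").endswith("/v2.0")):
        fmt = "v2"
    else:
        fmt = "unknown"
    if aud in GRAPH_AUDIENCES:
        owner = "microsoft-graph"  # format set by Microsoft, not by your manifest
    elif aud in my_api_audiences:
        owner = "own-api"  # format follows accessTokenAcceptedVersion on the API registration
    else:
        owner = "other-resource"
    return {"format": fmt, "ver": claims.get("ver"), "aud": aud, "owner": owner}

def make_sample(claims):
    """Build an unsigned, constructed token for the demo below."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.constructed"

TENANT = "11111111-1111-1111-1111-111111111111"  # placeholder tenant ID
MY_API = "22222222-2222-2222-2222-222222222222"  # placeholder API app (client) ID
GRAPH_TOKEN = make_sample({"iss": f"https://sts.windows.net/{TENANT}/", "ver": "1.0",
                           "aud": "00000003-0000-0000-c000-000000000046"})
API_TOKEN = make_sample({"iss": f"https://login.microsoftonline.com/{TENANT}/v2.0",
                         "ver": "2.0", "aud": MY_API})

if __name__ == "__main__":
    for tok in (GRAPH_TOKEN, API_TOKEN):
        print(diagnose(tok, {MY_API, f"api://{MY_API}"}))
```

A token whose owner is reported as microsoft-graph keeps its sts.windows.net issuer regardless of the client manifest; only a token requested for a scope of your own API registration reflects accessTokenAcceptedVersion.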