https://github.com/lazauk/aifoundry-entraid-accesstokens

Practical Jupyter notebook to demo the analysis of Entra ID tokens generated for Azure AI Foundry resource scope.

# Azure Entra ID: Decoding JWT Access Tokens

Azure Entra ID (formerly Azure Active Directory) issues JWT access tokens that carry various claims, e.g. group memberships. This guide walks you through how to obtain such a token and decode it using Python.

> [!NOTE]
> This is especially useful when troubleshooting access issues or validating conditional access policies based on group claims.

## 📑 Table of Contents:
- [1. How to Obtain an Access Token from Entra ID](#1-how-to-obtain-an-access-token-from-entra-id)
- [2. How to Decode the Token Using Python](#2-how-to-decode-the-token-using-python)
- [3. Understanding Key JWT Claims](#3-understanding-key-jwt-claims)

## 1. How to Obtain an Access Token from Entra ID
You can obtain an access token using various flows (e.g., client credentials, authorisation code). For testing purposes, the easiest way to get a valid token for your Azure AI Foundry resource is to use the following Azure CLI command:

```shell
az account get-access-token --resource https://cognitiveservices.azure.com --query "accessToken" --output tsv
```

## 2. How to Decode the Token Using Python
Once you have the token, you can decode it using Python:

```python
import base64
import json
import sys

# Pass the token obtained in section 1 as the first argument, or paste it at the prompt.
token = sys.argv[1] if len(sys.argv) > 1 else input("Paste the access token: ").strip()

# A JWT is three Base64URL segments: header.payload.signature
parts = token.split('.')
if len(parts) != 3:
    sys.exit("Not a JWT: expected three dot-separated segments")

# Base64URL strips the '=' padding, so restore it before decoding the payload
payload = parts[1]
payload += '=' * (-len(payload) % 4)
decoded = base64.urlsafe_b64decode(payload)
claims = json.loads(decoded)

# This only inspects the claims; it does not verify the token's signature
print(json.dumps(claims, indent=4))
```

This will print all claims in a readable JSON format.

```json
{
    "aud": "https://cognitiveservices.azure.com",
    "iss": "https://sts.windows.net//",
    "iat": 1756999941,
    "nbf": 1756999941,
    "exp": 1757004709,
    "acr": "1",
    "aio": "",
    "altsecid": "",
    "amr": [
        "rsa",
        "mfa"
    ],
    "appid": "",
    "appidacr": "0",
    "deviceid": "",
    "email": "@domain.com",
    "family_name": "",
    "given_name": "",
    "groups": [
        "",
        "",
        "",
        "",
        "",
        ""
    ],
    "idp": "https://sts.windows.net//",
    "idtyp": "user",
    "ipaddr": "",
    "name": " ",
    "oid": "",
    "puid": "",
    "pwd_url": "https://portal.microsoftonline.com/ChangePassword.aspx",
    "rh": "",
    "scp": "user_impersonation",
    "sid": "",
    "sub": "",
    "tid": "",
    "unique_name": "@domain.com",
    "uti": "",
    "ver": "1.0",
    "wids": [
        ""
    ],
    "xms_ftd": "",
    "xms_idrel": "1 30"
}
```

## 3. Understanding Key JWT Claims
Below is a brief explanation of some commonly seen claims in Azure Entra ID access tokens:

| JWT Claim | Description |
| :------------------------------------------- | :------------------------------------------------------------------------------ |
| `iss` | Issuer — the token authority (usually your Entra ID tenant). |
| `iat` / `nbf` / `exp` | Issued At / Not Before / Expiry — timestamps defining token validity. |
| `appid` | Application ID of the client requesting the token. |
| `scp` | Scope — delegated permissions granted to the token (e.g. `user_impersonation`). |
| `groups` | List of group object IDs the user belongs to. Used for access control. |
| `amr` | Authentication Methods References — e.g. `mfa` means multi-factor was used. |
| `oid` | Object ID of the user in Entra ID. |
| `tid` | Tenant ID — identifies the Azure AD directory. |
| `email`, `name`, `given_name`, `family_name` | User identity attributes. |
| `xms_ftd`, `xms_idrel`, `rh`, `aio` | Internal Microsoft claims used for token tracing and session management. |
| `wids` | Well-known IDs — e.g. directory roles like Global Administrator. |

> [!TIP]
> You can cross-reference `groups` and `wids` using Microsoft Graph API to resolve them to human-readable names.