- Issue created by @danharper
Same issue here since this morning. Also trying to understand the issue.
- Belgium Den Tweed
Same issue here, some deeper diving brought up that the userinfo endpoint ( https://graph.microsoft.com) returns a 403 forbidden for some accounts while others receive a 200
The error message returned is
{"odata.error":{"code":"Authentication_Unauthorized","codeForMetrics":"Authentication_Unauthorized","message":{"lang":"en","value":"Access blocked to AAD Graph API for this application. https:\/\/aka.ms\/AzureADGraphMigration."}}}
- United States mbopp Grand Rapids, MI
My client is also experiencing this, and it has become an urgent issue preventing access to the site.
- Germany webflo
No e-mail address provided by windows_aad after SSO authorization (Needs review) is a similar issue. It looks like some configurations are not supported anymore. Could someone post screenshots from the exact Azure configuration? Configured grants, access token/ID token claims, etc. This would help to reproduce the issue. Thanks!
- United States mbopp Grand Rapids, MI
Thanks @webflo. Unfortunately, I do not have access to the Azure configuration. I will try the patch provided on the related issue.
We are encountering the same issue. I have admin access to both our Drupal and Azure environments. There's no apparent issue in Azure. Even tried reissuing the key, to no avail.
- Germany webflo
@mbopp and @ian_swan Could you provide a screenshot from the Drupal configuration? Thanks!
- Germany webflo
I think the cause of the problem is that the API call
\Drupal\openid_connect_windows_aad\Plugin\OpenIDConnectClient\WindowsAad::buildUserinfo
fails and this causes the profile data from ID and Access token.
- Germany webflo
Try to switch to "Alternate or no user endpoint" or "Microsoft Graph API (v1.0)" (make sure the User.Read scope is configured). The following adds the scope automatically on request.
- Tunisia drupaldevgirl
@den tweed Did you find a solution? I have the same problem.
- United States pfrilling Minster, OH
We started seeing this error yesterday too. Our configuration is currently using the Azure AD Graph API (v1.6). I did a quick search online about that and it appears that API is being retired by Microsoft. Google's AI Overview after searching that API returned this:
The Azure AD Graph API (v1.6) is being retired, with its functionality replaced by Microsoft Graph. New applications are already unable to use it, and all applications will lose access on June 30, 2025, unless they have configured extended access. Microsoft recommends migrating to Microsoft Graph.
Microsoft's blog article about it is here: https://techcommunity.microsoft.com/blog/microsoft-entra-blog/action-req...
I'm going to see if the suggestions from @webflo in #11 work for our use case and will report back.
- United States pfrilling Minster, OH
Confirming that changing the "User info endpoint configuration" option from Azure AD Graph API (v1.6) to Microsoft Graph API (v1.0) fixed the login issue in my use case.
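As an added diagnostic (not code from the openid_connect_windows_aad module or from anyone in this thread), the check below classifies a userinfo reply so that the 403 body quoted earlier is recognised as the Azure AD Graph retirement rather than a generic authentication failure, and points at the endpoint change that resolved it here. The Microsoft Graph URL and the `probe_userinfo` helper are assumptions for illustration.

```python
import json
from urllib.request import Request, urlopen
from urllib.error import HTTPError

# Assumed replacement userinfo endpoint (Microsoft Graph v1.0), per the thread's fix.
MS_GRAPH_ME = "https://graph.microsoft.com/v1.0/me"

# Constructed from the 403 body quoted in this thread; not captured from a live tenant.
SAMPLE_403_BODY = (
    '{"odata.error":{"code":"Authentication_Unauthorized",'
    '"codeForMetrics":"Authentication_Unauthorized",'
    '"message":{"lang":"en","value":"Access blocked to AAD Graph API for this '
    'application. https:\\/\\/aka.ms\\/AzureADGraphMigration."}}}'
)

REMEDIATION = (
    "Set 'User info endpoint configuration' to Microsoft Graph API (v1.0) "
    "and make sure the User.Read scope is granted."
)


def classify_userinfo_response(status: int, body: str) -> dict:
    """Map a userinfo HTTP status and body to a verdict a site admin can act on."""
    if status == 200:
        return {"verdict": "ok", "code": None, "action": None}
    try:
        err = json.loads(body).get("odata.error", {})
    except (ValueError, AttributeError):
        # Not the OData error envelope: leave it to a human to inspect.
        return {"verdict": "error", "code": None, "action": "Inspect raw response"}
    code = err.get("code")
    msg = err.get("message", "")
    if isinstance(msg, dict):
        msg = msg.get("value", "")
    if status == 403 and "AzureADGraphMigration" in msg:
        return {"verdict": "aad_graph_retired", "code": code, "action": REMEDIATION}
    return {"verdict": "error", "code": code, "action": "Inspect raw response"}


def probe_userinfo(url: str, access_token: str) -> dict:
    """Call a userinfo endpoint with a bearer token and classify the reply (network call)."""
    req = Request(url, headers={"Authorization": f"Bearer {access_token}"})
    try:
        with urlopen(req, timeout=10) as resp:
            return classify_userinfo_response(resp.status, resp.read().decode())
    except HTTPError as e:
        return classify_userinfo_response(e.code, e.read().decode())


if __name__ == "__main__":
    print(classify_userinfo_response(403, SAMPLE_403_BODY))
```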
- Brazil pfeiffer
I was having the same issue, just changing to Microsoft Graph API (v1.0) fixed the issue.
- United States mbopp Grand Rapids, MI
Fixed for us as well. Thank you @pfrilling
- webflo committed 6219c4c1 on 2.0.x
Issue #3518500: Deprecate Azure AD Graph API option in settings form