"A unique identifier was not provided for the user" when new user from AAD
-
I can use the AAD config per the instructions at https://fusionauth.io/docs/v1/tech/identity-providers/openid-connect/azure-ad
However, when create_registration is turned on, I can't create a new FA user. I get the error "A unique identifier was not provided for the user. This account cannot be used to login, unable to complete this login request."
From the event log
2/23/2023 07:48:05 AM Z Build a new user object from the returned Userinfo response: { "sub" : "3XXJmjO2q9DQCmGWV8-dyv_EzpOT-m_IAc3NX5nuYXA", "name" : "Simon Roberts", "family_name" : "Roberts", "given_name" : "Simon", "picture" : "https://graph.microsoft.com/v1.0/me/photo/$value", "email" : "simon.roberts@mycompany.com" }
2/23/2023 07:48:05 AM Z Linking strategy [LinkByEmail]
2/23/2023 07:48:05 AM Z Resolved email to [smycompany.com]
2/23/2023 07:48:05 AM Z Resolved username to [null]
2/23/2023 07:48:05 AM Z Resolved unique Id to [null]
2/23/2023 07:48:05 AM Z A unique Id was not provided b
How do I get the unique ID? If I open the bearer token in jwt.io I can see my AAD OID in there:
"name": "Simon Roberts", "oid": "fa87b189-7080-4050-aa1b-e77e113e6799",
My scope is "openid".
What am I missing?
-
@simon-roberts You can specify the unique UUID on the identity provider configuration. If you are using the admin UI, navigate to the identity provider, then to the Options tab at the bottom, then to the Unique Id claim field. If the oid claim is a valid UUID and unique and immutable, you can specify that.
-
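To make the answer above concrete, here is an added example (not FusionAuth code and not from either poster) that mimics the "Resolved ... to [...]" lines in the event log: it looks up the configured unique-id, email and username claims in a claim set, refuses to proceed when the unique-id claim is absent, warns when the value is not a UUID (the property the answer asks for), and builds the PATCH body for the OpenID Connect identity provider API that sets the same field the admin UI "Unique Id claim" option controls. The claim values are taken from the question; the function names, the claim sets and the `idp_patch_body` helper are constructed for this illustration, and the `identityProvider.oauth2.uniqueIdClaim` / `emailClaim` field names should be checked against the FusionAuth API docs for your version.

```python
import json
import uuid

# Constructed sample claim sets. USERINFO_CLAIMS is shaped like the Userinfo
# response quoted in the event log (no 'oid'); TOKEN_CLAIMS adds the 'oid'
# the poster saw when decoding the bearer token on jwt.io.
USERINFO_CLAIMS = {
    "sub": "3XXJmjO2q9DQCmGWV8-dyv_EzpOT-m_IAc3NX5nuYXA",
    "name": "Simon Roberts",
    "family_name": "Roberts",
    "given_name": "Simon",
    "email": "simon.roberts@mycompany.com",
}
TOKEN_CLAIMS = {**USERINFO_CLAIMS, "oid": "fa87b189-7080-4050-aa1b-e77e113e6799"}


def is_uuid(value):
    """True if value parses as a UUID, the form the answer asks the claim to have."""
    if not isinstance(value, str):
        return False
    try:
        uuid.UUID(value)
    except ValueError:
        return False
    return True


def resolve_identity(claims, unique_id_claim="sub", email_claim="email",
                     username_claim="preferred_username"):
    """Look up each configured claim name, like the 'Resolved ... to [...]' log lines.

    Returns the resolved values plus an 'error' when no unique id is present
    (the account must not be created or linked in that case) and a 'warning'
    when the unique id is present but is not UUID-shaped.
    """
    unique_id = claims.get(unique_id_claim)
    result = {
        "email": claims.get(email_claim),
        "username": claims.get(username_claim),
        "unique_id": unique_id,
        "error": None,
    }
    if unique_id is None:
        result["error"] = "A unique Id was not provided; claim %r is absent" % unique_id_claim
    elif not is_uuid(unique_id):
        # A non-UUID value is still usable, but flag it: linking should rest on
        # a unique and immutable identifier.
        result["warning"] = "unique id claim %r is not a UUID" % unique_id_claim
    return result


def idp_patch_body(unique_id_claim, email_claim="email"):
    """JSON body for PATCH /api/identity-provider/{id} on an OpenID Connect
    identity provider (hypothetical helper; field names assumed from the
    FusionAuth OIDC identity provider API, verify for your version)."""
    return json.dumps({
        "identityProvider": {
            "oauth2": {
                "uniqueIdClaim": unique_id_claim,
                "emailClaim": email_claim,
            }
        }
    }, indent=2)


if __name__ == "__main__":
    # Configured for 'oid' but only Userinfo claims available: reproduces the error.
    print(resolve_identity(USERINFO_CLAIMS, unique_id_claim="oid"))
    # Same configuration against claims that carry 'oid': resolves to the UUID.
    print(resolve_identity(TOKEN_CLAIMS, unique_id_claim="oid"))
    print(idp_patch_body("oid"))
```

Running the block shows the two outcomes side by side: with the unique-id claim set to `oid` but only the Userinfo claims present, `unique_id` is `None` and the error text matches the log; once the `oid` claim is available, it resolves to the UUID and passes the `is_uuid` check, which is the condition the answer attaches to using it.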
Facing the same issue, but no response from anyone, and I could not find troubleshooting for this topic on Google.