Microsoft Entra ID (Azure AD). Pins the v2.0 issuer
https://login.microsoftonline.com/{tenant}/v2.0 and the matching JWKS
(/discovery/v2.0/keys). audience is the API's App ID URI or client id.
tenant must be a concrete tenant GUID or a registered domain name.
The pseudo-tenants "common", "organizations", and "consumers" are
rejected because Entra ID never stamps them in the iss claim of a real
token — every token would fail the issuer check at runtime. For multi-tenant
validation without a pinned issuer, use jwtResourceServer with an empty
issuer and rely on audience binding alone.
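As an added example (not the library's own code), the following JavaScript shows the issuer/JWKS pinning and the pseudo-tenant rejection described above, plus the claim checks a resource server applies once a token's signature has been verified against the JWKS. The function names `entraIdConfig` and `checkClaims` are hypothetical, and the tenant GUID, audience and claims are constructed sample values. The example compares `iss` literally, so it is written for a tenant GUID; how the library maps a registered domain name to the GUID-based issuer that real tokens carry (for example via the OIDC discovery document) is not shown here.

```javascript
// Added example, not library code. Builds the pinned Entra ID v2.0 configuration
// and checks iss/aud/exp/nbf on claims whose signature was already verified
// against the JWKS endpoint below. Signature verification itself is out of scope.

// Entra ID never stamps these in the iss claim, so pinning them can only fail.
const PSEUDO_TENANTS = new Set(["common", "organizations", "consumers"]);
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const DOMAIN_RE = /^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i;

// Hypothetical helper: returns the issuer, JWKS URI and audience to pin.
function entraIdConfig({ tenant, audience }) {
  if (typeof tenant !== "string" || tenant.length === 0) {
    throw new TypeError("tenant is required");
  }
  if (PSEUDO_TENANTS.has(tenant.toLowerCase())) {
    throw new RangeError(`tenant "${tenant}" is a pseudo-tenant; it never appears in iss`);
  }
  if (!GUID_RE.test(tenant) && !DOMAIN_RE.test(tenant)) {
    throw new RangeError(`tenant "${tenant}" is neither a tenant GUID nor a domain name`);
  }
  if (typeof audience !== "string" || audience.length === 0) {
    throw new TypeError("audience (App ID URI or client id) is required");
  }
  return Object.freeze({
    issuer: `https://login.microsoftonline.com/${tenant}/v2.0`,
    jwksUri: `https://login.microsoftonline.com/${tenant}/discovery/v2.0/keys`,
    audience,
  });
}

// Hypothetical helper: binds already-verified claims to the pinned config.
// `now` is a Unix timestamp in seconds; injectable so the check is deterministic.
function checkClaims(claims, config, now = Math.floor(Date.now() / 1000)) {
  if (claims.iss !== config.issuer) {
    return { ok: false, reason: "issuer mismatch" };
  }
  // aud may be a single string or an array; the pinned audience must be present.
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(config.audience)) {
    return { ok: false, reason: "audience mismatch" };
  }
  if (typeof claims.exp !== "number" || claims.exp <= now) {
    return { ok: false, reason: "expired" };
  }
  if (typeof claims.nbf === "number" && claims.nbf > now) {
    return { ok: false, reason: "not yet valid" };
  }
  return { ok: true, reason: "" };
}

// Constructed sample values for a stand-alone run.
const sampleConfig = entraIdConfig({
  tenant: "11111111-2222-3333-4444-555555555555", // constructed tenant GUID
  audience: "api://example-api",                   // constructed App ID URI
});
const sampleNow = 1700000000;
const sampleClaims = { iss: sampleConfig.issuer, aud: "api://example-api", exp: sampleNow + 3600 };
console.log(sampleConfig.issuer, checkClaims(sampleClaims, sampleConfig, sampleNow));
```

A token minted for a different tenant fails the issuer check even if its audience matches, which is the binding the pinned issuer is there to provide; the multi-tenant path the text mentions (empty issuer, audience only) deliberately gives that up.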