Email claim is not being sent in ID token when Entra ID app is added to another tenant


I'm a developer migrating an application from IdentityServer4 to Entra ID. I successfully set up an app registration for the app's frontend and backend in my organization's Entra ID tenant (domain: relativityx.com). I'm able to sign in to the app using my relativityx.com credentials, and the email claim, which I configured to be sent in the id_token, is present.

I then updated the application to allow sign-ins from other tenants, following the Entra ID documentation. Using my admin account, I was able to successfully consent to the application in my personal Entra ID tenant (domain: mdcarr941live.onmicrosoft.com), and I found that service principals for the frontend and backend were successfully created in my tenant (i.e. visible under "Enterprise applications"). However, I found that the email claim was not being sent to the application in the id_token.

As a troubleshooting step, I used the MS Graph API to verify that the JSON representation of the service principals from the two tenants are identical, except for their object IDs and creation times.

Why might the email claim not be included in the id_token when signing in from the other tenant?

There is 1 answer

UserSpaceMan

The issue was caused by the fact that my user account in my personal Entra ID tenant did not have an email address configured. I hadn't run into this in my organization's tenant because it has an Exchange Online license, so an email address was added to my user on creation.

It makes sense now, but it was definitely a sharp edge to get caught on. After all, every user account signs in with what is, syntactically, an email address, but there is actually a separate email field which needs to be populated.
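As an added example (not code from the question or the answer), here is how an application can detect the pitfall described above and how a tenant admin can audit for it: the claim sets and the Graph response below are constructed sample data, and the tenant ids are placeholders.

```python
# Constructed sample data: decoded ID-token claim sets as an OIDC library
# would hand them to the app after signature validation, one per tenant.
HOME_TENANT_CLAIMS = {
    "tid": "TENANT-A-PLACEHOLDER",
    "preferred_username": "alice@example.com",
    "email": "alice@example.com",
}
OTHER_TENANT_CLAIMS = {
    "tid": "TENANT-B-PLACEHOLDER",
    "preferred_username": "bob@example.onmicrosoft.com",
    # no "email": the user's mail attribute is empty in this tenant
}

# Constructed sample of a page returned by Microsoft Graph for
# GET /users?$select=userPrincipalName,mail in the second tenant.
OTHER_TENANT_USERS = {"value": [
    {"userPrincipalName": "bob@example.onmicrosoft.com", "mail": None},
    {"userPrincipalName": "carol@example.onmicrosoft.com",
     "mail": "carol@example.com"},
]}


def diagnose_email_claim(claims: dict) -> str:
    """Classify why the app may have no usable email for a signed-in user."""
    if claims.get("email"):
        return "present"
    login = claims.get("preferred_username") or claims.get("upn") or ""
    # The sign-in name is email-shaped, but the email claim is only emitted
    # when the user's mail attribute is populated in the issuing tenant.
    return "missing-login-is-email-shaped" if "@" in login else "missing"


def resolve_email(claims: dict) -> str:
    """Return the email claim or fail with an actionable error. Never fall
    back to preferred_username: it is a login name, not a mailbox. Key user
    identity on oid + tid, not on email, which admins can change."""
    if claims.get("email"):
        return claims["email"]
    raise ValueError(
        f"no email claim for user in tenant {claims.get('tid')}: "
        f"diagnosis={diagnose_email_claim(claims)}; populate the user's mail "
        "attribute in that tenant")


def users_without_mail(graph_users_page: dict) -> list:
    """From a Graph /users page, list UPNs whose mail attribute is empty,
    i.e. users who will sign in without an email claim."""
    return [u["userPrincipalName"] for u in graph_users_page["value"]
            if not u.get("mail")]
```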