We are using Entra External ID for customers for an upcoming service, and today the issuer ("iss") claim changed, causing validate-azure-ad-token in our API Management to fail, returning an "Issuer is not valid" message and a 401.
The format used to be ({tenantId} is a GUID):
"iss": "https://login.microsoftonline.com/{tenantId}/v2.0",
but now it is
"iss": "https://{tenantId}.ciamlogin.com/{tenantId}/v2.0",
I tried changing the tenant-id property of the validate-azure-ad-token policy from "{tenantId}" (again, this is a GUID) to "{tenantId}.ciamlogin.com", but it did not work, as it was longer than 36 characters (there is no such limitation mentioned in the docs: https://learn.microsoft.com/en-us/azure/api-management/validate-azure-ad-token-policy#policy-statement). Changing tenant-id to "mytenant.ciamlogin.com" did not help either.
Is there anything else I can try, or is this an issue that needs to be fixed in either APIM or Entra?
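To make the failure mode concrete, here is an added Python example (not part of the original post and not APIM's or Entra's code) that decodes a token's payload, builds the set of issuer URLs a tenant GUID can legitimately produce under both formats quoted above, and checks the "iss" claim against that set. The issuer templates, the GUID check and the sample tokens are constructed assumptions for illustration; the tenant GUID and the claim values are made up. Signature verification is deliberately out of scope here: a real gateway must verify the signature before trusting any claim, and this helper only shows why a single fixed issuer template rejects the new ciamlogin.com issuer while a tenant-scoped allowlist accepts it and still rejects a foreign tenant.

```python
import base64
import json
import re

# Assumed issuer templates, constructed for this example. The first is the
# format the post says tokens used to carry, the second the new one.
ISSUER_TEMPLATES = (
    "https://login.microsoftonline.com/{tenant_id}/v2.0",
    "https://{tenant_id}.ciamlogin.com/{tenant_id}/v2.0",
)

# A tenant id is a 36-character GUID; anything else (e.g. a host name such as
# "mytenant.ciamlogin.com") is rejected before any issuer is built.
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)


def is_tenant_guid(value: str) -> bool:
    """True when value is a lowercase-normalised 36-character GUID."""
    return GUID_RE.match(value.lower()) is not None


def expected_issuers(tenant_id: str) -> set[str]:
    """Return every issuer URL this tenant GUID may legitimately present."""
    tid = tenant_id.lower()
    if not is_tenant_guid(tid):
        raise ValueError(f"tenant id must be a GUID, got {tenant_id!r}")
    return {template.format(tenant_id=tid) for template in ISSUER_TEMPLATES}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def unverified_claims(token: str) -> dict:
    """Decode the payload segment only. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated parts)")
    return json.loads(_b64url_decode(parts[1]))


def check_issuer(token: str, tenant_id: str) -> tuple[bool, str]:
    """Accept the token only if its iss claim is one this tenant can issue."""
    claims = unverified_claims(token)
    iss = claims.get("iss")
    if iss is None:
        return False, "missing iss claim"
    if iss not in expected_issuers(tenant_id):
        return False, f"Issuer is not valid: {iss}"
    return True, "issuer ok"


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token for offline testing.

    The signature segment is a placeholder; real tokens are signed and must
    be verified before their claims are used.
    """
    header = {"alg": "RS256", "typ": "JWT"}

    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    return f"{enc(header)}.{enc(claims)}.PLACEHOLDER_SIGNATURE"


if __name__ == "__main__":
    tenant = "11111111-2222-3333-4444-555555555555"  # constructed GUID
    for label, iss in (
        ("old format", f"https://login.microsoftonline.com/{tenant}/v2.0"),
        ("new format", f"https://{tenant}.ciamlogin.com/{tenant}/v2.0"),
        ("other tenant", "https://login.microsoftonline.com/99999999-0000-0000-0000-000000000000/v2.0"),
    ):
        ok, reason = check_issuer(make_sample_token({"iss": iss}), tenant)
        print(f"{label:13} -> {ok} ({reason})")
```

The allowlist is keyed on the tenant GUID, which is why feeding a host name like "mytenant.ciamlogin.com" into the tenant slot fails at the GUID check rather than silently producing a bogus issuer URL; the same length constraint the post observed in APIM is reproduced here as an explicit validation step.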