invalid_token error while exchanging a Microsoft Azure token for a set of Keycloak tokens

I'm working on an internal application which uses Keycloak for user auth.
I have run into problems while getting the exchanged token from Keycloak.

In the Keycloak dashboard I've set up Azure as an identity provider, with a token-exchange policy for the my-app client within my-realm.

At this point, after signing in to the app, I can get a JWT access_token from Azure with the User.Read permission.

I am then asking keycloak to exchange it for its own tokens within the realm, so that the app can go back to a “normal” auth flow:

curl --location --request POST 'http://localhost:8080/auth/realms/openapi/protocol/openid-connect/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=my-app' \
  --data-urlencode 'client_secret={secret from client}' \
  --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
  --data-urlencode 'subject_token={Access token}' \
  --data-urlencode 'subject_issuer=microsoft' \
  --data-urlencode 'requested_token_type=urn:ietf:params:oauth:token-type:access_token' \
  --data-urlencode 'subject_token_type=urn:ietf:params:oauth:token-type:access_token'

but I get the error below:
15:29:05,144 WARN [org.keycloak.events] (default task-1) type=TOKEN_EXCHANGE_ERROR, realmId=ae36dfed-f6be-46e0-a29d-d38b8798da48, clientId=cytricapi, userId=null, ipAddress=127.0.0.1, error=invalid_token, reason='user info service disabled', auth_method=token_exchange, grant_type=urn:ietf:params:oauth:grant-type:token-exchange, subject_issuer=azureAd, validation_method='user info', client_auth_method=client-secret

Please help with this.

Were you able to find a solution for this?

I have the same issue, and I'm keen to know about the solution.
It is working with Google by following the steps described in Keycloak token exchange usage with Google Sign-In | by Sourin Ghosh | Medium,
but I'm not able to get it working with AAD.
I will be grateful for any advice. Thanks.
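The exchange from the first post, as an added example that is not part of the original thread and not Keycloak's or Microsoft's own code: a Python script that builds the same form body the curl sends, posts it (here against a stand-in server so it runs offline), decodes the subject token's claims for inspection before sending, and parses the TOKEN_EXCHANGE_ERROR event line into its fields. In Keycloak's OIDC identity-provider broker, a subject_token_type of access_token is validated by calling the provider's User Info URL, and reason='user info service disabled' is what gets logged when that URL is empty (or user info is disabled) on the provider; that is the reading diagnose() returns. The token URL, client id, secret, the JWT and fake_keycloak() are all placeholders constructed for this example, not values from the post.

```python
"""Keycloak token exchange of an Azure access token, reproduced in Python.

Added example for this page, not code from the original post, Keycloak or
Microsoft. Assumed (not from the post): the token URL, client id and secret
are placeholders, the JWT is constructed and unsigned, and fake_keycloak()
stands in for a live server, so everything runs offline (stdlib only).
"""
import base64, json, re, urllib.error, urllib.parse, urllib.request
from io import BytesIO

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying it: inspect iss/aud before
    sending, never use the result for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (header.payload.signature)")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))

def build_exchange_form(client_id, client_secret, subject_token, subject_issuer,
                        subject_token_type=ACCESS_TOKEN_TYPE):
    """Form body for the token-exchange grant. subject_token_type picks Keycloak's
    validation path: access_token -> the IdP's User Info URL is called,
    id_token -> the JWT signature is verified against the IdP's keys."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": TOKEN_EXCHANGE_GRANT,
        # The post's curl has 'subject_token= {Access token}'; a leading space
        # would be sent as %20 and corrupt the token, so strip it.
        "subject_token": subject_token.strip(),
        "subject_issuer": subject_issuer,
        "subject_token_type": subject_token_type,
        "requested_token_type": ACCESS_TOKEN_TYPE,
    }

def exchange(token_url, form, opener=urllib.request.urlopen):
    """POST the form; return Keycloak's JSON body for success and error alike."""
    req = urllib.request.Request(
        token_url, data=urllib.parse.urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with opener(req) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as err:  # Keycloak answers 400 with a JSON error
        return json.loads(err.read())

EVENT_KV = re.compile(r"(\w+)=('[^']*'|[^,\s]*)")

def parse_keycloak_event(line):
    """Parse a Keycloak event log line (key=value, key='quoted value', ...)."""
    return {k: v.strip("'") for k, v in EVENT_KV.findall(line)}

def diagnose(event):
    """Turn the fields of a TOKEN_EXCHANGE_ERROR event into a next step."""
    if event.get("type") != "TOKEN_EXCHANGE_ERROR":
        return "not a token-exchange error"
    if (event.get("validation_method") == "user info"
            and event.get("reason") == "user info service disabled"):
        return ("subject_token_type=access_token makes Keycloak validate the token via "
                "the User Info URL of identity provider %r, and that URL is empty or user "
                "info is disabled; set it, or send the id_token with subject_token_type=%s"
                % (event.get("subject_issuer"), ID_TOKEN_TYPE))
    return "%s: %s" % (event.get("error"), event.get("reason", ""))

# Constructed samples: no real tokens, secrets or servers.
def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

SAMPLE_AZURE_TOKEN = ".".join([  # unsigned look-alike of a Graph access token
    b64url(b'{"alg":"RS256","typ":"JWT"}'),
    b64url(json.dumps({"iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
                       "aud": "00000003-0000-0000-c000-000000000000",  # Microsoft Graph
                       "scp": "User.Read"}).encode()),
    b64url(b"no-signature")])

SAMPLE_EVENT_LINE = (  # the event line from the post, with straight quotes
    "15:29:05,144 WARN [org.keycloak.events] (default task-1) type=TOKEN_EXCHANGE_ERROR, "
    "realmId=ae36dfed-f6be-46e0-a29d-d38b8798da48, clientId=cytricapi, userId=null, "
    "ipAddress=127.0.0.1, error=invalid_token, reason='user info service disabled', "
    "auth_method=token_exchange, grant_type=urn:ietf:params:oauth:grant-type:token-exchange, "
    "subject_issuer=azureAd, validation_method='user info', client_auth_method=client-secret")

def fake_keycloak(req):
    """Stand-in for urlopen: the HTTP 400 Keycloak returns for this event."""
    body = b'{"error":"invalid_token","error_description":"invalid token"}'
    raise urllib.error.HTTPError(req.full_url, 400, "Bad Request", {}, BytesIO(body))

def demo():
    """Run the exchange against the stand-in server and explain the event."""
    form = build_exchange_form("my-app", "placeholder-secret",
                               " " + SAMPLE_AZURE_TOKEN, "microsoft")
    result = exchange("http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/token",
                      form, opener=fake_keycloak)
    return form, result, diagnose(parse_keycloak_event(SAMPLE_EVENT_LINE))
```

To run it against a real Keycloak, call exchange() with the default opener and a real Azure token. Two things to check first: jwt_claims() should show the token's aud is the API the provider's userinfo endpoint accepts (for Microsoft that endpoint is https://graph.microsoft.com/oidc/userinfo, which takes a Graph access token such as one issued for User.Read), and the identity provider's User Info URL in the Keycloak admin console must not be blank, since with subject_token_type=access_token Keycloak has no other way to validate an opaque or foreign-audience token. Sending Azure's id_token with subject_token_type=urn:ietf:params:oauth:token-type:id_token avoids the userinfo call altogether.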