Troubleshoot brokered identity with Azure AD

Dear friends,

I am currently working on a proof-of-concept implementation of brokered identity with Keycloak and Microsoft Azure. I am not responsible for Azure and can only request changes there, so the other side is a bit of a black box to me.

I have already managed to set it up in general and it works mostly. When I authenticate using Azure and am redirected back to Keycloak, I am presented with a dialog with some “random string” as username, an empty(!) email and the correct first name/last name fields.

BUT I should have an email address too. And it would be really helpful if I could also get the “old” samAccountName for legacy purposes.

Question: Why is the email missing? How can I troubleshoot that? I have set the scopes on my side to “openid, profile, email”, but I suspect that Azure AD doesn’t let me have the email address.

Is there a way to check what I actually get from Azure? I would like to either prove that they need to change something or tell them: “Hey, please change this setting to …”.

Thanks, Christoph
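As an added example (not part of the original post, and not Keycloak or Azure code): one way to see which claims actually arrive from the identity provider is to base64url-decode the ID token payload and compare the claims present against what the requested scopes (openid, profile, email) are expected to yield. The token below is constructed and unsigned; the decoder deliberately does not validate the signature, so it is for inspection only.

```python
import base64
import json

# Claims each requested OIDC scope is expected to yield. This mapping is an
# assumption for the example (it follows the OIDC core standard claims).
EXPECTED_CLAIMS = {
    "openid": ["sub"],
    "profile": ["name", "given_name", "family_name"],
    "email": ["email"],
}


def decode_jwt_payload(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.
    Use only to inspect what the IdP sent; never base an authorization decision on it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT (expected 3 dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_claims(claims: dict, scopes: list) -> dict:
    """Map each requested scope to the expected claims that are absent from the token."""
    result = {}
    for scope in scopes:
        absent = [c for c in EXPECTED_CLAIMS.get(scope, []) if c not in claims]
        if absent:
            result[scope] = absent
    return result


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


# Constructed sample ID token (header.payload.signature); the signature is a
# placeholder and the payload mirrors the situation in the post: no "email" claim.
SAMPLE_ID_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}),
    _b64url({"sub": "constructed-subject-id", "name": "Jane Doe",
             "given_name": "Jane", "family_name": "Doe"}),
    "constructed-signature-placeholder",
])

if __name__ == "__main__":
    claims = decode_jwt_payload(SAMPLE_ID_TOKEN)
    print("claims received:", sorted(claims))
    print("missing per scope:", missing_claims(claims, ["openid", "profile", "email"]))
```

Pointing the same decoder at the real ID token (for example, captured from the broker's token response) shows directly whether the `email` claim was never sent or was sent under a different claim name that the broker mapper does not pick up.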