I have a .NET-based microservice which is using Entra ID app registration for authorization. I want to do authorization based on the OAuth2 token generated by the requestor. The requestor can be a human or an application. What is recommended to retrieve from the claims—object ID or app ID? I am aware that users don’t have an app ID. Is it recommended to use object ID for verifying authorization?

If you are building a .NET microservice that uses Entra ID for authorization and you are getting OAuth2 tokens from users or apps
you need to know:
Users have a unique Object ID in their token.
Applications (when acting as a service principal): have both an Object ID and an App ID (Client ID).
Since users don’t have an App ID, and both users and apps have Object IDs, the best and most consistent way to do authorization is to check the Object ID from the token.
So yes, it is recommended to use Object ID for verifying authorization. It uniquely identifies the requester (whether it's a human or an app) and works across the board.

When dealing with authorization in a .NET-based microservice using Entra ID (formerly Azure AD), it's important to understand the differences between the claims available in the OAuth2 token.

For your scenario, where the requestor can be either a human or an application, here are some key points:

1. Object ID: This claim (oid) uniquely identifies the user or service principal within the directory. It is present in both user and application tokens. For users, it represents the user's unique identifier, and for applications, it represents the service principal's unique identifier.

2. App ID: This claim (appid) is specific to applications and represents the client ID of the application that acquired the token. Users do not have an appid claim.

Given that users do not have an appid, it is recommended to use the Object ID (oid) for verifying authorization. This approach ensures consistency, as the oid claim will be present regardless of whether the token was issued to a user or an application.