# IdP Access Token Allowed Audiences

## Summary

**IdP Access Token Allowed Audiences** controls how the audience claim of an incoming IdP-issued access token is validated.

For [Microsoft Entra](https://www.pomerium.com/docs/integrations/user-identity/azure.md) an access-token is a JWT with an audience claim. When the IdP Access Token Allowed Audiences option is set, the `aud` claim of the access token JWT must match one of the entries.

This option can also be configured at the route-level.

## How to Configure

**Core:**

| **Config file keys** | **Environment variables** | **Type** |
| :-- | :-- | :-- |
| `idp_access_token_allowed_audiences` | `IDP_ACCESS_TOKEN_ALLOWED_AUDIENCES` | Array of strings |

### Examples

```yaml
idp_access_token_allowed_audiences:
  - https://sts.windows.net/f42bce3b-671c-4162-b24c-00ecc7641897/
  - https://login.microsoftonline.com/f42bce3b-671c-4162-b24c-00ecc7641897/
```

**Enterprise:**

Set **IdP Access Token Allowed Audiences** under **Authenticate** settings in the Console:

\[Set IdP Access Token Allowed Audiences in the Console]

**Kubernetes:**

```yaml
idpAccessTokenAllowedAudiences:
  - https://sts.windows.net/f42bce3b-671c-4162-b24c-00ecc7641897/
  - https://login.microsoftonline.com/f42bce3b-671c-4162-b24c-00ecc7641897/
```

See [Kubernetes - Global Configuration](https://www.pomerium.com/docs/deploy/k8s/configure.md) for more information.
