diff --git a/backend/app/middleware/auth.py b/backend/app/middleware/auth.py
index 583acb6..1eb29e0 100644
--- a/backend/app/middleware/auth.py
+++ b/backend/app/middleware/auth.py
@@ -68,7 +68,11 @@ async def get_current_user(
 return {
 "oid": payload.get("oid"),
 "name": payload.get("name"),
- "email": payload.get("preferred_username") or payload.get("email"),
+ "email": (
+ payload.get("preferred_username")
+ or payload.get("upn")
+ or payload.get("email")
+ ),
 }
 except JWTError as e:
 raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail=f"Invalid token: {e}")
diff --git a/frontend/src/api/client.ts b/frontend/src/api/client.ts
index 90f8eda..5e8f02f 100644
--- a/frontend/src/api/client.ts
+++ b/frontend/src/api/client.ts
@@ -13,10 +13,11 @@ api.interceptors.request.use(async (config) => {
 try {
 const result = await msalInstance.acquireTokenSilent({
- ...loginRequest,
+ scopes: ['openid', 'profile', 'email'],
 account: accounts[0],
 });
- config.headers.Authorization = `Bearer ${result.accessToken}`;
+ // ID token has audience=CLIENT_ID so the backend can validate it
+ config.headers.Authorization = `Bearer ${result.idToken}`;
 } catch {
 // Token expired or failed — trigger interactive login
 await msalInstance.loginRedirect(loginRequest);
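Review bot: The new fallback chain stores username claims under the key "email", but neither `preferred_username` nor `upn` is a verified e-mail address — with MSAL on the frontend these appear to be Entra ID tokens, where the username claims are mutable, are not guaranteed unique across tenants and are documented as unsuitable for authorization decisions, and even the `email` claim is not verified by the issuer. Anything downstream that matches accounts or grants access on this "email" value is therefore keying on unverified data; the stable subject identifier is `oid`, which this dict returns without checking that it is present at all. I would add above the key a comment such as `# contact/display hint only: username claims are mutable and unverified; authorize on "oid"` and reject tokens whose `oid` claim is missing via the same 401 path used for JWTError. The body of get_current_user, including the decode that produces `payload`, starts outside the hunk.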