According to the doc [verify the domain](https://docs.microsoft.com/en-us/outlook/add-ins/validate-an-identity-token?product=outlook#verify-the-domain), the validate function should also verify domain of `amurl` to make sure the JWT is signed by Exchange server. https://github.com/OfficeDev/Outlook-Add-In-Token-Viewer/blob/535ceafdd9ab3e78f03e317a96d261655bff6878/TokenValidationService/Models/ExchangeIdToken.cs#L43
According to the doc verify the domain, the validate function should also verify domain of
amurlto make sure the JWT is signed by Exchange server.Outlook-Add-In-Token-Viewer/TokenValidationService/Models/ExchangeIdToken.cs
Line 43 in 535ceaf