Getting original token issuer

We are currently looking at migrating to Auth0 coming from a direct integration with Azure AD.

For our application, we support SSO using an Azure AD multitenant app registration. We’ve implemented this in Auth0 as a custom social connection.

Previously, we validated access to our API by checking that the token issuer is one of the whitelisted AD tenants we support. When SSO is federated through Auth0, the token issuer is always Auth0 (which makes sense).

So far the best solution I have come up with is enforcing an email domain whitelist instead. This is OK, but I would prefer to check the issuer as some enterprise clients may have several email domains on the same AD tenant.

Is there a way to capture the original token issuer and include that on the Auth0-issued ID token?