Anoop
May 24, 2021

So the azp claim is the ID of the application that requests the token. When using managed identity, azp will be the ID of the managed identity. That means we are using the managed identity (not the client app reg) to get the access token. That is what you are seeing when using managed identity.

The client app reg is only used while developing locally, as we cannot use managed identity while developing locally.

To see the Orders.Read role in the claim, can you please go to the managed identity and check its permissions to make sure that they have been added? They can be seen in the permissions blade of the managed identity's service principal.
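One way to see exactly what the response above is talking about is to decode the access token and look at its azp and roles claims directly. The following is an added example, not code from the original response or from its author: it base64url-decodes the JWT payload without verifying the signature (debugging only, never for trusting the token) and reports whether azp equals the client ID you expect for the managed identity and whether Orders.Read appears in roles. The client ID, the sample tokens and the helper names are constructed for illustration.

```python
import base64
import json


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the '=' padding JWT segments drop, then decode."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_payload(token: str) -> dict:
    """Return the JWT payload as a dict WITHOUT checking the signature.

    Fine for inspecting claims while debugging; an API must still validate
    the signature, issuer, audience and expiry before trusting any claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def check_claims(token: str, expected_azp: str, required_role: str) -> dict:
    """Compare azp with the expected caller and look for an app role in `roles`."""
    claims = decode_payload(token)
    roles = claims.get("roles", [])  # absent when no app roles were assigned
    return {
        "azp": claims.get("azp"),
        "azp_matches": claims.get("azp") == expected_azp,
        "has_role": required_role in roles,
        "roles": roles,
    }


def make_sample_token(payload: dict) -> str:
    """Build a constructed, unsigned token so the example runs offline."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(payload).encode()),
        "signature-placeholder",
    ])


# Hypothetical client ID of the managed identity (not a real value).
MI_CLIENT_ID = "00000000-0000-0000-0000-000000000001"

# Constructed tokens: one issued before the app role was assigned to the
# managed identity (no roles claim), one issued after.
TOKEN_BEFORE_ASSIGNMENT = make_sample_token({"aud": "api://orders", "azp": MI_CLIENT_ID})
TOKEN_AFTER_ASSIGNMENT = make_sample_token(
    {"aud": "api://orders", "azp": MI_CLIENT_ID, "roles": ["Orders.Read"]}
)

if __name__ == "__main__":
    for label, tok in (("before", TOKEN_BEFORE_ASSIGNMENT), ("after", TOKEN_AFTER_ASSIGNMENT)):
        print(label, check_claims(tok, MI_CLIENT_ID, "Orders.Read"))
```

If azp matches the managed identity but has_role is false, the token is coming from the right principal and it is the app role assignment on that service principal that is missing, which is the check the response above asks for.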


Written by Anoop

Microsoft MVP. M365 Developer Architect at Content+Cloud.
