AD FS publishes two different issuer values in the public https://<domain>/adfs/.well-known/openid-configuration : One is called 'issuer' the other is 'access_token_issuer' - the access_token_issuer is optional in the standard. The value that is issued in the access token iss claim is always the 'access_token_issuer' some clients (.Net ones) validate the access token against the 'access_token_issuer' others (using open source libraries) will only validate against the 'issuer'
It would be great if I could select per relying party which value is returned in the access token iss claim.