diff --git a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
index 1169e29cec..481499e74f 100644
--- a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
+++ b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
@@ -1,4 +1,5 @@
-using System.Net;
+using System.Diagnostics;
+using System.Net;
 using System.Reflection;
 using System.Security.Claims;
 using System.Security.Cryptography.X509Certificates;
@@ -510,6 +511,15 @@ public static class ServiceCollectionExtensions
         services.AddOptions(JwtBearerDefaults.AuthenticationScheme)
             .Configure((options, httpMessageHandlerFactory) =>
             {
+                // Since we don't manually set the Backchannel and the Post stage configuration shouldn't have
+                // ran yet we don't expect this option to be set. If it is set, it was likely set with a
+                // handler already and won't respect the BackchannelHttpHandler we are about to set.
+                Debug.Assert(options.Backchannel is null);
+
+                // Do a few debug checks to make sure we are customizing the expected options configured above.
+                Debug.Assert(!options.TokenValidationParameters.ValidateAudience);
+                Debug.Assert(options.TokenValidationParameters.ValidTypes.Single() == "at+jwt");
+                Debug.Assert(options.TokenValidationParameters.NameClaimType == ClaimTypes.Email);
                 options.BackchannelHttpHandler = httpMessageHandlerFactory.CreateHandler();
             });