salesforce Dreamforce On-Demand
Contact Us 1-800-596-4880
  1. Homepage
  2. Access Management
  3. Client Providers

  4. Configure Azure Client Management

Configure Azure Active Directory Client Management

You can use dynamic client registration to configure Azure Active Directory (Azure AD) client management with Anypoint Platform. Using Azure AD as a client provider enables you to authenticate and authorize API consumers with your existing configurations. Azure AD configuration in Anypoint Platform also provides a stateless microservice to convert OAuth 2.0 client application registration requests to requests supported by Azure AD.

Configuration Walkthrough

  1. Log in to Anypoint Platform using an account that has the Organization Administrator permission.

  2. In the navigation bar or the main Anypoint Platform page, click Access Management.

  3. In the Access Management navigation menu, click Client Providers.

  4. Click Add Client Provider, and then select OpenID Connect DCR for Azure.

    The Add OIDC Azure client provider page appears.

  5. Enter a name and description for your client provider.

  6. Enter the following values from your identity provider’s configuration:

    1. Issuer: URL that the OpenID provider asserts is its trusted issuer.

    2. Tenant ID for Azure AD: The tenant ID from Azure AD. For more information on obtaining your tenant ID, see How to find your Azure Active Directory tenant ID.

    3. Client ID: The client ID for an existing client in your identity provider (IdP) that is capable of creating applications in Azure AD.

    4. Client Secret: The client secret that corresponds to the client ID.

  7. Expand the Advanced Settings section. The following selections are optional:

    1. Disable server certificate validation: Disables server certificate validation if your Azure AD client management instance presents a self-signed certificate, or one signed by an internal certificate authority.

    2. Enable client deletion in Anypoint Platform: Enables the deletion of clients created with this integration.

    3. Enable client deletion and updates in IdP: To use this option, you must also select the Enable client deletion in Anypoint Platform option. This option enables you to update and delete external clients in the configured IdP through an outbound call made by Azure AD to https://graph.microsoft.com/v1.0/applications/{clientId}.

      For an example of the PATCH payload, see the Update application documentation. For an example of the DELETE payload, see the Delete application documentation.

      Client secrets updates are not currently supported.

  8. Click Create.

Microsoft Identity Platform Support

Access Tokens

For your APIs, Azure AD client management in Anypoint Platform supports both v1 and v2 JSON Web Tokens (JWTs) on Microsoft identity platform.

OAuth 2.0 Endpoints

Anypoint Platform supports only tokens obtained using Azure AD v2.0 endpoints, also known as Microsoft identity platform endpoints. For example, Anypoint Platform supports the token endpoint: https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token.

Use the following properties when you are using the Authorization Code grant type to obtain a token:

Anypoint Platform does not support custom scopes. Use the default scope for Microsoft Graph.

Grant Types

When creating a new application with Microsoft Azure AD client provider, you can’t specify the supported grant types. Because of this limitation on the Microsoft Azure AD side, Anypoint Platform does not support selecting grant types.

For a list of supported grant types, see the Microsoft identity platform documentation.

Client Secrets

Initial secrets expiration is set to 6 months per Microsoft recommendation.

Limitations

Microsoft National Clouds

Anypoint Platform does not support Azure AD client providers deployed in Microsoft national clouds, such as Azure Government or Azure China 21Vianet.

Token Validation

Although Microsoft Azure AD does not provide an introspection endpoint out of the box, Anypoint Platform has a policy that implements token introspection for token validation when you use Azure AD as a client provider.

To use this policy, follow the documentation on OAuth2.0 Endpoints to generate supported tokens.

Token has been Revoked Error

When you attempt to enforce the OIDC policy by invoking an Anypoint API using a valid token obtained from Azure AD and get a Token has been revoked error, refer to the documentation on OAuth 2.0 endpoints to confirm that you have obtained the token using a supported method. If the token validation still fails, contact Support.

See Also