Configuring Microsoft Entra ID Client Management
You can use dynamic client registration to configure Microsoft Entra ID (formerly Azure AD), client management with Anypoint Platform. Using Microsoft Entra ID as a client provider enables you to authenticate and authorize API consumers with your existing Microsoft Entra ID configurations. Microsoft Entra ID configuration in Anypoint Platform also provides a stateless microservice to convert OAuth 2.0 client application registration requests to requests supported by Microsoft Entra ID.
Configuration Walkthrough
-
Sign in to Anypoint Platform using an account that has the root Organization Administrator permission.
-
In the navigation bar or the main Anypoint Platform page, click Access Management.
-
In the Access Management navigation menu, click Client Providers.
-
Click Add Client Provider, and then select OpenID Connect DCR for Microsoft Entra ID (Azure AD).
The Add OIDC Microsoft Entra ID (Azure AD) client provider page appears.
-
Enter a name and description for your client provider.
-
Enter the following values from your identity provider’s configuration:
-
Issuer: URL that the OpenID provider asserts is its trusted issuer.
-
Tenant ID for Microsoft Entra ID: The tenant ID from Microsoft Entra ID. For more information on obtaining your tenant ID, see How to find your Microsoft Entra tenant ID.
-
Client ID: The client ID for an existing client in your identity provider (IdP) that is capable of creating applications in Microsoft Entra ID.
-
Client Secret: The client secret that corresponds to the client ID.
-
-
Expand the Advanced Settings section. The following selections are optional:
-
Disable server certificate validation: Disables server certificate validation if your Microsoft Entra ID client management instance presents a self-signed certificate, or one signed by an internal certificate authority.
-
Enable client deletion in Anypoint Platform: Enables the deletion of clients created with this integration.
-
Enable client deletion and updates in IdP: To use this option, you must also select the Enable client deletion in Anypoint Platform option. This option enables you to update and delete external clients in the configured IdP through an outbound call made by Microsoft Entra ID to
https://graph.microsoft.com/v1.0/applications/{clientId}
.For an example of the
PATCH
payload, see the Update application documentation. For an example of theDELETE
payload, see the Delete application documentation.
-
-
Click Create.
Microsoft Identity Platform Support
Anypoint Platform provides support for Microsoft Identity Platform access tokens, Microsoft Entra ID v2.0 endpoints, grant types, and client secrets.
Access Tokens
For your APIs, Microsoft Entra ID client management in Anypoint Platform supports both v1 and v2 JSON Web Tokens (JWTs) on Microsoft identity platform.
OAuth 2.0 Endpoints
Anypoint Platform supports only tokens obtained using Microsoft Entra ID v2.0 endpoints, also known as Microsoft identity platform endpoints. For example, Anypoint Platform supports the token endpoint: https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token
.
Use the following properties when you are using the Authorization Code grant type to obtain a token:
-
authorize url
:https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize
-
token url
:https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token
-
client id
: {your client id} -
client secret
: {your client secret}
Anypoint Platform does not support custom scopes. Use the default scope for Microsoft Graph.
Grant Types
For a list of supported OAuth 2.0 authorization code grant types, see the Microsoft identity platform documentation.
When creating a new application with Microsoft, you can’t specify the supported OAuth 2.0 authorization code grant types. Because of this limitation on the Microsoft Entra ID side, Anypoint Platform doesn’t support selecting grant types.
Client Secrets
Client secrets (application password) use a string value in the Microsoft Entra application to authenticate instead of a certificate for identity.
Client secrets are set to expire six months from the date of creation per Microsoft’s security recommendations.
You can create new client secrets in Anypoint Platform, but you can’t remove old or expired secrets from your Microsoft account from Anypoint Platform. You must delete old and expired client secrets in your Microsoft account. It’s best practice to remove expired secrets promptly.
Token Introspection
Although Microsoft Entra ID doesn’t provide an introspection endpoint out of the box, Anypoint Platform has a policy that implements token introspection for you when you configure Microsoft Entra ID as a client provider following the previous flow.
When you create your client provider following the OpenID Connect DCR for Microsoft Entra ID flow, Anypoint Platform populates an introspect URL. You can view the URL using GET /accounts/api/organizations/{orgId}/clientProviders/{clientProviderId}
.
When token introspection happens, Anypoint Platform calls https://graph.microsoft.com/v1.0
with your provided token. As long as the response to such a call isn’t a failure, the token is determined to be valid.
To use this policy, follow the documentation on OAuth 2.0 Endpoints to generate supported tokens.
Token has been Revoked Error
When you attempt to enforce the OpenID Connect (OIDC) policy by invoking an Anypoint API using a valid token obtained from Microsoft Entra ID and get a Token has been revoked
error, refer to OAuth 2.0 Endpoints to confirm that you obtained the token using a supported method. If the token validation still fails, contact Support.