
Configuring Microsoft Entra ID Client Management

You can use dynamic client registration to configure Microsoft Entra ID (formerly Azure AD) client management with Anypoint Platform. Using Microsoft Entra ID as a client provider enables you to authenticate and authorize API consumers with your existing Microsoft Entra ID configuration. Microsoft Entra ID configuration in Anypoint Platform also provides a stateless microservice that converts OAuth 2.0 client application registration requests into requests supported by Microsoft Entra ID.

Configuration Walkthrough

  1. Sign in to Anypoint Platform using an account that has the Organization Administrator permission.

  2. In the navigation bar or the main Anypoint Platform page, click Access Management.

  3. In the Access Management navigation menu, click Client Providers.

  4. Click Add Client Provider, and then select OpenID Connect DCR for Microsoft Entra ID (Azure AD).

    The Add OIDC Microsoft Entra ID (Azure AD) client provider page appears.

  5. Enter a name and description for your client provider.

  6. Enter the following values from your identity provider’s configuration:

    1. Issuer: URL that the OpenID provider asserts is its trusted issuer.

    2. Tenant ID for Microsoft Entra ID: The tenant ID from Microsoft Entra ID. For more information on obtaining your tenant ID, see How to find your Microsoft Entra tenant ID.

    3. Client ID: The client ID for an existing client in your identity provider (IdP) that is capable of creating applications in Microsoft Entra ID.

    4. Client Secret: The client secret that corresponds to the client ID.

  7. Expand the Advanced Settings section. The following selections are optional:

    1. Disable server certificate validation: Disables server certificate validation if your Microsoft Entra ID client management instance presents a self-signed certificate, or one signed by an internal certificate authority.

    2. Enable client deletion in Anypoint Platform: Enables the deletion of clients created with this integration.

    3. Enable client deletion and updates in IdP: To use this option, you must also select the Enable client deletion in Anypoint Platform option. This option enables you to update and delete external clients in the configured IdP through an outbound call made by Microsoft Entra ID to https://graph.microsoft.com/v1.0/applications/{clientId}.

      For an example of the PATCH payload, see the Update application documentation. For an example of the DELETE payload, see the Delete application documentation.

  8. Click Create.

Microsoft Identity Platform Support

Anypoint Platform provides support for Microsoft Identity Platform access tokens, Microsoft Entra ID v2.0 endpoints, grant types, and client secrets.

Access Tokens

For your APIs, Microsoft Entra ID client management in Anypoint Platform supports both v1 and v2 JSON Web Tokens (JWTs) on the Microsoft identity platform.

OAuth 2.0 Endpoints

Anypoint Platform supports only tokens obtained using Microsoft Entra ID v2.0 endpoints, also known as Microsoft identity platform endpoints. For example, Anypoint Platform supports the token endpoint: https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token.

Use the following properties when you are using the Authorization Code grant type to obtain a token:

Anypoint Platform does not support custom scopes. Use the default scope for Microsoft Graph.

Grant Types

For a list of supported OAuth 2.0 authorization code grant types, see the Microsoft identity platform documentation.

When creating a new application with Microsoft, you can’t specify the supported OAuth 2.0 authorization code grant types. Because of this limitation on the Microsoft Entra ID side, Anypoint Platform doesn’t support selecting grant types.

Client Secrets

A client secret (application password) is a string value that the Microsoft Entra application uses to authenticate, in place of a certificate, to prove its identity.

Client secrets are set to expire six months from the date of creation per Microsoft’s security recommendations.

You can create new client secrets in Anypoint Platform, but you can’t remove old or expired secrets from your Microsoft account from Anypoint Platform. You must delete old and expired client secrets in your Microsoft account. It’s best practice to remove expired secrets promptly.

Limitations

Microsoft National Clouds

Anypoint Platform does not support Microsoft Azure client providers deployed in Microsoft national clouds, such as Azure Government or Azure China 21Vianet.

Token Validation

Although Microsoft Entra ID doesn’t provide an introspection endpoint out of the box, Anypoint Platform has a policy that implements token introspection for token validation when you use Microsoft Entra ID as a client provider.

To use this policy, follow the documentation on OAuth 2.0 Endpoints to generate supported tokens.

Token has been Revoked Error

When you attempt to enforce the OpenID Connect (OIDC) policy by invoking an Anypoint API using a valid token obtained from Microsoft Entra ID and get a Token has been revoked error, refer to OAuth 2.0 Endpoints to confirm that you obtained the token using a supported method. If the token validation still fails, contact Support.
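To make the supported token flow concrete, here is an added example (not MuleSoft's or Microsoft's code) that builds the authorization-code request against the v2.0 token endpoint with the Microsoft Graph default scope, and decodes a token's claims to check the issuer tenant and expiry before you open a support case. The tenant, client, code and redirect values are assumed placeholders, and the claim decoding is for inspection only, not validation.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Added example, not MuleSoft/Microsoft code; assumes standard OAuth 2.0 params and the Graph default scope.
GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"

def build_token_request(tenant_id, client_id, client_secret, code, redirect_uri):
    """(url, form_body) for the authorization-code exchange at the v2.0 endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,  # keep out of logs and source control
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": GRAPH_DEFAULT_SCOPE,  # custom scopes are not supported
    })
    return url, body

def _b64url_decode(segment):
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token):
    """Read the JWT payload for troubleshooting only; the signature is NOT
    verified here. Validation belongs to the Anypoint introspection policy."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))

def check_token(token, tenant_id, now=None):
    """Return findings (empty list = none): issuer outside the tenant, or expired."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    findings = []
    # v1-format tokens carry the sts.windows.net issuer, v2-format tokens the
    # login.microsoftonline.com/{tenant}/v2.0 issuer; Anypoint accepts both formats.
    expected = {f"https://sts.windows.net/{tenant_id}/",
                f"https://login.microsoftonline.com/{tenant_id}/v2.0"}
    if claims.get("iss") not in expected:
        findings.append(f"issuer {claims.get('iss')!r} is not tenant {tenant_id}")
    if claims.get("exp", 0) <= now:
        findings.append("token is expired")
    return findings

def unsigned_test_token(claims):
    """Constructed, unsigned JWT (alg none, empty signature) for local tests only."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

If `check_token` returns an issuer finding, the token was issued for a different tenant than the client provider is configured with; if it returns no findings and the policy still rejects the token, follow the Support route above.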