Hear from Salesforce leaders on how to create and deploy Agentforce agents.
Register now
Contact Us 1-800-596-4880
  1. Homepage
  2. Access Management
  3. Client Management

  4. Configuring Microsoft Entra ID Client Management

Configuring Microsoft Entra ID Client Management

Use Microsoft Entra ID (formerly Azure AD) as a client provider to authenticate and authorize API consumers with your existing Microsoft Entra ID configurations. Use dynamic client registration to configure Microsoft Entra ID client management with Anypoint Platform. Microsoft Entra ID configuration in Anypoint Platform also provides a stateless microservice to convert OAuth 2.0 client application registration requests to requests supported by Microsoft Entra ID.

You can’t configure Microsoft Entra ID (formerly Azure AD) as a client provider in MuleSoft Government Cloud.

Configuration Walkthrough

  1. Sign in to Anypoint Platform using an account that has the root Organization Administrator permission.

  2. In the navigation bar or the main Anypoint Platform page, click Access Management.

  3. In the Access Management navigation menu, click Client Providers.

  4. Click Add Client Provider, and then select OpenID Connect DCR for Microsoft Entra ID (Azure AD).

    The Add OIDC Microsoft Entra ID (Azure AD) client provider page appears.

  5. Enter a name and description for your client provider.

  6. Enter the following values from your identity provider’s configuration:

    1. Issuer: URL that the OpenID provider asserts is its trusted issuer.

    2. Tenant ID for Microsoft Entra ID: The tenant ID from Microsoft Entra ID. For more information on obtaining your tenant ID, see How to find your Microsoft Entra tenant IDLeaving the Site.

    3. Client ID: The client ID for an existing client in your identity provider (IdP) that is capable of creating applications in Microsoft Entra ID.

    4. Client Secret: The client secret that corresponds to the client ID.

  7. Expand the Advanced Settings section. The following selections are optional:

    1. Disable server certificate validation: Disables server certificate validation if your Microsoft Entra ID client management instance presents a self-signed certificate, or one signed by an internal certificate authority.

    2. Enable client deletion in Anypoint Platform: Enables the deletion of clients created with this integration.

    3. Enable client deletion and updates in IdP: To use this option, you must also select the Enable client deletion in Anypoint Platform option. This option enables you to update and delete external clients in the configured IdP through an outbound call made by Microsoft Entra ID to https://graph.microsoft.com/v1.0/applications/{clientId}Leaving the Site.

      For an example of the PATCH payload, see the Update applicationLeaving the Site documentation. For an example of the DELETE payload, see the Delete applicationLeaving the Site documentation.

  8. Click Create.

Microsoft Identity Platform Support

Anypoint Platform provides support for Microsoft Identity Platform access tokens, Microsoft Entra ID v2.0 endpoints, grant types, and client secrets.

Access Tokens

For your APIs, Microsoft Entra ID client management in Anypoint Platform supports both v1 and v2 JSON Web TokensLeaving the Site (JWTs) on Microsoft identity platform.

OAuth 2.0 Endpoints

Anypoint Platform supports only tokens obtained using Microsoft Entra ID v2.0 endpoints, also known as Microsoft identity platform endpoints. For example, Anypoint Platform supports the token endpoint: https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/tokenLeaving the Site.

Use the following properties when you are using the Authorization Code grant type to obtain a token:

Anypoint Platform does not support custom scopes. Use the default scope for Microsoft Graph.

Grant Types

For a list of supported OAuth 2.0 authorization code grant types, see the Microsoft identity platform documentationLeaving the Site.

When creating a new application with MicrosoftLeaving the Site, you can’t specify the supported OAuth 2.0 authorization code grant types. Because of this limitation on the Microsoft Entra ID side, Anypoint Platform doesn’t support selecting grant types.

Client Secrets

Client secrets (application password) use a string value in the Microsoft Entra application for authentication instead of a certificate for identity.

Client secrets are set to expire six months from the date of creation per Microsoft’s security recommendations and the expiration date can’t be reset.

You can create new client secrets in Anypoint Platform, but you must delete old or expired client secrets directly in your Microsoft account portal. It’s best practice to remove expired secrets promptly.

Limitations

Microsoft National Clouds

Anypoint Platform doesn’t support Microsoft Azure client providers deployed in Microsoft national clouds, such as Azure Government or Azure China 21Vianet.

Token Introspection

Microsoft Entra ID doesn’t provide an introspection endpoint out of the box, but Anypoint Platform has a policy that implements token introspection for you when you configure Microsoft Entra ID as a client provider following the previous flow.

When you create your client provider following the OpenID Connect DCR for Microsoft Entra ID flow, Anypoint Platform populates an introspect URL. You can view the URL using GET /accounts/api/organizations/{orgId}/clientProviders/{clientProviderId}.

During token introspection, Anypoint Platform calls https://graph.microsoft.com/v1.0Leaving the Site with your provided token. As long as the response to such a call isn’t a failure, the token is determined to be valid.

Use the token enforcement policy implementation version 1.7 and later so that during token introspection, Anypoint Platform calls https://graph.microsoft.com/v1.0Leaving the Site directly, bypassing the internal Anypoint Platform component.

To use this policy, follow the documentation on OAuth 2.0 Endpoints to generate supported tokens.

Token has been Revoked Error

When you attempt to enforce the OpenID Connect (OIDC) policy by invoking an Anypoint API using a valid token obtained from Microsoft Entra ID and get a Token has been revoked error, refer to OAuth 2.0 Endpoints to confirm that you obtained the token using a supported method. If the token validation still fails, contact Support.

See Also