
Architecture

Parts of the Entra ID architecture are documented here for ease of use.

Authentication Flow

Entra uses two abstractions for authentication and authorization: the App Registration and the Enterprise Application.

For authentication, the primary difference between the two is where protocol configuration lives: OIDC configuration is handled in the App Registration, while SAML configuration is handled in the Enterprise Application.

Tip: Both an App Registration and an Enterprise Application are created for you when you create any new app using apps.identity.tamu.edu.

(Figure: Entra authentication flow diagram)

About Authorization In Entra

Authorization can be handled in a number of ways, but most authorization configuration is handled in the Enterprise Application abstraction. Custom claims can be configured there (both for OIDC and SAML), and group-based access to your app is controlled in the Enterprise Application regardless of whether you have chosen OIDC or SAML as the authentication protocol.
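Because group-based access lives on the Enterprise Application, it is only binding when that application's "Assignment required?" setting is on. The following added audit script (not part of this page or the identity service's own tooling) lists tenant application service principals that do not require assignment; it assumes the Microsoft Graph v1.0 servicePrincipals endpoint and its appRoleAssignmentRequired and preferredSingleSignOnMode properties, an access token carrying Application.Read.All, and uses a constructed sample for the offline check.

```python
"""Audit Enterprise Applications whose group-based access is not enforced.

In Microsoft Graph the Enterprise Application is the servicePrincipal object.
Its appRoleAssignmentRequired property is the portal's "Assignment required?"
switch: when it is False, any user in the tenant can sign in to the app and
the group assignments configured on it do not restrict access.
"""
import json
import urllib.request

GRAPH_URL = "https://graph.microsoft.com/v1.0/servicePrincipals"
FIELDS = "id,displayName,servicePrincipalType,appRoleAssignmentRequired,preferredSingleSignOnMode"


def fetch_service_principals(access_token: str) -> list[dict]:
    """Page through the tenant's service principals (token needs Application.Read.All)."""
    url = f"{GRAPH_URL}?$select={FIELDS}&$top=999"
    results: list[dict] = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        results.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # absent on the last page
    return results


def find_open_apps(service_principals: list[dict]) -> list[dict]:
    """Return application-type service principals that do not require assignment."""
    open_apps = []
    for sp in service_principals:
        # Managed identities and legacy/social IdP principals are not sign-in apps.
        if sp.get("servicePrincipalType") != "Application":
            continue
        if not sp.get("appRoleAssignmentRequired", False):
            open_apps.append({"id": sp["id"], "displayName": sp["displayName"],
                              "sso": sp.get("preferredSingleSignOnMode")})  # may be None for custom OIDC apps
    return open_apps


# Constructed sample shaped like Graph output, so the check runs offline.
SAMPLE_SPS = [
    {"id": "sp-1", "displayName": "Grades Portal", "servicePrincipalType": "Application",
     "appRoleAssignmentRequired": True, "preferredSingleSignOnMode": "saml"},
    {"id": "sp-2", "displayName": "Lab Scheduler", "servicePrincipalType": "Application",
     "appRoleAssignmentRequired": False, "preferredSingleSignOnMode": None},
    {"id": "sp-3", "displayName": "vm-identity", "servicePrincipalType": "ManagedIdentity",
     "appRoleAssignmentRequired": False, "preferredSingleSignOnMode": None},
]

if __name__ == "__main__":
    for app in find_open_apps(SAMPLE_SPS):
        print(f"assignment not required: {app['displayName']} ({app['id']}, sso={app['sso']})")
```

Against a live tenant, replace SAMPLE_SPS with fetch_service_principals(token); each hit is an app whose group assignments are advisory only.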

Attribute Matrix

Attributes in Entra are named according to an internal Microsoft schema. We've provided an attribute matrix to map Entra attributes to their upstream source attribute.

Entra ID Attribute                 Source Attribute
user.givenname                     givenName
user.surname                       lastName
user.displayname                   displayName
user.department                    tamuEduPersonDepartmentName
user.employeeid                    tamuEduPersonUIN
user.onpremisessamaccountname      tamuEduPersonNetID
user.userprincipalname             eduPersonPrincipalName