Implementation
Details about the implementation of Entra at Texas A&M University are documented here.
Authentication Payload
Entra ID supports the following authentication protocols:
OpenID Connect
You can follow Microsoft documentation for OIDC integrations, also called "App Registrations" in Entra ID.
These do not require special permissions for basic directory information release (user.givenname, user.surname, user.userprincipalname).
SAML
SAML integrations, also called "Enterprise Applications", require the following information:
- Entity ID
- ACS/Reply URL
- Claims Required (such as eduPersonUniqueId or mail)
Application Permissions
In addition to getting attributes about users on sign-in, some third-party applications may request access to additional data within the Entra tenant using the Microsoft Graph, such as Directory.Read.All.
Admin Consent
Sometimes, as is the case with Directory.Read.All, this requires "Admin Consent".
- If the application requests additional data about a user using the "Delegated" permission model (meaning the user must authorize the release of this data), then it does not usually require Admin Consent.
- If the application is using the "Application" permission model, most data requires Admin Consent.
Approvals for Admin Consent are handled by the Cloud & Platform Security team (cloudsecurity@tamu.edu).
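The distinction above can be checked before a request reaches the approvers. In an Entra app manifest, each entry under requiredResourceAccess carries a type of "Scope" (Delegated) or "Role" (Application); Application roles always need Admin Consent, while a Delegated scope needs it only when the resource's catalog marks that scope as admin-consent ("Admin" rather than "User"). The following is an added example for reviewing a manifest this way; it is not Texas A&M tooling. The Microsoft Graph appId is the real well-known value, but the permission catalog and manifest are constructed stand-ins with placeholder IDs (in a real review the catalog would come from the Graph service principal's oauth2PermissionScopes and appRoles).

```python
"""Classify the Microsoft Graph permissions an Entra app registration
requests by the permission model and whether Admin Consent is needed.
Added example, not TAMU's own tooling."""
import json

# Well-known appId of the Microsoft Graph resource (first-party, real value).
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Constructed stand-in for the Graph service principal's permission catalog.
# oauth2PermissionScopes = Delegated permissions (type "User" or "Admin"),
# appRoles = Application permissions. The id values are placeholders.
GRAPH_CATALOG = {
    "oauth2PermissionScopes": [
        {"id": "scope-user-read", "value": "User.Read", "type": "User"},
        {"id": "scope-dir-read-all", "value": "Directory.Read.All", "type": "Admin"},
    ],
    "appRoles": [
        {"id": "role-dir-read-all", "value": "Directory.Read.All"},
    ],
}

# Constructed manifest excerpt, as a vendor might supply it. It asks for
# basic sign-in data plus Directory.Read.All under both permission models.
SAMPLE_MANIFEST = json.loads("""
{
  "requiredResourceAccess": [
    {
      "resourceAppId": "00000003-0000-0000-c000-000000000000",
      "resourceAccess": [
        {"id": "scope-user-read", "type": "Scope"},
        {"id": "scope-dir-read-all", "type": "Scope"},
        {"id": "role-dir-read-all", "type": "Role"}
      ]
    }
  ]
}
""")


def classify_permissions(manifest, catalog=GRAPH_CATALOG):
    """Return (permission name, model, needs_admin_consent) for each
    requested permission. needs_admin_consent is None when the permission
    cannot be resolved and must be reviewed by hand."""
    scopes = {s["id"]: s for s in catalog["oauth2PermissionScopes"]}
    roles = {r["id"]: r for r in catalog["appRoles"]}
    results = []
    for resource in manifest.get("requiredResourceAccess", []):
        app_id = resource.get("resourceAppId")
        for access in resource.get("resourceAccess", []):
            if app_id != GRAPH_APP_ID:
                # Only Graph is modelled here; other APIs go to manual review.
                results.append((f"{app_id}/{access['id']}", "Unknown", None))
            elif access["type"] == "Role":
                # Application permissions: no signed-in user, always Admin Consent.
                name = roles.get(access["id"], {}).get("value", access["id"])
                results.append((name, "Application", True))
            elif access["type"] == "Scope":
                # Delegated permissions: Admin Consent only for "Admin"-typed scopes.
                scope = scopes.get(access["id"])
                name = scope["value"] if scope else access["id"]
                flag = (scope["type"] == "Admin") if scope else None
                results.append((name, "Delegated", flag))
    return results


def needs_admin_consent(manifest, catalog=GRAPH_CATALOG):
    """True if any requested permission is known to require Admin Consent."""
    return any(flag is True for _, _, flag in classify_permissions(manifest, catalog))


if __name__ == "__main__":
    for name, model, flag in classify_permissions(SAMPLE_MANIFEST):
        verdict = {True: "Admin Consent", False: "user consent", None: "manual review"}[flag]
        print(f"{name:<22} {model:<12} {verdict}")
    print("Route to Cloud & Platform Security:", needs_admin_consent(SAMPLE_MANIFEST))
```

Run against the sample manifest, the script reports User.Read as user-consentable, both Directory.Read.All entries as requiring Admin Consent, and therefore that the request must go to the approvers named above.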
Vendor-Provided Application Installation
Some vendors may have enterprise application "installers" or web interfaces that list a requirement for being run by a Global Administrator, and automate setup by using that role.
It is the policy of Texas A&M University Technology Services' IT Security & Risk team to require vendors to instead explicitly enumerate the permissions they require in our environment. This policy is in alignment with control AC-6.