Skip to main content

Implementation

Details about the implementation of Entra at Texas A&M University are documented here.

Authentication Payload

Entra ID supports the following authentication protocols:

OpenID Connect

You can follow Microsoft documentation for OIDC integrations, also called "App Registrations" in Entra ID.

These do not require special permissions for basic directory information release (user.givenname, user.surname, user.userprincipalname).

SAML

SAML integrations, also called "Enterprise Applications", require the following information:

  • Entity ID
  • ACS/Reply URL
  • Claims Required (such as eduPersonUniqueId or mail)

Application Permissions

In addition to getting attributes about users on sign-in, some third-party applications may request access to additional data within the Entra tenant using the Microsoft Graph, such as Directory.Read.All.

Sometimes, as is the case with Directory.Read.All, this requires "Admin Consent".

  • If the application requests addtional data about a user using the "Delegated" permission model (meaning the user must authorize the release of this data), then it does not usually require Admin Consent.
  • If the application is using the "Application" permission model, most data requires Admin Consent.
Approval Requests

Approvals for Admin Consent are handled by the Cloud & Platform Security team (cloudsecurity@tamu.edu).

Vendor-Provided Application Installation

Some vendors may have enterprise application "installers" or web interfaces that list a requirement for being run by a Global Administrator, and automate setup by using that role.

It is the policy of Texas A&M University Technology Services' IT Security & Risk team to require vendors to instead explicitly enumerate the permissions they require in our enviroment. This policy is in alignment with control AC-6.