
Implementation

Details about the implementation of Entra at Texas A&M University are documented here.

Authentication Payload

Entra ID supports the following authentication protocols:

OpenID Connect

OIDC integrations are configured as "App Registrations" in Entra ID; follow Microsoft's documentation for setting these up.

These do not require special permissions for basic directory information release (user.givenname, user.surname, user.userprincipalname).

SAML

SAML integrations, also called "Enterprise Applications", require the following information:

  • Entity ID
  • ACS/Reply URL
  • Claims Required (such as eduPersonUniqueId or mail)

Application Permissions

In addition to receiving attributes about users on sign-in, some third-party applications may request access to additional data within the Entra tenant through the Microsoft Graph API, for example the Directory.Read.All permission.

Sometimes, as is the case with Directory.Read.All, this requires "Admin Consent".

  • If the application requests additional data about a user under the "Delegated" permission model (meaning the signed-in user must authorize the release of their own data), it does not usually require Admin Consent.
  • If the application is using the "Application" permission model, most data requires Admin Consent.
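
The following is an added example, not part of the original page or of Texas A&M's tooling, showing how the two permission models above can be told apart in practice. Entra access tokens for Microsoft Graph carry delegated permissions in the `scp` claim and application permissions in the `roles` claim, and an app registration manifest lists requested permissions as type `Scope` (delegated) or `Role` (application). The tokens below are constructed, unsigned test data; the `DELEGATED_ADMIN_CONSENT` set is an assumed, partial list (the page only names Directory.Read.All), and application permissions are assumed to always require admin consent.

```python
import base64
import json

# Constructed sample data for this example (not real Entra tokens or app
# registrations). Graph access tokens issued by Entra carry delegated
# permissions in the 'scp' claim (space-separated string) and application
# permissions in the 'roles' claim (list of strings).
GRAPH_AUDIENCE = "https://graph.microsoft.com"

# Delegated (Scope) permissions that still require admin consent.
# Assumption: partial list for illustration; the page names
# Directory.Read.All, the second entry is an assumed extension.
DELEGATED_ADMIN_CONSENT = {"Directory.Read.All", "Directory.ReadWrite.All"}


def _b64url_encode(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(payload: dict) -> str:
    """Build a JWT-shaped string with an empty signature (test data only)."""
    header = _b64url_encode({"alg": "none", "typ": "JWT"})
    return f"{header}.{_b64url_encode(payload)}."


def token_claims(token: str) -> dict:
    """Return the payload claims of a JWT.

    The signature is NOT verified here; in production, validate the token
    against the Entra signing keys before trusting any claim.
    """
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def permission_model(claims: dict) -> str:
    """Classify a Graph token as Delegated, Application, or None."""
    if "scp" in claims:
        return "Delegated"
    if "roles" in claims:
        return "Application"
    return "None"


def granted_permissions(claims: dict) -> set:
    """Permissions the token actually carries, regardless of model."""
    if "scp" in claims:
        return set(claims["scp"].split())
    return set(claims.get("roles", []))


def consent_review(requested):
    """Triage requested permissions before approving an integration.

    `requested` is a list of (permission_name, type) pairs, mirroring the
    'Scope' / 'Role' types in an app manifest's requiredResourceAccess.
    Returns (needs_admin_consent, user_consentable), each sorted.
    """
    admin, user = [], []
    for name, kind in requested:
        if kind == "Role":
            # Assumption: application permissions always need admin consent.
            admin.append(name)
        elif kind == "Scope":
            (admin if name in DELEGATED_ADMIN_CONSENT else user).append(name)
        else:
            raise ValueError(f"unknown permission type {kind!r}")
    return sorted(admin), sorted(user)


if __name__ == "__main__":
    # Constructed tokens: one issued under each permission model.
    delegated = make_unsigned_token(
        {"aud": GRAPH_AUDIENCE, "scp": "User.Read Directory.Read.All"})
    application = make_unsigned_token(
        {"aud": GRAPH_AUDIENCE, "roles": ["Directory.Read.All"]})
    for tok in (delegated, application):
        claims = token_claims(tok)
        print(permission_model(claims), sorted(granted_permissions(claims)))

    # Constructed request, as a reviewer would see it in an app manifest.
    print(consent_review([("User.Read", "Scope"),
                          ("Directory.Read.All", "Scope"),
                          ("Mail.Read", "Role")]))
```

A token with `roles` was obtained with the client-credentials flow and no user was involved, so whatever it lists is tenant-wide access that only an administrator could have consented to; that is the case the approval process below exists for.
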

Approval Requests

Approvals for Admin Consent are handled by the Cloud & Platform Security team (cloudsecurity@tamu.edu).