Implementation
Details about the implementation of Entra at Texas A&M University are documented here.
Authentication Payload
Entra ID supports the following authentication protocols:
OpenID Connect
You can follow Microsoft documentation for OIDC integrations, also called "App Registrations" in Entra ID.
These do not require special permissions for basic directory information release (user.givenname, user.surname, user.userprincipalname).
SAML
SAML integrations, also called "Enterprise Applications", require the following information:
- Entity ID
- ACS/Reply URL
- Claims Required (such as eduPersonUniqueId or mail)
Application Permissions
In addition to getting attributes about users on sign-in, some third-party applications may request access to additional data within the Entra tenant using the Microsoft Graph, such as Directory.Read.All.
Admin Consent
Sometimes, as is the case with Directory.Read.All, this requires "Admin Consent".
- If the application requests additional data about a user using the "Delegated" permission model (meaning the user must authorize the release of this data), then it does not usually require Admin Consent.
- If the application is using the "Application" permission model, most data requires Admin Consent.
Approvals for Admin Consent are handled by the Cloud & Platform Security team (cloudsecurity@tamu.edu).
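Added example (not part of this page or of any Microsoft tooling) showing how to pre-screen a request before sending it to the Cloud & Platform Security team: it reads the "requiredResourceAccess" block of an app registration manifest and, using the resource's published permission definitions, reports which requested permissions are Delegated versus Application and which will need Admin Consent. The GUIDs, the manifest and the resource description are all constructed placeholders; the field names mirror the Graph servicePrincipal shape (oauth2PermissionScopes with type "User"/"Admin", appRoles), which is assumed to be what you exported.

```python
import json
from typing import Dict, List

# Constructed sample: the "requiredResourceAccess" section of an app
# registration manifest. "Scope" = delegated permission, "Role" = application
# permission. All GUIDs are placeholders, not Microsoft's real ids.
MANIFEST_REQUIRED_RESOURCE_ACCESS = json.loads("""
[{"resourceAppId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
  "resourceAccess": [
    {"id": "11111111-1111-1111-1111-111111111111", "type": "Scope"},
    {"id": "22222222-2222-2222-2222-222222222222", "type": "Scope"},
    {"id": "33333333-3333-3333-3333-333333333333", "type": "Role"}]}]
""")

# Constructed description of the resource (Microsoft Graph) service principal.
# For a delegated scope, type "Admin" means the tenant requires admin consent;
# type "User" means the signing-in user can consent themselves.
RESOURCE_SERVICE_PRINCIPALS = [{
    "appId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
    "oauth2PermissionScopes": [
        {"id": "11111111-1111-1111-1111-111111111111", "value": "User.Read", "type": "User"},
        {"id": "22222222-2222-2222-2222-222222222222", "value": "Directory.Read.All", "type": "Admin"},
    ],
    # Application permissions (app roles) always require admin consent.
    "appRoles": [
        {"id": "33333333-3333-3333-3333-333333333333", "value": "Directory.Read.All"},
    ],
}]


def classify_requested_permissions(required_resource_access, resource_sps) -> List[Dict]:
    """One row per requested permission: name, permission model, admin consent needed."""
    sp_by_app_id = {sp["appId"]: sp for sp in resource_sps}
    rows = []
    for entry in required_resource_access:
        sp = sp_by_app_id.get(entry["resourceAppId"])
        if sp is None:
            raise ValueError(f"unknown resource appId {entry['resourceAppId']}")
        scopes = {s["id"]: s for s in sp["oauth2PermissionScopes"]}
        roles = {r["id"]: r for r in sp["appRoles"]}
        for access in entry["resourceAccess"]:
            if access["type"] == "Scope":  # Delegated: consent depends on scope type
                scope = scopes[access["id"]]
                rows.append({"permission": scope["value"], "model": "Delegated",
                             "admin_consent": scope["type"] == "Admin"})
            elif access["type"] == "Role":  # Application: always admin consent
                rows.append({"permission": roles[access["id"]]["value"],
                             "model": "Application", "admin_consent": True})
            else:
                raise ValueError(f"unexpected access type {access['type']}")
    return rows


def needs_admin_consent(rows: List[Dict]) -> List[str]:
    """Sorted 'Model:Permission' labels that must go through the Admin Consent process."""
    return sorted({f"{r['model']}:{r['permission']}" for r in rows if r["admin_consent"]})
```

Run against the constructed input, only User.Read is user-consentable; both forms of Directory.Read.All are flagged, matching the "Admin Consent" rules above.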