I apologize for the time it took to get the information back. Since it's a grey area, it took me longer than expected to respond. I appreciate your time and response on this.
Here is the response I got from the feature owners:
We do not support FAL 3 for federated domains that use WS-Fed or SAML to the IdP. With the advent of DPoP (Proof-of-Possession (PoP) tokens - Microsoft Authentication Library for .NET | Microsoft Learn), from an MS first-party app perspective, we will be able to assert that we support FAL 3. Adding SAML apps to Entra ID also at this time would not support FAL 3. OpenID apps added to Entra ID would have to use MSAL libraries in the app to use DPoP.
- All Azure AD tokens are signed and as such meet FAL1.
- Azure AD can encrypt SAML/OIDC tokens and as such would meet FAL2.
- When Token Binding is used (e.g., applications such as EXO, SPO), Azure AD would be able to meet FAL3.
Thanks,
Akshay Kaushik
Please "Accept the answer" (Yes), and share your feedback if the suggestion answers your query. This will help us and others in the community as well.
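To make the third bullet of the answer above concrete, here is an added example (not part of the answer, and not Entra ID or MSAL code) of what proof-of-possession binding looks like on the wire, using DPoP as defined in RFC 9449. The issuer records the RFC 7638 thumbprint of the client's key in the access token's cnf.jkt claim; on every request the client sends a fresh proof JWT signed with that key, and the resource server accepts the token only when the proof verifies, names this request and this token, and comes from the bound key. The opaque token format, the key names and the https://rs.example/api/mail endpoint are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

func b64url(b []byte) string    { return base64.RawURLEncoding.EncodeToString(b) }
func pad32(n *big.Int) []byte   { return n.FillBytes(make([]byte, 32)) }
func sha(s string) string       { h := sha256.Sum256([]byte(s)); return b64url(h[:]) }
func randb(n int) []byte        { b := make([]byte, n); rand.Read(b); return b }
func bigFrom(s string) *big.Int { b, _ := base64.RawURLEncoding.DecodeString(s); return new(big.Int).SetBytes(b) }

// toJWK renders a P-256 public key as the JWK carried in the DPoP proof header.
func toJWK(pub *ecdsa.PublicKey) map[string]string {
	return map[string]string{"kty": "EC", "crv": "P-256", "x": b64url(pad32(pub.X)), "y": b64url(pad32(pub.Y))}
}

// thumbprint is the RFC 7638 JWK thumbprint (required members, lexicographic order, no whitespace, SHA-256); the issuer stores it as cnf.jkt.
func thumbprint(k map[string]string) string {
	return sha(fmt.Sprintf(`{"crv":%q,"kty":%q,"x":%q,"y":%q}`, k["crv"], k["kty"], k["x"], k["y"]))
}

// newProof is the client side: a fresh ES256-signed proof per request, bound to the HTTP method, the URL and the token hash (RFC 9449 htm, htu, ath).
func newProof(priv *ecdsa.PrivateKey, method, url, token string, now time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": toJWK(&priv.PublicKey)})
	body, _ := json.Marshal(map[string]any{"jti": b64url(randb(16)), "htm": method, "htu": url, "iat": now.Unix(), "ath": sha(token)})
	input := b64url(hdr) + "." + b64url(body)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64url(append(pad32(r), pad32(s)...)), nil
}

// verifyProof is the resource-server side. boundJKT is the cnf.jkt carried by the access token, so a stolen
// bearer string is useless without the matching private key. (jti replay tracking and RFC 9449 server nonces are omitted.)
func verifyProof(proof, method, url, token, boundJKT string, now time.Time) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return errors.New("malformed proof")
	}
	rawH, errH := base64.RawURLEncoding.DecodeString(parts[0])
	rawC, errC := base64.RawURLEncoding.DecodeString(parts[1])
	sig, errS := base64.RawURLEncoding.DecodeString(parts[2])
	// encoding/json matches field names case-insensitively, so the lowercase JWT names bind to these fields.
	var hdr struct{ Typ, Alg string; JWK map[string]string }
	var c struct{ Jti, Htm, Htu, Ath string; Iat int64 }
	if errH != nil || errC != nil || errS != nil || len(sig) != 64 ||
		json.Unmarshal(rawH, &hdr) != nil || json.Unmarshal(rawC, &c) != nil ||
		hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.JWK["kty"] != "EC" || hdr.JWK["crv"] != "P-256" {
		return errors.New("undecodable or unsupported proof")
	}
	// Holder-of-key check: the presenter's key must be the one the token was bound to.
	if thumbprint(hdr.JWK) != boundJKT {
		return errors.New("proof key does not match the token's cnf.jkt")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: bigFrom(hdr.JWK["x"]), Y: bigFrom(hdr.JWK["y"])}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !pub.Curve.IsOnCurve(pub.X, pub.Y) || !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("bad proof signature")
	}
	// Request binding: the proof must name this method, this URL, this very token, and be fresh.
	if c.Htm != method || c.Htu != url || c.Ath != sha(token) || now.Unix()-c.Iat > 300 || c.Iat-now.Unix() > 60 {
		return errors.New("proof is for a different request or token, or is stale")
	}
	return nil
}

// issueBoundToken stands in for the authorization server: an opaque token (constructed, not an Entra ID token) bound to the client's key via cnf.jkt.
func issueBoundToken(clientPub *ecdsa.PublicKey) (value, jkt string) {
	return b64url(randb(24)), thumbprint(toJWK(clientPub))
}

// demo runs three presentations: the legitimate holder, a thief with the token string but not the key, and a replay against another request.
func demo() (legitErr, stolenErr, replayErr error) {
	clientKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	attackerKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	token, jkt := issueBoundToken(&clientKey.PublicKey)
	now := time.Now()
	const method, url = "GET", "https://rs.example/api/mail" // constructed endpoint
	p1, _ := newProof(clientKey, method, url, token, now)
	legitErr = verifyProof(p1, method, url, token, jkt, now)
	p2, _ := newProof(attackerKey, method, url, token, now)
	stolenErr = verifyProof(p2, method, url, token, jkt, now)
	replayErr = verifyProof(p1, "POST", url, token, jkt, now)
	return
}
func main() { fmt.Println(demo()) }
```

Run with `go run`; the three printed values are nil for the legitimate holder and errors for the thief and for the replay. The point behind the answer's FAL mapping is visible in the second case: the attacker holds the exact bearer string but cannot produce a proof whose key thumbprint matches cnf.jkt, which is what a signed-only (FAL1) or signed-and-encrypted (FAL2) assertion cannot give you once the token has leaked. A real deployment would also reject reused jti values and use the server nonce mechanism from RFC 9449, both omitted here.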