Does the session cookie generated using microsoft Azure AD store any personal Identifying information

Raymond Williamson 0 Reputation points
2024-04-09T20:28:56.67+00:00

Hi,

We use Azure AD authentication for MFA and SSO. We would like to know of the session cookie stores any personally identifying information?

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,884 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Marilee Turscak-MSFT 36,851 Reputation points Microsoft Employee
    2024-04-11T00:20:51.89+00:00

    @Raymond Williamson ,

    In the documentation for app sign-in flow, the session cookie is described this way:

    A cookie is saved, associated with a Microsoft Entra domain, that contains the identity of the user in the browser's cookie jar. The next time an app uses the browser to navigate to the Microsoft identity platform authorization endpoint, the browser presents the cookie so that the user doesn't have to sign in again. This is also the way that SSO is achieved. The cookie is produced by Microsoft Entra ID and can only be understood by Microsoft Entra ID. The web app then validates the token. If the validation succeeds, the web app displays the protected page and saves a session cookie in the browser's cookie jar. When the user navigates to another page, the web app knows that the user is authenticated based on the session cookie.

    "The cookie is produced by Microsoft Entra ID and can only be understood by Microsoft Entra ID."

    Let me know if this addresses your concerns or if you are looking for any more detail. I've also reached out to the product team to see if they can add more context around these statements.

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar questions.

    0 comments No comments

  2. Marilee Turscak-MSFT 36,851 Reputation points Microsoft Employee
    2024-04-11T17:07:59.2966667+00:00

    To add to this, the cookie list for ESTS can be found here:

    https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-web-browser-cookies

    My understanding is that these cookies follow .NET standards and encrypt data that may contain PII information before issuing it as a cookie. Can you provide more details about why you need this information?

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.