Azure AD discouraged configurations

James 21 Reputation points
2020-12-31T09:14:00.977+00:00

Hi,

I am setting up my own app and saw there are some discouraged configurations in integration assistant, including

  1. Do not configure a credential (certificate/secret).
  2. If you are using the authorization code flow, disable the implicit grant settings; and
  3. Do not configure an Application ID URI

May I know why they are discouraged, or where I can find the relevant documents? Also, I would like to know what will happen if I disable all of them.

Thanks in advance.


Accepted answer
  1. 2020-12-31T19:36:45.307+00:00

    Hello, adding on @mirba-msft answer please take into consideration the following:

    1. You can use a client certificate which is more secure than a secret since you can remove the private key, protect it with a password or disable its exportation.
    2. Besides the risk of third-party cookies being blocked, implicit flow is not as secure as authorization code flow with PKCE, which is currently supported by the latest MSAL for .NET and JavaScript libraries.
    3. Application ID URI is only required when you are exposing your own scopes (as an API). Also it will be set when configuring SAML SSO (as enterprise application).

    Please let me know if you need more help. If the answer was helpful to you, please accept it and, optionally, provide feedback so that other members in the community can benefit from it.


1 additional answer

  1. mirba-msft 651 Reputation points Microsoft Employee
    2020-12-31T14:23:21.577+00:00

    Hello @James

    Thank you for reaching out to us.

    In regard to your concern, please find the answers below.

    If you are using the authorization code flow, disable the implicit grant settings

    With the plans for third party cookies to be removed from browsers, the implicit grant flow is no longer a suitable authentication method. The silent SSO features of the implicit flow do not work without third party cookies, causing applications to break when they attempt to get a new token. We strongly recommend that all new applications use the authorization code flow that now supports single page apps in place of the implicit flow, and that existing single page apps begin migrating to the authorization code flow as well.

    Please look into this article for more information.

    For the following questions below, we are reviewing the query and checking the details at our end. Please allow us some time to check the details and we shall get back to you with a concrete update ASAP.

    Do not configure a credential (certificate/secret).

    Do not configure an Application ID URI

