What do each of the Azure App Registration Endpoints do

Tunstall, Clarence R 31 Reputation points
2022-04-18T02:00:05.217+00:00

Under Azure Admin center where you can register apps, there are several Endpoints. I want detail information on each endpoint, why and how it's used and for what purpose. For example, I have an API application that uses MS Graph to Connect to my SharePoint. But I have other apps of other types to develop and in order to design my app I need to know what all of the Endpoints are and how they're use to best make my decisions. Please resist the temptation to design my app for me and simply answer my question or point me to a resource that can.

Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,408 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,631 questions
0 comments No comments
{count} vote

Accepted answer
  1. Shweta Mathur 29,756 Reputation points Microsoft Employee
    2022-04-18T11:56:47.113+00:00

    Hi @Tunstall, Clarence R ,

    Thanks for reaching out.

    I understand you are looking for detailed information on each endpoint mentioned on Application Registration page.

    Please find the description of each endpoint:

    1.OAuth 2.0 authorization endpoint (v2)
    https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize

    This is v2 authorization endpoint which is used to identify the user to get authenticated or obtain an authorization code and IdToken from Azure AD which is then later exchanged for an access token. This endpoint usually requires during OAuth 2.0 Authorization code grant flow to get authenticated using Microsoft identity platform endpoint.

    2.OAuth 2.0 token endpoint (v2)
    https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token

    The v2 token endpoint is used by the application in order to get an access token or a refresh token. It is used by all flows except for the Implicit Flow because in that case an access token is issued directly. This endpoint performs authentication and authorization in majority of application types, including server-based applications. It enables apps to securely acquire access tokens which can be used to access resources that are secured using the v2.0 endpoint.

    3.OAuth 2.0 authorization endpoint (v1)
    https://login.microsoftonline.com/{tenant-id}/oauth2/authorize

    This is similar to above one except it is used to get authorize code from v1 endpoint.

    4.OAuth 2.0 token endpoint (v1)
    https://login.microsoftonline.com/{tenant-id}/oauth2/token

    This is used to get access token from v1 endpoint.

    As mentioned, the above endpoint works similarly as mentioned above except these are v1 endpoints which authenticate and authorize Azure AD identities by requesting tokens from Azure AD v1.0 endpoint. Major difference between v1 and v2 endpoints are:
    Earlier Microsoft had two very distinct systems for authenticating users; Microsoft Account (or MSA) and Azure Active Directory (or Azure AD). Both served the same purpose but for very different audiences.
    The v2 Endpoint allows applications to authenticate both Microsoft Accounts and Azure AD accounts using a single OAUTH2 endpoint.
    We recommended to use v2 endpoints as v1 is going to be deprecated soon.

    5.OpenID Connect metadata document
    https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration

    Once you will get the access token using token endpoint, token need to verify to validate the authenticity of the JWT token’s data is by using Azure AD’s public key to verify the signature.
    You can obtain public key by calling the public Azure AD OpenID configuration endpoint and verify against the private key generated by Azure AD token.
    For validation, developers can decode JWTs using jwt.ms.

    6.Microsoft Graph API endpoint
    https://graph.microsoft.com

    You can make requests to Microsoft Graph API using access token obtained using Microsoft identity platform token endpoint. Microsoft Graph endpoint enables you to read and write based on the scopes in the access token to access Microsoft Cloud service resources.

    7.Federation metadata document
    https://login.microsoftonline.com/{tenant-id}/federationmetadata/2007-06/federationmetadata.xml

    Azure AD publishes federation metadata at this endpoint. This is tenant-specific federation metadata includes information about the tenant, including tenant-specific issuer and endpoint information. You can view the federation metadata document by typing this URL in a browser for your tenant.

    8.WS-Federation sign-on endpoint
    https://login.microsoftonline.com/{tenant-id}/wsfed

    This endpoint is used of single sign-in and single sign-out in WS-Federation protocol. The federation metadata includes the URL that Azure AD uses for WS-Federation in PassiveRequestorEndpoint element.

    9.SAML-P sign-on endpoint and SAML-P sign-out endpoint
    https://login.microsoftonline.com/{tenant-id}/saml2

    This endpoint is used of single sign-in and single sign-out in SAML 2.0 protocol. The federation metadata includes the URL that Azure AD uses for WS-Federation in PassiveRequestorEndpoint element.

    Hope this will help. If you have any other query regarding these endpoints, please let us know.

    Thanks,
    Shweta

    ------------------------------------------------------------------

    Please remember to "Accept Answer" if answer helped you.

    2 people found this answer helpful.

0 additional answers

Sort by: Most helpful