question

TunstallClarenceR-2381 asked SnehaAgrawal-MSFT edited

What do each of the Azure App Registration Endpoints do

Under the Azure admin center where you can register apps, there are several Endpoints. I want detailed information on each endpoint: why and how it's used and for what purpose. For example, I have an API application that uses MS Graph to connect to my SharePoint. But I have other apps of other types to develop, and in order to design my app I need to know what all of the Endpoints are and how they're used, to best make my decisions. Please resist the temptation to design my app for me and simply answer my question or point me to a resource that can.

azure-active-directory azure-webapps

1 Answer

ShwetaMathur answered ShwetaMathur edited

Hi @TunstallClarenceR-2381,

Thanks for reaching out.

I understand you are looking for detailed information on each endpoint mentioned on the Application Registration page.

Please find the description of each endpoint:

1. OAuth 2.0 authorization endpoint (v2)
https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize

This is the v2 authorization endpoint, which is used to identify the user (get them authenticated) or obtain an authorization code and ID token from Azure AD, which is then later exchanged for an access token. This endpoint is usually required during the OAuth 2.0 authorization code grant flow to get authenticated using the Microsoft identity platform endpoint.

2. OAuth 2.0 token endpoint (v2)
https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token

The v2 token endpoint is used by the application in order to get an access token or a refresh token. It is used by all flows except for the implicit flow, because in that case an access token is issued directly. This endpoint performs authentication and authorization in the majority of application types, including server-based applications. It enables apps to securely acquire access tokens which can be used to access resources that are secured using the v2.0 endpoint.

3. OAuth 2.0 authorization endpoint (v1)
https://login.microsoftonline.com/{tenant-id}/oauth2/authorize

This is similar to the above one, except it is used to get an authorization code from the v1 endpoint.

4. OAuth 2.0 token endpoint (v1)
https://login.microsoftonline.com/{tenant-id}/oauth2/token

This is used to get an access token from the v1 endpoint.

As mentioned, the above endpoints work similarly to those mentioned above, except these are v1 endpoints which authenticate and authorize Azure AD identities by requesting tokens from the Azure AD v1.0 endpoint. The major differences between the v1 and v2 endpoints are:
Earlier, Microsoft had two very distinct systems for authenticating users: Microsoft Account (or MSA) and Azure Active Directory (or Azure AD). Both served the same purpose but for very different audiences.
The v2 endpoint allows applications to authenticate both Microsoft Accounts and Azure AD accounts using a single OAuth 2.0 endpoint.
We recommend using the v2 endpoints, as v1 is going to be deprecated soon.

5. OpenID Connect metadata document
https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration

Once you get the access token using the token endpoint, the token needs to be verified; the way to validate the authenticity of the JWT token's data is by using Azure AD's public key to verify the signature.
You can obtain the public key by calling the public Azure AD OpenID configuration endpoint and verify against the private key generated by the Azure AD token.
For validation, developers can decode JWTs using jwt.ms.

6. Microsoft Graph API endpoint
https://graph.microsoft.com

You can make requests to the Microsoft Graph API using an access token obtained from the Microsoft identity platform token endpoint. The Microsoft Graph endpoint enables you to read and write Microsoft cloud service resources, based on the scopes in the access token.

7. Federation metadata document
https://login.microsoftonline.com/{tenant-id}/federationmetadata/2007-06/federationmetadata.xml

Azure AD publishes federation metadata at this endpoint. This tenant-specific federation metadata includes information about the tenant, including tenant-specific issuer and endpoint information. You can view the federation metadata document by typing this URL in a browser for your tenant.

8. WS-Federation sign-on endpoint
https://login.microsoftonline.com/{tenant-id}/wsfed

This endpoint is used for single sign-in and single sign-out in the WS-Federation protocol. The federation metadata includes the URL that Azure AD uses for WS-Federation in the PassiveRequestorEndpoint element.

9. SAML-P sign-on endpoint and SAML-P sign-out endpoint
https://login.microsoftonline.com/{tenant-id}/saml2

This endpoint is used for single sign-in and single sign-out in the SAML 2.0 protocol. The federation metadata includes the URL that Azure AD uses for WS-Federation in the PassiveRequestorEndpoint element.


Hope this will help. If you have any other query regarding these endpoints, please let us know.

Thanks,
Shweta


Please remember to "Accept Answer" if the answer helped you.
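Added example (not part of the answer above, and not Microsoft's code): the checks a resource API should run on a v2 token before trusting it, tying the token's header and claims back to the OpenID Connect metadata document and the JWKS it points to. The metadata document, JWKS, tenant ID, client ID and the token itself are constructed placeholders; the RS256 signature check against the returned JWK is a separate step done with a crypto library and is not shown.

```python
import base64
import json

# Constructed sample of the tenant's OpenID Connect metadata document (v2.0); in real
# use it is fetched from .../{tenant-id}/v2.0/.well-known/openid-configuration.
TENANT_ID = "00000000-0000-0000-0000-000000000001"  # placeholder tenant id
METADATA = {
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "jwks_uri": "https://login.microsoftonline.com/common/discovery/v2.0/keys",
}
# Constructed JWKS as served at jwks_uri; only the key id is needed for the lookup here.
JWKS = {"keys": [{"kty": "RSA", "kid": "constructed-kid-1", "use": "sig"}]}
CLIENT_ID = "11111111-1111-1111-1111-111111111111"  # placeholder app (client) id


def _b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment; JWTs omit '=' padding, so restore it."""
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


def make_token(claims: dict, kid: str = "constructed-kid-1", alg: str = "RS256") -> str:
    """Build a constructed test token; the signature segment is a placeholder."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': alg, 'typ': 'JWT', 'kid': kid})}.{enc(claims)}.sig"


def check_token(token: str, now: int) -> tuple[dict, dict]:
    """Return (claims, signing JWK) when the header and claims match this tenant
    and app; raise ValueError otherwise. Verify the RS256 signature with the
    returned JWK before acting on the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have header.payload.signature")
    header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    if header.get("alg") != "RS256":  # reject 'none' and algorithm substitution
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    jwk = next((k for k in JWKS["keys"] if k.get("kid") == header.get("kid")), None)
    if jwk is None:  # unknown kid: keys rotate, refresh from jwks_uri, then retry once
        raise ValueError("kid not found in JWKS")
    if claims.get("iss") != METADATA["issuer"]:
        raise ValueError("issuer does not match the metadata document")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token was issued for a different audience")
    if claims.get("tid") != TENANT_ID:
        raise ValueError("token comes from a different tenant")
    if now >= claims.get("exp", 0) or now < claims.get("nbf", 0):
        raise ValueError("token is expired or not yet valid")
    return claims, jwk
```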

