Azure AD OAuth2 Limits

Myles Gallagher
Contributor

Through Office 365 we have Azure AD (basic, I believe). I understand Azure AD supports an OAuth 2.0 flow that can be used in applications, but what limitations are there on this service? I understand that the basic tiers have a limit of "10 apps per user" for SSO. I am a bit confused by this because the language SSO is only used to refer to things like auth through AD FS.

Is there a limit to how many applications can utilize the OAuth 2.0 feature of Azure AD, per user or even globally?

5 Replies

For 3rd party SaaS applications you require Azure AD Premium P1 licenses for SSO and OAuth2.

Well that confirms the worst case. Thanks for your reply. It's unfortunate that so much of the platform is held behind Azure AD Premium P1 licenses. Obviously there is a market where those costs make sense, but for small business P1 would be a 50%-80% increase in total licensing costs, and generally comes with way more than what most want out of it. Considering how much value a business premium license gets you per dollar, P1 simply is disproportionate when considering cost/value.

Oh well, guess we will have to figure some other avenue for nicely integrating some home-grown apps.

As a quick follow-up, if what you say is true, what does this page https://azure.microsoft.com/en-us/pricing/details/active-directory/ mean when it says "10 Apps Per User" under the basic and free tier?

Hmm this must have changed, didn't realise this was now possible for free tier...

"With Azure AD Free and Azure AD Basic, end users who have been assigned access to SaaS apps, can see up to 10 apps in their Access panel and get SSO access to them. Admins can configure SSO and assign user access to as many SaaS apps as they want with Free and Basic however, end users will only see 10 apps in their Access panel at a time."

Is it a SaaS app or a custom internal app published via the Azure app proxy?

It’s not some 3rd party “SaaS” app. It actually doesn’t exist yet, and I don’t fully understand Microsoft’s terminology here. I’m not 100% sure what the role of the app proxy is. If for example, we develop a web application and make it accessible on the internet (but only to authorized individuals, i.e. through Azure AD credentials), is this “proxy” component even needed?

The names obviously mean something because the licensing details include them, I just don’t know the difference between “SaaS” applications from a 3rd party, and some home-grown application. Are all “served” applications that come over the internet considered SaaS now?
