Announcing the public preview for SAML token encryption support

Published Feb 07 2019 09:00 AM 16.3K Views

Howdy folks,

I have some exciting news to share. We are announcing the public preview for support of SAML token encryption in Azure Active Directory (Azure AD). Some organizations need encryption to meet internal security standards or compliance requirements. With this feature, you will be able to encrypt the SAML token that Azure AD sends to the application after a successful authentication.

I should note that tokens are always passed between Azure AD, the client browser, and the application they are destined for using encrypted transport links (HTTPS/TLS), so token contents are never on the wire in the clear regardless of whether token encryption is configured or not.

Now that Azure AD support SAML token encryption, you can go ahead and move applications requiring this capability from AD FS to work directly with Azure AD.

To configure an application registration for encryption:


  1. In the Azure portal, while signed in with a role capable of managing applications, go to the Azure Active Directory > Enterprise applications blade, and then select the application that you wish to configure token encryption.

  2. On the application page, select Token encryption.

    SAML token encryption support 1.png

From there you can upload a public certificate to use with your application. (The certificate you use will depend on your particular application. It may be one you generate and upload on both ends, or one you obtain from the application.)


SAML Token Encryption is a premium (P1/E3) feature. We expect general availability by the of March 2019. See our documentation for configuring an application for SAML token encryption. Let us know what you think in the comments below. As always, we’d love to hear any feedback or suggestions you have.


Best regards,


Alex Simons (@Alex_A_Simons )

Corporate VP of Program Management

Microsoft Identity Division

New Contributor



Is this coming to GCC High as well?


@peter horrigan this is planned for GCC High too. We will update this thread when we have a more concrete ETA.

Senior Member

This is great.  We would like to transition to Azure AD from AD FS and this is a big one.  The other big one for us is being able to add private data into the claim from other sources.  It would be awesome if we could call an Azure function that would take generated Azure AD claims and emit additional claims to add to the token and would replace the need for scenarios that require attribute stores.


@Loren Bain we have created a centralized location to get all the tools and guidance to help you with this transition, please visit: If you have any questions or feedback, please reach out to


Regarding the requirement about using external sources, can you create a feature request here: It helps us to prioritize and engage with you with updates





@Loren Bain I'll message you directly about your Azure function scenarios

Occasional Visitor

Interesting. So why would we need SAML Token encryption if the communication between Azure AD, browser, and app are already encrypted? Sorry if I am missing something just do not see the benefit. Seem like double encryption. 

What about the saml request verification certificate implementation in Azure ad?? In adfs this cert is present in signing tab

New Contributor

Hello all!


Is it possible to change algorithm of the token encryption? Or is it dictated solely by certificate I am using


@Teijo Hämäläinen is dictated by the certificate you're using. We don't allow you to change the algorithm for token encryption. You can change the algorithm for the token signing

Version history
Last update:
‎Jul 24 2020 01:44 AM
Updated by: