SOLVED

Azure AD v2 endpoint

bart vermeersch
Super Contributor

A v2 endpoint to AAD is available as described on https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-limitations

with the advantage of supporting both MSA and AAD as IdP.

When you want to register an app using this endpoint you need to register the app outside Azure on https://apps.dev.microsoft.com/

What was strange to me was that for v1, the registration is at tenant level, while for v2 it is registered at a (personal) account level. I suppose this is to support apps developed outside a particular tenant? How should this be managed exactly? The owner of the account used to register the app can leave the company, and there is no overview of these apps on our tenant to manage them. Or am I missing something?

Thanks!

2 Replies
Solution

Can you just create a service account in Azure AD - as in an account that's called what it's for - and use that in the endpoint config? Then you don't need to worry if someone leaves, or, if it's an on-prem account synced across, that ADFS might be down and unable to support auth?

Thanks, a service account will do indeed!

It was a bit confusing to me that the registration for the v2 endpoint is done in a completely different way, in another portal.
