I have some exciting news to share. We are announcing the public preview for support of SAML token encryption in Azure Active Directory (Azure AD). Some organizations need encryption to meet internal security standards or compliance requirements. With this feature, you will be able to encrypt the SAML token that Azure AD sends to the application after a successful authentication.
I should note that tokens are always passed between Azure AD, the client browser, and the application they are destined for using encrypted transport links (HTTPS/TLS), so token contents are never on the wire in the clear regardless of whether token encryption is configured or not.
Now that Azure AD support SAML token encryption, you can go ahead and move applications requiring this capability from AD FS to work directly with Azure AD.
To configure an application registration for encryption:
In the Azure portal, while signed in with a role capable of managing applications, go to the Azure Active Directory > Enterprise applications blade, and then select the application that you wish to configure token encryption.
On the application page, select Token encryption.
From there you can upload a public certificate to use with your application. (The certificate you use will depend on your particular application. It may be one you generate and upload on both ends, or one you obtain from the application.)
SAML Token Encryption is a premium (P1/E3) feature. We expect general availability by the of March 2019. See our documentation for configuring an application for SAML token encryption. Let us know what you think in the comments below. As always, we’d love to hear any feedback or suggestions you have.