You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/app-service/configure-authentication-provider-aad.md
+5-1Lines changed: 5 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -80,6 +80,8 @@ To use an existing registration, select either:
80
80
81
81
You can also configure the application to [use an identity instead of a client secret][fic-config]. Support for using an identity is currently in preview.
82
82
-**Issuer URL**. This URL takes the form `<authentication-endpoint>/<tenant-id>/v2.0`. Replace `<authentication-endpoint>` with the authentication endpoint [value that's specific to the cloud environment](/entra/identity-platform/authentication-national-cloud#azure-ad-authentication-endpoints). For example, a workforce tenant in global Azure would use `https://login.microsoftonline.com` as its authentication endpoint.
83
+
84
+
You can find this value in the Microsoft Entra admin center. Go to **App registrations**, select your app, and then select **Endpoints**. Copy the **OpenID Connect metadata document** endpoint for your tenant, and then remove `/.well-known/openid-configuration` from the end of the URL. For example, if the metadata endpoint is `https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration`, use `https://login.microsoftonline.com/<tenant-id>/v2.0` as the issuer URL.
83
85
84
86
> [!NOTE]
85
87
> If you created your identity provider using the express setup (Option 1), the issuer URL is automatically set to use the legacy `https://sts.windows.net` endpoint. To align with current Microsoft Entra ID best practices, edit your identity provider and update the issuer URL to use `https://login.microsoftonline.com/<tenant-id>/v2.0` instead.
@@ -169,7 +171,7 @@ To use an existing registration, select **Provide the details of an existing app
169
171
170
172
-**Application (client) ID**
171
173
-**Client secret**
172
-
-**Issuer URL**
174
+
-**Issuer URL**. In the Microsoft Entra admin center, go to **App registrations**, select your app, and then select **Endpoints**. Copy the **OpenID Connect metadata document** endpoint for your tenant, and then remove `/.well-known/openid-configuration` from the end of the URL. For example, if the metadata endpoint is `https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration`, use `https://login.microsoftonline.com/<tenant-id>/v2.0` as the issuer URL.
173
175
174
176
If you need to manually create an app registration in an external tenant, see [Register an app in your external tenant](/entra/external-id/customers/how-to-register-ciam-app?tabs=webapp#register-your-web-app).
175
177
@@ -219,6 +221,8 @@ For **Tenant requirement**, choose whether to:
219
221
- Allow requests from specific tenants.
220
222
- Use default restrictions based on the app registration's tenant.
221
223
224
+
For **Allowed token audiences**, add any audience values that your app should accept in the `aud` claim of incoming access tokens. You commonly need this setting when clients request tokens by using the app registration's **Application ID URI**, such as `api://<application-client-id>` or a custom URI like `https://contoso.com/api`. The app registration's client ID is already accepted by default, so you typically add values here only if your app accepts another audience format.
225
+
222
226
Your app might still need to make other authorization decisions in code. For more information, see [Use a built-in authorization policy](#use-a-built-in-authorization-policy) later in this article.
0 commit comments