Enhanced Client or Proxy Profile Version 2.0, can Azure AD be used as the IdP?

Paul B Hill pbh at mit.edu
Tue Apr 26 15:29:34 UTC 2022

Thank you to Scott and the list. The list provided an accurate response faster than I was able to obtain a response from Microsoft.

Today I received a confirmation from Microsoft that they do not currently support the Enhanced Client or Proxy Profile Version 2.0 when Azure AD is used as the IdP. I was referred to using OIDC for the use case in question. 


-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott via users
Sent: Tuesday, April 19, 2022 12:45 PM
To: Wessel, Keith <kwessel at illinois.edu>; Shib Users <users at shibboleth.net>
Cc: cantor.2 at osu.edu
Subject: Re: Enhanced Client or Proxy Profile Version 2.0, can Azure AD be used as the IdP?

On 4/19/22, 12:40 PM, "Wessel, Keith" <kwessel at illinois.edu> wrote:

>    Amazingly, Okta claims they do. Can't say if it actually works.

Having no evidence I will refrain from expressing an opinion. When I call out a vendor, it's factual.

>    I, too, would be very surprised if Azure AD supported ECP, though. 
> They've mostly adopted OIDC and "sign into work or school" flows for getting the credentials in place to support non-browser interactions.

When you have a browser to hand, I would say web -> nonweb cookie is clearly the best approach at this point.

For other use cases, I would imagine that getting the resource owner password grant implemented would be a good idea. I considered it while I was working on the client credentials grant but it's quite a bit different in a number of ways with regard to how we'd implement it.

-- Scott
