OAuth 2.0 and OpenID Connect (OIDC) are the foundational protocols for modern authentication and authorization in cloud environments, including Microsoft Entra ID (formerly Azure AD). For the SC-900 exam, you must understand the difference between authentication (who you are) and authorization (what you can do), and how these protocols enable secure delegated access. Approximately 15-20% of SC-900 exam questions touch on identity protocols, with OAuth 2.0 and OIDC being the most heavily tested. This chapter provides the deep technical understanding required to answer scenario-based questions correctly.
Jump to a section
Imagine you are a guest at a large hotel (the resource server). You want to access the gym (a protected resource). You do not go directly to the gym with your room key. Instead, you first go to the front desk (the authorization server). You present your room key (your credentials) and ask for a separate gym pass. The front desk checks your room key, verifies you are a guest, and issues a time-limited gym pass (an access token). The gym pass contains a barcode that encodes your access level and expiry time. You then take this pass to the gym, where a scanner (the resource server) reads the barcode but does not know who you are—only that the pass is valid. The gym pass has a limited validity (e.g., 2 hours). If you try to use the pass after it expires, the scanner rejects it and tells you to get a new one from the front desk. This is exactly how OAuth 2.0 works: the client never sees your credentials, only a token scoped to a specific resource. OpenID Connect adds an ID card (ID token) that the front desk issues along with the gym pass—this card contains your name and room number, so the gym can know who you are, not just that you are allowed in.
1. What They Are and Why They Exist
OAuth 2.0 (RFC 6749) is an authorization framework that enables a third-party application to obtain limited access to an HTTP service on behalf of a resource owner. It does this by issuing an access token to the client application, which the client presents to the resource server to access protected resources. OpenID Connect (OIDC) is an authentication layer built on top of OAuth 2.0 (specifically OIDC Core 1.0). It adds an ID token—a JSON Web Token (JWT) that contains claims about the authenticated user's identity.
Before OAuth 2.0, applications often required users to share their passwords directly with third-party apps (the "password anti-pattern"). This was insecure because the app gained full access to the user's account. OAuth 2.0 solves this by allowing the user to grant a scoped, revocable token without sharing credentials. OIDC solves the problem of verifying identity: OAuth 2.0 alone does not provide a standardized way to know who the user is—only that they have authorized access.
2. How They Work Internally
The OAuth 2.0 flow involves four main roles: - Resource Owner: The user who owns the data. - Client: The application requesting access. - Authorization Server (AS): The server that issues tokens after authenticating the resource owner and obtaining authorization (in Entra ID, this is the Microsoft identity platform endpoint). - Resource Server (RS): The server hosting the protected resources (e.g., Microsoft Graph API).
The standard flow (Authorization Code Grant) proceeds as follows:
1. The client redirects the user to the authorization server with a request that includes: client_id, redirect_uri, response_type=code, and scope.
2. The authorization server authenticates the user (e.g., via username/password, MFA) and asks for consent to the requested scopes.
3. Upon consent, the authorization server redirects the user back to the client with an authorization code in the query string.
4. The client sends a POST request to the token endpoint with the authorization code, client credentials, and redirect_uri. The server returns an access token (and optionally a refresh token).
5. The client uses the access token to call the resource server.
OpenID Connect extends this by requesting the openid scope. When the client includes scope=openid, the authorization server returns an ID token alongside the access token. The ID token is a JWT that contains claims such as sub (subject identifier), iss (issuer), aud (audience), exp (expiration), and iat (issued at). The client must validate the ID token by checking the signature (using the public keys from the JWKS endpoint) and the claims.
3. Key Components, Values, Defaults, and Timers
Access Token: A JWT (or opaque string) with a default lifetime of 1 hour in Microsoft Entra ID. Can be configured between 10 minutes and 24 hours via Conditional Access or token lifetime policies. The token includes aud, iss, exp, iat, scp (scopes), and appid (client ID).
ID Token: A JWT with a default lifetime of 1 hour. Contains sub, iss, aud, exp, iat, nonce, auth_time, acr (authentication context class reference), and amr (authentication methods reference).
Refresh Token: Opaque string with a default lifetime of 90 days of inactivity (in Entra ID). If not used for 90 days, it expires. Can be revoked by user or admin.
Authorization Code: Short-lived (typically 10 minutes). Must be redeemed once; if intercepted, cannot be reused.
Scopes: In OAuth 2.0, scopes define the permissions the client requests. In Microsoft Graph, common scopes include User.Read, Mail.Read, Files.Read.All. For OIDC, the openid scope is mandatory; profile and email are common additional scopes.
Client Credentials Grant: Used for application-to-application (daemon) scenarios. No user involved. The client authenticates directly with its own credentials (client secret or certificate) to obtain an access token.
On-Behalf-Of (OBO) Flow: Allows a middle-tier service to obtain tokens on behalf of the user to call downstream services. Uses the urn:ietf:params:oauth:grant-type:jwt-bearer grant type.
4. Configuration and Verification Commands
In Azure, you can configure OAuth 2.0 settings in the App Registration blade. Key settings include: - Redirect URIs: Must be exact match, including protocol and trailing slash. - Implicit grant: Legacy; should be avoided. Allows returning tokens directly in the URL fragment for SPAs. - Certificates & secrets: Client secrets (string) or certificates (X.509) for client authentication. - API permissions: Define required scopes and grant admin consent.
To verify token content, use a JWT decoder (e.g., jwt.ms). For example, an access token decoded looks like:
{
"aud": "https://graph.microsoft.com",
"iss": "https://sts.windows.net/{tenant-id}/",
"iat": 1680000000,
"nbf": 1680000000,
"exp": 1680003600,
"appid": "00001111-aaaa-2222-bbbb-3333cccc4444",
"scp": "User.Read Mail.Read",
"sub": "...",
"tid": "...",
"ver": "2.0"
}To test the flow, you can use the Microsoft Authentication Library (MSAL) or tools like Postman with the OAuth 2.0 authorization code grant.
5. Interaction with Related Technologies
OAuth 2.0 and OIDC are the foundation for almost all modern authentication in Entra ID. They integrate with: - Conditional Access: Policies can require specific authentication strengths (e.g., MFA) or block certain locations. The authorization server enforces these policies during token issuance. - Microsoft Graph: The resource server that validates access tokens for Microsoft 365 data. - Azure AD B2C: A separate service that uses the same protocols but allows custom user journeys and social identity providers. - Federation (e.g., AD FS): When federated, the Entra ID authorization server redirects to the on-premises STS for authentication, but the token issuance still follows OAuth 2.0/OIDC. - Managed Identities: Use a variant of the client credentials grant; Azure automatically manages the token acquisition for Azure resources like VMs and Functions.
6. Security Considerations
Client Secrets: Should be rotated regularly. Prefer certificate-based authentication for higher security.
Redirect URIs: Must use HTTPS except for localhost development. Open redirectors can be exploited.
State Parameter: Should be used to prevent CSRF attacks. The authorization server returns the state value unchanged.
Nonce: In OIDC, the nonce parameter in the request is included in the ID token to prevent replay attacks.
Token Binding: Not widely used, but can bind tokens to the TLS connection.
7. Common Exam Traps
OAuth 2.0 is for authorization, OIDC is for authentication. The exam will test whether you know that OAuth 2.0 alone does not identify the user; OIDC adds identity.
Access tokens are opaque to the client. The client should not parse an access token; it should treat it as a string. Only the resource server should decode it.
Refresh tokens are not part of OAuth 2.0 core. They are defined in a separate RFC (RCF 6749 does not mandate refresh tokens; they are optional). Entra ID issues them by default for the authorization code grant.
Implicit grant is deprecated. The exam may ask about the recommended flow for SPAs: the authorization code grant with PKCE.
8. Summary of Flows in Entra ID
Authorization Code Grant (with PKCE): Recommended for web apps and SPAs.
Client Credentials Grant: For daemon apps.
On-Behalf-Of Flow: For middle-tier APIs.
Device Authorization Grant: For devices with limited input (e.g., IoT).
Resource Owner Password Credentials Grant: Not recommended; requires high trust and does not support MFA. Entra ID blocks it by default for new tenants.
Understanding these flows and their use cases is critical for SC-900 scenario questions.
Client initiates authorization request
The client application constructs a URL to the authorization server's `/authorize` endpoint. The URL includes query parameters: `client_id` (the application's ID in Entra ID), `response_type=code` (for authorization code grant), `redirect_uri` (where the user will be sent after authentication), `scope` (e.g., `openid profile email User.Read`), and `state` (a unique value to prevent CSRF). The client redirects the user's browser to this URL. In Entra ID, the endpoint is `https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize`. The user sees the Microsoft login page.
User authenticates and consents
The authorization server (Entra ID) presents the login page. The user enters credentials. If MFA is required by Conditional Access, the user completes additional verification. After successful authentication, the server checks if the client has been granted consent for the requested scopes. If not, the user sees a consent screen listing the permissions. The user can accept or deny. If denied, the server redirects back to the client with an error. If accepted, the server proceeds.
Authorization code returned to client
The authorization server redirects the user's browser to the `redirect_uri` with a query parameter `code` containing the authorization code. The code is a short-lived (10 minutes) one-time use string. The redirect also includes the `state` parameter unchanged. The client must verify that the returned `state` matches the one it sent to prevent CSRF. The client now has the authorization code but cannot use it directly—it must exchange it for tokens.
Client exchanges code for tokens
The client makes a POST request to the token endpoint `https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token`. The body includes `grant_type=authorization_code`, `code` (the authorization code), `redirect_uri` (must match the original), and `client_id`. The client also authenticates itself using a client secret or certificate. The server validates the code, ensures it hasn't been redeemed, and issues an access token, an ID token (if `openid` scope was requested), and optionally a refresh token. The response is JSON.
Client uses access token to access resources
The client includes the access token in the `Authorization` header of HTTP requests to the resource server (e.g., Microsoft Graph API) as a Bearer token. The header looks like `Authorization: Bearer eyJ0eXAiOiJKV1Qi...`. The resource server validates the token: checks the signature against the JWKS endpoint, verifies the `aud` claim matches its own identifier, checks `exp` is not expired, and ensures the `scp` claim contains the required scopes. If valid, the server returns the requested data.
Enterprise Scenario 1: Single-Page Application (SPA) Accessing Microsoft Graph
A company builds a React SPA that reads user calendar events from Microsoft Graph. The app uses MSAL.js to implement the authorization code grant with PKCE. The redirect URI is registered as https://app.contoso.com/callback. The app requests scopes openid profile User.Read Calendars.Read. When a user signs in, they are redirected to Entra ID, authenticate with MFA (enforced by Conditional Access), and consent. The app receives an authorization code, exchanges it for tokens, and uses the access token to call Graph. The access token expires after 1 hour; the app uses the refresh token to silently acquire a new token. Common issues: incorrect redirect URI (trailing slash mismatch), expired client secret, or missing admin consent for delegated permissions.
Enterprise Scenario 2: Daemon Service Calling Microsoft Graph
A background service needs to read all users' profiles in the tenant. No user interaction is possible. The app uses the client credentials grant. The app registers a client secret and requests application permissions (e.g., User.Read.All). An admin must grant admin consent for this permission because it allows access to all users. The app authenticates directly to the token endpoint with its client credentials and receives an access token. The token has no user context; the sub claim is the app's service principal. The service then calls Graph with this token. Performance consideration: token acquisition is fast (milliseconds), but the token must be cached to avoid hitting rate limits. Misconfiguration: if the client secret is exposed, an attacker can obtain tokens with high privileges. Best practice: use certificate-based authentication and rotate secrets regularly.
Enterprise Scenario 3: Multi-Tier API Using On-Behalf-Of Flow
A web API (middle-tier) receives a request from a client app and needs to call another downstream API (e.g., Microsoft Graph) on behalf of the original user. The web API receives an access token scoped for its own API. It then uses the On-Behalf-Of flow: it sends a POST to the token endpoint with grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer, assertion (the incoming token), scope (e.g., User.Read), and client_id/client_secret. Entra ID validates the incoming token and issues a new access token for the downstream API. The web API must be configured as an 'exposed API' with appropriate scopes and have permissions to the downstream API. Common failure: the incoming token's aud does not match the middle-tier API's client ID, or the middle-tier API lacks delegated permissions.
SC-900 Objective 2.1: Describe the authentication and authorization capabilities of Microsoft Entra ID. This includes understanding OAuth 2.0 and OpenID Connect as the protocols used for authorization and authentication respectively. The exam expects you to:
Distinguish between authentication (OIDC) and authorization (OAuth 2.0).
Identify the correct flow for a given scenario (e.g., daemon app uses client credentials, SPA uses authorization code with PKCE).
Recognize the purpose of tokens: access token (authorization), ID token (authentication), refresh token (obtain new tokens).
Know that OAuth 2.0 is an authorization framework, not an authentication protocol.
Understand that OpenID Connect adds an ID token and the openid scope.
Common Wrong Answers: 1. "OAuth 2.0 is used for authentication." - Wrong because OAuth 2.0 is for authorization only. Candidates confuse the fact that OAuth 2.0 involves user login, but the protocol itself does not provide identity information. 2. "The ID token is used to access resources." - Wrong. The ID token is for the client to authenticate the user; the access token is used to access resources. Candidates often mix up the two tokens. 3. "Refresh tokens are part of the OAuth 2.0 core specification." - Wrong. Refresh tokens are optional and defined in a separate RFC. Many candidates assume they are always present. 4. "The implicit grant is the recommended flow for SPAs." - Wrong. The implicit grant is deprecated due to security concerns; the authorization code grant with PKCE is now recommended. The exam may test this.
Specific Numbers and Terms:
Default access token lifetime: 1 hour (60 minutes).
Default refresh token lifetime: 90 days of inactivity.
Authorization code lifetime: 10 minutes.
The openid scope is required for OIDC.
Token endpoint: /oauth2/v2.0/token.
Authorize endpoint: /oauth2/v2.0/authorize.
Edge Cases:
If a client uses the authorization code grant without PKCE and the authorization code is intercepted, it can be exchanged by an attacker. PKCE (Proof Key for Code Exchange) mitigates this by binding the code to the original client.
When using client credentials, there is no user, so refresh tokens are not issued.
Conditional Access policies can be evaluated during token issuance, affecting whether the token is granted even if credentials are valid.
How to Eliminate Wrong Answers:
If the question mentions "identity" or "who the user is," the answer likely involves OIDC or ID tokens.
If the question mentions "access to a resource" or "permissions," it is about OAuth 2.0 or access tokens.
If the scenario has no user (daemon), the answer is client credentials grant.
If the scenario involves a mobile or SPA, look for PKCE.
OAuth 2.0 is for authorization; OpenID Connect is for authentication.
Access tokens authorize access to resources; ID tokens authenticate the user.
Default access token lifetime in Entra ID is 1 hour; refresh tokens expire after 90 days of inactivity.
The authorization code grant with PKCE is the recommended flow for SPAs and mobile apps.
Client credentials grant is used for daemon apps with no user context.
The 'openid' scope is required to obtain an ID token.
Authorization codes are valid for 10 minutes and can only be used once.
These come up on the exam all the time. Here's how to tell them apart.
OAuth 2.0
Authorization framework only
Issues access tokens
Does not define user identity
Scopes define resource access
RFC 6749
OpenID Connect
Authentication layer on top of OAuth 2.0
Issues ID tokens (JWT) with identity claims
Provides user authentication
Uses 'openid' scope
OIDC Core 1.0
Mistake
OAuth 2.0 is an authentication protocol.
Correct
OAuth 2.0 is an authorization framework. It does not provide the client with information about the user's identity. Authentication is provided by OpenID Connect, which adds an ID token containing identity claims.
Mistake
The access token is used to identify the user.
Correct
The access token is for authorization—it grants access to resources. The resource server uses it to check permissions, not identity. The ID token is for identity.
Mistake
Refresh tokens never expire.
Correct
In Microsoft Entra ID, refresh tokens expire after 90 days of inactivity. They can also be revoked by user or admin action.
Mistake
The implicit grant is the best flow for single-page applications.
Correct
The implicit grant is deprecated due to security risks (token in URL fragment). The recommended flow is the authorization code grant with PKCE.
Mistake
Client credentials grant can be used for user delegation scenarios.
Correct
Client credentials grant is for daemon apps that act as themselves, not on behalf of a user. For user delegation, use authorization code grant or on-behalf-of flow.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
OAuth 2.0 is an authorization framework that allows a client to obtain an access token to access resources on behalf of a resource owner. It does not provide identity information. OpenID Connect is an authentication protocol built on OAuth 2.0 that adds an ID token, which contains claims about the user's identity. In short, OAuth 2.0 answers 'what can you do?' while OIDC answers 'who are you?'.
The ID token is a JSON Web Token (JWT) that contains claims about the authenticated user, such as subject identifier, issuer, audience, and authentication time. The client uses the ID token to verify the user's identity. It should not be used for authorization; that is the role of the access token.
PKCE (Proof Key for Code Exchange) is an extension to the authorization code grant to prevent authorization code interception attacks. The client creates a cryptographically random code verifier and its challenge, and sends the challenge when requesting the authorization code. When exchanging the code for tokens, the client sends the verifier; the server verifies it matches the challenge. This ensures that even if the authorization code is intercepted, it cannot be exchanged without the verifier.
By default, access tokens in Microsoft Entra ID are valid for 1 hour (60 minutes). This can be configured using token lifetime policies in Conditional Access or via PowerShell, with a range from 10 minutes to 24 hours.
The client credentials grant is used for server-to-server (daemon) scenarios where the application needs to access resources on its own behalf, not on behalf of a user. The client authenticates using its own credentials (client secret or certificate) and receives an access token. No user is involved, so no refresh token is issued.
Yes. OAuth 2.0 can be used alone for authorization only. For example, a daemon app using client credentials grant does not need OIDC because there is no user to authenticate. However, if you need to know who the user is, you must use OIDC.
The 'state' parameter is a unique, non-guessable value generated by the client and sent in the authorization request. It is returned unchanged by the authorization server. The client verifies that the returned state matches the sent state to prevent cross-site request forgery (CSRF) attacks.
You've just covered OAuth 2.0 and OpenID Connect in Entra — now see how well it sticks with free SC-900 practice questions. Full explanations included, no account needed.
Done with this chapter?