You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This article highlights best practices, recommendations, and common oversights when integrating with the Microsoft identity platform. This checklist will guide you to a high-quality and secure integration. Review this list on a regular basis to make sure you maintain the quality and security of your app’s integration with the identity platform. The checklist isn't intended to review your entire application. The contents of the checklist are subject to change as we make improvements to the platform.
22
22
23
-
If you’re just getting started, check out the [Microsoft identity platform documentation](index.yml) to learn about authentication basics, application scenarios in the Microsoft identity platform, and more.
23
+
If you're just getting started, check out the [Microsoft identity platform documentation](index.yml) to learn about authentication basics, application scenarios in the Microsoft identity platform, and more.
24
24
25
25
Use the following checklist to ensure that your application is effectively integrated with the [Microsoft identity platform](./index.yml).
26
26
27
27
> [!TIP]
28
-
> The *Integration assistant*in the Azure portal can help you apply many of these best practices and recommendations. Select any of your [app registrations](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade) in the Azure portal, and then select the **Integration assistant** menu item to get started with the assistant.
28
+
> The *Integration assistant* can help you apply many of these best practices and recommendations. Select any of your app registrations, and then select the **Integration assistant** menu item to get started with the assistant.
29
29
30
30
## Basics
31
31
@@ -39,7 +39,7 @@ Use the following checklist to ensure that your application is effectively integ
39
39
40
40
 Adhere to the [Branding guidelines for applications](/azure/active-directory/develop/howto-add-branding-in-apps).
41
41
42
-
 Provide a meaningful name and logo for your application. This information appears on your [application’s consent prompt](application-consent-experience.md). Make sure your name and logo are representative of your company/product so that users can make informed decisions. Ensure that you're not violating any trademarks.
42
+
 Provide a meaningful name and logo for your application. This information appears on your [application's consent prompt](application-consent-experience.md). Make sure your name and logo are representative of your company/product so that users can make informed decisions. Ensure that you're not violating any trademarks.
43
43
44
44
## Privacy
45
45
@@ -53,7 +53,7 @@ Use the following checklist to ensure that your application is effectively integ
53
53
54
54
 Don't enable support for the [OAuth2 implicit grant flow](v2-oauth2-implicit-grant-flow.md) unless explicitly required. Learn about the valid scenario [here](v2-oauth2-implicit-grant-flow.md#suitable-scenarios-for-the-oauth2-implicit-grant).
55
55
56
-
 Move beyond username/password. Don't use [resource owner password credential flow (ROPC)](v2-oauth-ropc.md), which directly handles users’ passwords. This flow requires a high degree of trust and user exposure and should only be used when other, more secure, flows can't be used. This flow is still needed in some scenarios (like DevOps), but beware that using it will impose constraints on your application. For more modern approaches, read [Authentication flows and application scenarios](authentication-flows-app-scenarios.md).
56
+
 Move beyond username/password. Don't use [resource owner password credential flow (ROPC)](v2-oauth-ropc.md), which directly handles users' passwords. This flow requires a high degree of trust and user exposure and should only be used when other, more secure, flows can't be used. This flow is still needed in some scenarios (like DevOps), but beware that using it will impose constraints on your application. For more modern approaches, read [Authentication flows and application scenarios](authentication-flows-app-scenarios.md).
57
57
58
58
 Protect and manage your confidential app credentials for web apps, web APIs and daemon apps. Use [certificate credentials](./certificate-credentials.md), not password credentials (client secrets). If you must use a password credential, don't set it manually. Don't store credentials in code or config, and never allow them to be handled by humans. If possible, use [managed identities for Azure resources](../managed-identities-azure-resources/overview.md) or [Azure Key Vault](../../key-vault/general/basic-concepts.md) to store and regularly rotate your credentials.
59
59
@@ -67,9 +67,9 @@ Use the following checklist to ensure that your application is effectively integ
67
67
68
68
 Don't program directly against protocols such as OAuth 2.0 and Open ID. Instead, leverage the [Microsoft Authentication Library (MSAL)](msal-overview.md). The MSAL libraries securely wrap security protocols in an easy-to-use library, and you get built-in support for [Conditional Access](../conditional-access/overview.md) scenarios, device-wide [single sign-on (SSO)](../manage-apps/what-is-single-sign-on.md), and built-in token caching support. For more info, see the list of Microsoft-supported [client libraries](reference-v2-libraries.md). If you must hand-code for the authentication protocols, you should follow the [Microsoft SDL](https://www.microsoft.com/sdl/default.aspx) or similar development methodology. Pay close attention to the security considerations in the standards specifications for each protocol.
69
69
70
-
 Migrate existing apps from Azure Active Directory Authentication Library (ADAL) to the [Microsoft Authentication Library](/entra/msal). MSAL is Microsoft’s latest identity platform solution and is available on .NET, JavaScript, Android, iOS, macOS, Python, and Java. Read more about migrating [ADAL.NET](msal-net-migration.md), [ADAL.js](msal-compare-msal-js-and-adal-js.md), and [ADAL.NET and iOS broker](msal-net-migration-ios-broker.md) apps.
70
+
 Migrate existing apps from Azure Active Directory Authentication Library (ADAL) to the [Microsoft Authentication Library](/entra/msal). MSAL is Microsoft's latest identity platform solution and is available on .NET, JavaScript, Android, iOS, macOS, Python, and Java. Read more about migrating [ADAL.NET](msal-net-migration.md), [ADAL.js](msal-compare-msal-js-and-adal-js.md), and [ADAL.NET and iOS broker](msal-net-migration-ios-broker.md) apps.
71
71
72
-
 For mobile apps, configure each platform using the application registration experience. In order for your application to take advantage of the Microsoft Authenticator or Microsoft Company Portal for single sign-in, your app needs a “broker redirect URI” configured. This allows Microsoft to return control to your application after authentication. When configuring each platform, the app registration experience will guide you through the process. Use the quickstart to download a working example. On iOS, use brokers and system webview whenever possible.
72
+
 For mobile apps, configure each platform using the application registration experience. In order for your application to take advantage of the Microsoft Authenticator or Microsoft Company Portal for single sign-in, your app needs a "broker redirect URI" configured. This allows Microsoft to return control to your application after authentication. When configuring each platform, the app registration experience will guide you through the process. Use the quickstart to download a working example. On iOS, use brokers and system webview whenever possible.
73
73
74
74
 In web apps or web APIs, keep one token cache per account. For web apps, the token cache should be keyed by the account ID. For web APIs, the account should be keyed by the hash of the token used to call the API. MSAL.NET provides custom token cache serialization in the .NET Framework and .NET Core subplatforms. For security and performance reasons, our recommendation is to serialize one cache per user. For more information, read about [token cache serialization](msal-net-token-cache-serialization.md).
75
75
@@ -83,17 +83,17 @@ Use the following checklist to ensure that your application is effectively integ
83
83
84
84
 Minimize the number of times a user needs to enter login credentials while using your app by attempting silent authentication (silent token acquisition) before interactive flows.
85
85
86
-
 Don't use “prompt=consent” for every sign-in. Only use prompt=consent if you’ve determined that you need to ask for consent for additional permissions (for example, if you’ve changed your app’s required permissions).
86
+
 Don't use "prompt=consent" for every sign-in. Only use prompt=consent if you've determined that you need to ask for consent for additional permissions (for example, if you've changed your app's required permissions).
87
87
88
88
 Where applicable, enrich your application with user data. Using the [Microsoft Graph API](https://developer.microsoft.com/graph) is an easy way to do this. The [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) tool that can help you get started.
89
89
90
90
 Register the full set of permissions that your app requires so admins can grant consent easily to their tenant. Use [incremental consent](./permissions-consent-overview.md#consent) at run time to help users understand why your app is requesting permissions that may concern or confuse users when requested on first start.
91
91
92
-
 Implement a [clean single sign-out experience](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC/1-6-SignOut). It’s a privacy and a security requirement, and makes for a good user experience.
92
+
 Implement a [clean single sign-out experience](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC/1-6-SignOut). It's a privacy and a security requirement, and makes for a good user experience.
93
93
94
94
## Testing
95
95
96
-
 Test for [Conditional Access policies](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC/1-6-SignOut) that may affect your users’ ability to use your application.
96
+
 Test for [Conditional Access policies](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC/1-6-SignOut) that may affect your users' ability to use your application.
97
97
98
98
 Test your application with all possible accounts that you plan to support (for example, work or school accounts, personal Microsoft accounts, child accounts, and sovereign accounts).
![prmerger-automator[bot]](https://avatars.githubusercontent.com/u/22479449?v=4&size=40){kind=avatar}
0 commit comments