I'm trying to integrate a custom app with Entra (previously Azure AD) using SCIM to handle deactivation of users, but I need some advice on the security of the connection.
Microsoft offers two ways of securing the connection:
- A long-lived bearer token
- Microsoft Entra bearer token
The first option is relatively simple, but, is not really something I'd prefer to use since you need to trust the handling of the stored token. If I'm gonna generate the token I need to send it securely to my customer, and there is no way I can know for sure if incidents occur because the customer handled the token badly.
So, I was looking into the second option, which looks like a dynamic JWT token, with sufficient information to identify the requests coming from the right tenant, which we should (or so I assume) be able to verify using public keys served by Azure. But... the paragraph on the Microsoft Entra token ends with: "The token generated by the Microsoft Entra provisioning service should only be used for testing. It shouldn't be used in production environments." And I can't understand why this line was added, as to me in theory it sounds like the most secure one of the two?
The second option has some nuanced security issues that don't make it suitable for production usage, hence the note in the documentation.
Your application needs to generate long-lived bearer tokens for your customers if it is being used via the AAD/Entra custom non-gallery application's generic SCIM connector. If this is a multi-tenant app and you intend to list it in the Entra Enterprise Application Gallery, the gallery integration can be configured to support OAuth 2.0 Authorization Code Grant flow or Client Credential Grant flow.
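As an added example (not code from the question, the answer, or Microsoft), here is the server-side handling the long-lived bearer token option requires: the token is issued once per tenant, only a hash of it is stored, and each SCIM request is checked with a constant-time comparison plus expiry and revocation. The tenant ids, token format and in-memory store are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory store keyed by token id; a real service would use a
# database row per tenant. Only the SHA-256 digest of the secret part is kept,
# so a leaked store does not yield usable bearer tokens.
_TOKENS = {}


def issue_scim_token(tenant_id, lifetime_days=90):
    """Create a long-lived bearer token for one customer tenant.

    Returns the token string "<token_id>.<secret>", which is the only time
    the secret is visible; hand it to the customer over a secure channel.
    """
    token_id = secrets.token_urlsafe(8)
    secret = secrets.token_urlsafe(32)
    _TOKENS[token_id] = {
        "tenant_id": tenant_id,
        "digest": hashlib.sha256(secret.encode()).hexdigest(),
        "expires_at": time.time() + lifetime_days * 86400,
        "revoked": False,
    }
    return f"{token_id}.{secret}"


def revoke_scim_token(token):
    """Revoke a token immediately, e.g. after a suspected customer-side leak."""
    token_id = token.partition(".")[0]
    if token_id in _TOKENS:
        _TOKENS[token_id]["revoked"] = True


def authenticate(authorization_header):
    """Return the tenant id for a valid 'Authorization: Bearer ...' header, else None."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return None
    token = authorization_header[len("Bearer "):].strip()
    token_id, sep, secret = token.partition(".")
    if not sep:
        return None
    record = _TOKENS.get(token_id)
    if record is None or record["revoked"] or time.time() > record["expires_at"]:
        return None
    presented = hashlib.sha256(secret.encode()).hexdigest()
    # Constant-time comparison so the digest cannot be probed via timing.
    if not hmac.compare_digest(presented, record["digest"]):
        return None
    return record["tenant_id"]
```

The returned tenant id is what scopes every subsequent SCIM deprovisioning call, so a token from one customer can never act on another's users.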