Skip to main content

Technical Support Changes in Entra ID

This topic highlights features which PwC Identity supported in ForgeRock, but which are no longer supported in Entra ID, whether due to Microsoft architecture or PwCID design decision.

IMPORTANT NOTE - Logout Functionality

A finding was reported around "improper logout functionality" for the Entra ID service. An approved exception (FND-58258) for the identified risk is in place which is valid until July 2026.

While the exception is in place, the Identity Services team is working with the ISP Committee to update the wording for ISP Controls Standard AC2.1.2 (f) to reflect our newer technologies, such as SaaS services.


The table below outlines each feature, pointing teams in the right direction for moving forward with their Entra ID migration(s):

Legacy FeatureStatusGo-Forward Guidance
Application Testing
Production vs. Non-Production Environments
PwC user data is no longer identical across Prod / Non-Prod environmentsRefer to the topic on Application Testing by Environment
External User Accounts & Invitations / Federated Guest UsersUnlike Forgerock OpenAM, Entra ID requires guest accounts to be registered for direct federation or B2B to work.

Client guest users are required to redeem the B2B guest invitation before being granted access to a given application.
Users can follow this Microsoft guide or use this direct link to redeem their invitation.

This docusite topic contains guidance around external user registration, while also broadly covering external user types, their management, and lifecycles in Entra ID.

Federated Guest Users: Refer to this subsection of the same article, which includes links to the user experience for these users.
LDAP
Lightweight Directory Access Protocol
Not Supported in Entra IDRefer to this site's LDAP guidance for technical considerations and next steps
Logout FunctionalityEntra ID's approach to user logouts raised a security finding related to the ISP.While an approved, but temporary exception is in place, refer to the ⚠️ Logout Functionality callout at the top of this article for complete details.
OAuth:
Implicit Grant Flow
No Longer SupportedImplement Authorization Code Flow with PKCE, even for browser-based applications.
OAuth Applications:
Sub claims
The Sub claim for OAuth apps no longer provides the PwC Global User ID (GUID) value. In Entra, 'Sub' is a restricted claim and should not be used to uniquely identify the user.For details, please read Use claims to reliably identify a user.
OAuth Client SecretsOnly valid in Entra ID 12 months by default and can be valid for a maximum duration of 24 months.For details, see Entra ID Client Secrets and Certificates Guide.
PwCPPI
an identity attribute for uniquely identifying application users
Not Supported in Entra ID for apps with external usersRefer to this article for options on implementing new unique identifiers.
Refresh tokensNot issued by Entra in a JWT format, like PwC ID (ForgeRock) does.The application should not attempt to decode an Entra refresh token.