Technical Support Changes in Entra ID
This topic highlights features which PwC Identity supported in ForgeRock, but which are no longer supported in Entra ID, whether due to Microsoft architecture or PwCID design decision.
A finding was reported around "improper logout functionality" for the Entra ID service. An approved exception (FND-58258) for the identified risk is in place which is valid until July 2026.
While the exception is in place, the Identity Services team is working with the ISP Committee to update the wording for ISP Controls Standard AC2.1.2 (f) to reflect our newer technologies, such as SaaS services.
In the interim, we are recommending to implement the following controls:
Primary Control
Applications which are external facing and/or store highly confidential data must automatically revalidate or timeout an inactive session after 15 minutes.
Secondary Control
Implement MFA for additional security protection to reduce the risk of unauthorized access
The table below outlines each feature, pointing teams in the right direction for moving forward with their Entra ID migration(s):
| Legacy Feature | Status | Go-Forward Guidance |
|---|---|---|
| Application Testing Production vs. Non-Production Environments | PwC user data is no longer identical across Prod / Non-Prod environments | Refer to the topic on Application Testing by Environment |
| External User Accounts & Invitations / Federated Guest Users | Unlike Forgerock OpenAM, Entra ID requires guest accounts to be registered for direct federation or B2B to work. Client guest users are required to redeem the B2B guest invitation before being granted access to a given application. | Users can follow this Microsoft guide or use this direct link to redeem their invitation. This docusite topic contains guidance around external user registration, while also broadly covering external user types, their management, and lifecycles in Entra ID. Federated Guest Users: Refer to this subsection of the same article, which includes links to the user experience for these users. |
| LDAP Lightweight Directory Access Protocol | Not Supported in Entra ID | Refer to this site's LDAP guidance for technical considerations and next steps |
| Logout Functionality | Entra ID's approach to user logouts raised a security finding related to the ISP. | While an approved, but temporary exception is in place, refer to the ⚠️ Logout Functionality callout at the top of this article for complete details. |
| OAuth: Implicit Grant Flow | No Longer Supported | Implement Authorization Code Flow with PKCE, even for browser-based applications. |
OAuth Applications:Sub claims | The Sub claim for OAuth apps no longer provides the PwC Global User ID (GUID) value. In Entra, 'Sub' is a restricted claim and should not be used to uniquely identify the user. | For details, please read Use claims to reliably identify a user. |
| OAuth Client Secrets | Only valid in Entra ID 12 months by default and can be valid for a maximum duration of 24 months. | For details, see Entra ID Client Secrets and Certificates Guide. |
| PwCPPI an identity attribute for uniquely identifying application users | Not Supported in Entra ID for apps with external users | Refer to this article for options on implementing new unique identifiers. |
| Refresh tokens | Not issued by Entra in a JWT format, like PwC ID (ForgeRock) does. | The application should not attempt to decode an Entra refresh token. |