---
alias: operation-guide-security-portal-strategy-azuread
description: "This documentation outlines OAuth 2.0 authorization flows for secure API access"
---

# Microsoft Entra ID

This strategy authenticates against Microsoft Entra ID (formerly Azure Active Directory), the directory and identity service hosted in the Microsoft Azure cloud.

The OAuth 2.0 specification is a flexible authorization framework that describes a number of methods (grants) by which a client application can acquire an access token, which represents the permission granted to a specific client to access a resource owner's data. The token is then presented to an API endpoint (typically as a bearer token in the `Authorization` header) to authorize the request.

Simply put, the Authorization Code flow works as follows: the client application makes an authorization request to the authorization endpoint, receives a short-lived authorization code, and makes a token request to the token endpoint using that code, resulting in an access token. If the access token expires, the client can request a new one from the token endpoint using the `refresh_token` grant type, provided a refresh token was issued together with the original access token.

![Authorization Flow Refresh Token][authorizationFlowRefresh]

For additional security, client applications can use the OAuth 2.0 Authorization Code flow with the Proof Key for Code Exchange (PKCE) extension, which mitigates authorization code interception attacks: an attacker who captures the redirect carrying the authorization code cannot exchange it for a token. The calling application creates a secret called the Code Verifier and derives from it a transformed value called the Code Challenge (with the recommended `S256` method, the base64url-encoded SHA-256 hash of the verifier). The Code Challenge is sent with the authorization request, and the authorization server stores it alongside the Authorization Code it issues. When the application redeems the code at the token endpoint it includes the Code Verifier, and the server checks that the verifier matches the stored challenge. This way, a malicious attacker can only intercept the Authorization Code, and they cannot exchange it for a token without the Code Verifier, which never leaves the client.

![Authorization Flow PKCE][authorizationFlowPKCE]

Furthermore, there are two options for configuring the application:

1. Create a custom package to define the `client_secret` (as it is not yet possible to define the secret through DevOps Center installations). The secret must be stored server-side only; it belongs to a confidential client and must never be embedded in a public client.

    !!! note
        Defining the client secret via DevOps Center will be possible in a future version.

2. Configure the application as a **Mobile and desktop application** (a public client, which is issued no secret) to use PKCE authentication.

[authorizationFlowRefresh]: ../../images/security_portal_oauth2_authorizationflow_refresh.jpg
[authorizationFlowPKCE]: ../../images/security_portal_oauth2_authorizationflow_pkce.png
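The following is an added example, not code from the original page or from the product it documents. It shows the Authorization Code flow with PKCE and the `refresh_token` grant described above against the Microsoft Entra ID v2.0 endpoints, and contrasts the public-client (PKCE) token request with the confidential-client (`client_secret`) one. The tenant ID, client ID, redirect URI and scopes are placeholders; no network requests are made. The `server_accepts` function reproduces the check the authorization server performs at the token endpoint, so you can see why an intercepted code alone is useless to an attacker.

```python
"""Authorization Code flow with PKCE and refresh against Microsoft Entra ID (added example).

Endpoint paths and parameter names follow the Entra ID v2.0 endpoint and RFC 6749 / RFC 7636.
TENANT_ID, CLIENT_ID, REDIRECT_URI and SCOPES are placeholder values (assumptions).
"""
import base64
import hashlib
import secrets
from urllib.parse import urlencode

TENANT_ID = "common"                                    # assumption: use your tenant ID or domain
CLIENT_ID = "00000000-0000-0000-0000-000000000000"     # assumption: placeholder app (client) ID
REDIRECT_URI = "http://localhost:8400/callback"         # assumption: placeholder redirect URI
SCOPES = ["openid", "profile", "offline_access"]        # offline_access requests a refresh token

AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy secret kept by the client; 32 random bytes give 43 chars (RFC 7636 minimum)."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(challenge: str, state: str) -> str:
    """Authorization request sent via the browser: carries the challenge, never the verifier."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(SCOPES),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/authorize?{urlencode(params)}"


def build_public_client_token_request(code: str, verifier: str) -> dict:
    """Option 2 (Mobile and desktop application): redeem the code with the verifier, no secret."""
    return {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,
    }


def build_confidential_client_token_request(code: str, client_secret: str) -> dict:
    """Option 1 (custom package): redeem the code with a server-side client_secret."""
    return {
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
    }


def build_refresh_request(refresh_token: str) -> dict:
    """Refresh an expired access token at the same token endpoint with grant_type=refresh_token."""
    return {
        "client_id": CLIENT_ID,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "scope": " ".join(SCOPES),
    }


def server_accepts(stored_challenge: str, presented_verifier: str) -> bool:
    """What the authorization server checks at the token endpoint for a PKCE-bound code."""
    return secrets.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    print(build_authorization_url(challenge, state=secrets.token_urlsafe(16)))
    print(f"{AUTHORITY}/token", build_public_client_token_request("<code>", verifier))
    # An attacker holding only the intercepted code has to guess the verifier:
    print("attacker accepted:", server_accepts(challenge, make_code_verifier()))
    print("legitimate client accepted:", server_accepts(challenge, verifier))
```

The token endpoint is `AUTHORITY + "/token"` and expects the dictionaries above as `application/x-www-form-urlencoded` bodies. Always request the `S256` challenge method; the `plain` method sends the verifier itself in the authorization request and offers no protection against interception.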