From 57351609426ef5bdbf1e7370e347c3a1c786c84b Mon Sep 17 00:00:00 2001 From: Denis Mishin Date: Tue, 10 Dec 2024 12:32:29 -0500 Subject: [PATCH 1/2] oidc/azure: add a note to get v2 tokens Adds a note to obtain V2 tokens in Microsoft Entra. --- content/docs/identity-providers/azure.mdx | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/content/docs/identity-providers/azure.mdx b/content/docs/identity-providers/azure.mdx index c49cf99bd..51b243b5b 100644 --- a/content/docs/identity-providers/azure.mdx +++ b/content/docs/identity-providers/azure.mdx @@ -90,6 +90,12 @@ You will use the [**Group ID**](https://docs.microsoft.com/en-us/graph/api/group ::: +:::note + +Pomerium uses v2.0 Entra Access Token, make sure your application manifest has [`accessTokenAcceptedVersion`](https://learn.microsoft.com/en-us/entra/identity-platform/reference-app-manifest#accesstokenacceptedversion-attribute) set to `2`. If you use Terraform to configure your Entra application, set [`requested_access_token_version = 2`](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/application.html#requested_access_token_version-1) of an `azuread_application`. + +::: + 1. From the **App registrations** page, select **API permissions**: - Select **+ Add a permission**, then **Microsoft Graph API** From 3c2ca890b72e4874f918a774cd075bf6bc20b110 Mon Sep 17 00:00:00 2001 From: Denis Mishin Date: Tue, 10 Dec 2024 13:35:25 -0500 Subject: [PATCH 2/2] wording Co-authored-by: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com> --- content/docs/identity-providers/azure.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/docs/identity-providers/azure.mdx b/content/docs/identity-providers/azure.mdx index 51b243b5b..cee5e2556 100644 --- a/content/docs/identity-providers/azure.mdx +++ b/content/docs/identity-providers/azure.mdx 
@@ -92,7 +92,7 @@ You will use the [**Group ID**](https://docs.microsoft.com/en-us/graph/api/group :::note -Pomerium uses v2.0 Entra Access Token, make sure your application manifest has [`accessTokenAcceptedVersion`](https://learn.microsoft.com/en-us/entra/identity-platform/reference-app-manifest#accesstokenacceptedversion-attribute) set to `2`. If you use Terraform to configure your Entra application, set [`requested_access_token_version = 2`](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/application.html#requested_access_token_version-1) of an `azuread_application`. +We recommend using the v2.0 access token format, which you can request by setting the application manifest [`accessTokenAcceptedVersion`](https://learn.microsoft.com/en-us/entra/identity-platform/reference-app-manifest#accesstokenacceptedversion-attribute) attribute to `2`. If you use Terraform to configure your Entra application, set [`requested_access_token_version = 2`](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/application.html#requested_access_token_version-1) in your `azuread_application`. :::
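Review bot: In the first hunk (PATCH 1/2), the Terraform link in the added note points at the `azuread_application` data source page (`docs/data-sources/application.html#requested_access_token_version-1`), while the sentence tells the reader to configure the Entra application, which is done with the `azuread_application` resource; point the link at the resource documentation instead and consider showing the setting as a short HCL snippet so the reader can see exactly where `requested_access_token_version = 2` belongs inside the resource block. The note also never says what a reader will observe if the app registration still issues v1.0 tokens (which Pomerium error or login failure results), which is what someone troubleshooting will search for; one sentence on the failure mode would make the note actionable. Minor: "Pomerium uses v2.0 Entra Access Token, make sure your application manifest has ..." is a comma splice; split it into two sentences or write "so make sure".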
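Review bot: In the second hunk (PATCH 2/2), the rewording turns a requirement into a recommendation: "We recommend using the v2.0 access token format" reads as optional, whereas the previous wording ("Pomerium uses v2.0 Entra Access Token") and the series subject ("add a note to get v2 tokens") present v2.0 tokens as what Pomerium expects. If v1.0 tokens do not work with Pomerium, keep that explicit, for example "Pomerium requires the v2.0 access token format", and state what fails otherwise, since a reader who treats the note as advisory will skip it. The Terraform link is unchanged and still targets the data-source page rather than the `azuread_application` resource docs that the "configure your Entra application" wording implies.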