Channel: Azure Active Directory forum

PCI of the AAD MSOL component vs AAD per se


A recent thread I was involved in distinguished some subtle security scoping (when is an id_token an "idtoken", vs a JWT blob).

My questions are targeted at someone in the AAD team who liaises with the PCI-DSS certification of Azure itself.

Is the MSOL component of the managed accounts login feature "of AAD" included in the PCI DSS certification scope of Azure?

Is MSOL "azure", "on azure", "in azure" for the purposes of PCI DSS?

Similarly, for Microsoft.net's OpenID Connect gateway (which may or may not be "MSOL").

Don't want formal answers, just high level direction.

The context is our PCI-DSS software (that would be running on an Azure VM). I want to argue that when one RDPs to a Windows box and the Windows login is (in the Windows 10 era) an AAD Managed account (vs a traditional local or domain account), does the MSOL site that shows the login pages and does the 2-factor process fall within the PCI-DSS certification of Azure?

Said another way, when one lists AAD in the following table, perhaps it just means the API provider of AAD (and not any of MSOL, 2-factor, OpenID Connect gatewaying, etc.).

See http://azure.microsoft.com/en-us/support/trust-center/services/

