Version: v0.25.0 (Latest)

Accounts and Identities for the Authorization Server

The hosted authorization server distinguishes two kinds of principals, with different rules:

  • Platform administration uses operator accounts that live in the EDK identity store. The platform owner is provisioned during platform tenant bootstrap as a natural person with an identity and a protected email identifier, and the credential is written through the hosted AS credential store. The operator signs in through the hosted AS form flow described on the operator sign-in page. Platform administration does not use federated sign-in: the platform AS is an internal authorization server whose sole job is to provide admin accounts for platform management, and it is intentionally kept minimal.
  • Tenant users sign in through the identity providers registered in the tenant's federation registry. Your IdP remains the system of record for tenant users; the enterprise AS brokers authentication.

The authorization code flow page shows how an authenticated user drives credential issuance.