7 Appendix B: Product Behavior
The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include updates to those products.
The terms "earlier" and "later", when used with a product version, refer to either all preceding versions or all subsequent versions, respectively. The term "through" refers to the inclusive range of versions. Applicable Microsoft products are listed chronologically in this section.
The following tables show the relationships between Microsoft product versions or supplemental software and the roles they perform.

Windows Client releases | Client role | Server role |
---|---|---|
Windows 7 operating system | Yes | No |
Windows 8 operating system | Yes | No |
Windows 8.1 operating system | Yes | No |
Windows 10 operating system | Yes | No |
Windows 11 operating system | Yes | No |

Windows Server releases | Client role | Server role |
---|---|---|
Windows Server 2008 operating system | Yes | No |
Windows Server 2008 R2 operating system | Yes | No |
Windows Server 2012 operating system | Yes | No |
Windows Server 2012 R2 operating system | Yes | Yes |
Windows Server 2016 operating system | Yes | Yes |
Windows Server operating system | Yes | Yes |
Windows Server 2019 operating system | Yes | Yes |
Windows Server 2022 operating system | Yes | Yes |
Windows Server 2025 operating system | Yes | Yes |

Exceptions, if any, are noted in this section. If an update version, service pack or Knowledge Base (KB) number appears with a product name, the behavior changed in that update. The new behavior also applies to subsequent updates unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.
Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms "SHOULD" or "SHOULD NOT" implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term "MAY" implies that the product does not follow the prescription.
<1> Section 1.6: Support for the OAuth 2.0 protocol in AD FS is available in Windows Server 2012 R2 and later.
<2> Section 1.6: OAuth 2.0 clients running on Windows 8.1 and later implement these mandatory extensions by default.
OAuth 2.0 clients running on Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 implement these mandatory extensions if [MSFT-WKPLJOIN] is installed. However, even with [MSFT-WKPLJOIN] installed, these products support only the resource and resource_params URI parameters.
<3> Section 2.2.2: The prompt parameter is not supported on Windows Server 2012 R2 unless [MSKB-3172614] is installed. Even with [MSKB-3172614] installed, the "none" value for the parameter is not supported on Windows Server 2012 R2.
The prompt parameter is not supported on Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012.
<4> Section 2.2.2: Even though AD_FS_BEHAVIOR_LEVEL_2 is supported on Windows Server 2016, the amr_values parameter is ignored on Windows Server 2016 unless [MSKB-4022723] is applied.
<5> Section 2.2.2: Even though AD_FS_BEHAVIOR_LEVEL_3 is supported on Windows Server 2016, the mfa_max_age parameter is supported on Windows Server 2016 only if [MSKB-4088889] is installed.
<6> Section 2.2.3: Even though AD_FS_BEHAVIOR_LEVEL_2 is supported on Windows Server 2016, the tbidv2 parameter is ignored on Windows Server 2016 unless [MSKB-4034658] is applied.
<7> Section 2.2.4: [RFC8628] is supported in Windows Server v1809 operating system and later and in Windows Server 2019 and later. It is also supported in Windows Server 2016 if [MSKB-4457127] is installed.
<8> Section 3.1: [RFC8628] is supported in Windows Server v1809 and later and in Windows Server 2019 and later. It is also supported in Windows Server 2016 if [MSKB-4457127] is installed.
<9> Section 3.2.1.1: The following table shows what values ad_fs_behavior_level can be set to on applicable Windows Server releases.

Operating System | ad_fs_behavior_level values supported |
---|---|
Windows Server 2012 R2 | AD_FS_BEHAVIOR_LEVEL_1 |
Windows Server 2016 | AD_FS_BEHAVIOR_LEVEL_1, AD_FS_BEHAVIOR_LEVEL_2, AD_FS_BEHAVIOR_LEVEL_3 |
Windows Server operating system | AD_FS_BEHAVIOR_LEVEL_1, AD_FS_BEHAVIOR_LEVEL_2, AD_FS_BEHAVIOR_LEVEL_3 |
Windows Server 2019 | AD_FS_BEHAVIOR_LEVEL_1, AD_FS_BEHAVIOR_LEVEL_2, AD_FS_BEHAVIOR_LEVEL_3, AD_FS_BEHAVIOR_LEVEL_4 |

<10> Section 3.2.5: [IETFDRAFT-DEVICEFLOW-11] is supported in Windows Server v1809 and later and in Windows Server 2019 and later. It is also supported in Windows Server 2016 if [MSKB-4457127] is installed.
<11> Section 3.2.5: The device authorization endpoint is available in Windows Server v1809 and later and in Windows Server 2019 and later. It is also available in Windows Server 2016 if [MSKB-4457127] is installed.
<12> Section 3.2.5.2.1.3: Windows implementations return an access token for the resource given in this request even if the provided refresh token is not a multi-resource refresh token.