Microsoft Entra App Registration provides the ability for the application we are creating to communicate with the Microsoft Graph. This will not only provide access to the graph but also to the specific operations in the graph required to perform our scenario.
Each application you want the Microsoft identity platform to perform identity and access management (IAM) for needs to be registered. Whether it’s a client application like a web or mobile app, or a web API that backs a client app, registering it establishes a trust relationship between your application and the identity provider, the Microsoft identity platform.
- Ensure that you have a active Microsoft 365 subscription.
- Ensure that you have an Microsoft 365 administrative user ID and password.
Create a new Entra application registration
Registering your application establishes a trust relationship between your app and the Microsoft identity platform. The trust is unidirectional: your app trusts the Microsoft identity platform, not the other way around.
Follow these steps to create the app registration:
- Go to the Microsoft Entra portal.
- Sign in with your tenant admin credentials.
- In the left pane, under Identity, click Applications and select App registrations.
- Select “New registration” on the top.
- Enter the name. For Supported account types, select Accounts in this organization directory only. Leave the other options as is.
Configure APIs for Configuration
- After the app is registered, click API permissions on the left.
- Click Add a permission.
- Select the Microsoft Graph API box.
- Select the Application permissions box.
- Scroll down, expand the Directory node and select Directory.ReadWrite.All.
- Scroll down, expand the Group node and select Group.ReadWrite.All.
- Click “Add permissions” at the bottom of the list.
- Click Grant admin consent for…
- Answer Yes for Do you want to grant consent for the requested permissions for all accounts in…
- Make sure the green check marks appear for the permissions listed.
Microsoft Entra app registration permissions
In Microsoft Entra, you can delegate application creation and management permissions in the following ways:
- Restricting who can create applications and manage the applications they create. By default, in Entra AD, all users can register application registrations and manage all aspects of the applications they create. This can be restricted to only allow selected people that permission.
- Assigning one or more owners to an application. This is a simple way to grant someone the ability to manage all aspects of Entra AD configuration for a specific application.
- Assigning a built-in administrative role that grants access to manage configuration in Entra AD for all applications. This is the recommended way to grant IT experts access to manage broad application configuration permissions without granting access to other parts of Entra AD not related to application configuration.
- Creating a custom role defining very specific permissions and assigning it to someone either within the scope of a single application as a limited owner or within the directory scope (all applications) as a limited administrator.
It’s important to consider granting access using one of the above methods for two reasons. First, delegating the ability to perform administrative tasks reduces global administrator overhead. Second, using limited permissions improves your security posture and reduces the potential for unauthorized access. Delegation issues and general guidelines are discussed in Delegate administration in Entra Active Directory.
Restrict who can create applications
By default, in Entra AD, all users can register application registrations and manage all aspects of the applications they create. Everyone also has the ability to consent to apps accessing company data on their behalf. You can choose to selectively grant those permissions by setting the global switches to ‘No’ and adding the selected users to the Application Developer role.
To disable the default ability to create application registrations or consent to applications
- Sign in to your Entra AD organization with an account that is eligible for the global administrator role in your Entra AD organization.
- Set one or both of the following:
- On the User settings page for your organization, set the Users can register applications setting to No. This will disable the default ability for users to create application registrations.
- On the user settings for enterprise applications, set the Users can consent to applications accessing company data on their behalf setting to No. This will disable the default ability for users to consent to applications accessing company data on their behalf.
Grant individual permissions
Assign the Application Developer role to grant the ability to create application registrations when the Users can register applications setting is set to No. This role also grants permission to consent on one’s own behalf when the Users can consent to apps accessing company data on their behalf setting is set to No. As a system behavior, when a user creates a new application registration, they are automatically added as the first owner. Ownership permissions give the user the ability to manage all aspects of an application registration or enterprise application that they own.
Assign application owners
Assigning owners is a simple way to grant the ability to manage all aspects of Entra AD configuration for a specific application registration or enterprise application. As a system behavior, when a user creates a new application registration they are automatically added as the first owner. Ownership permissions give the user the ability to manage all aspects of an application registration or enterprise application that they own. The original owner can be removed and additional owners can be added.
Enterprise application owners
As an owner, a user can manage the organization-specific configuration of the enterprise application, such as the single sign-on configuration, provisioning, and user assignments. An owner can also add or remove other owners. Unlike global administrators, owners can manage only the enterprise applications they own.
In some cases, enterprise applications created from the application gallery include both an enterprise application and an application registration. When this is true, adding an owner to the enterprise application automatically adds the owner to the corresponding application registration as an owner.
To assign an owner to an enterprise application
- Sign in to your Entra AD organization with an account that is eligible for the role of application administrator or cloud application administrator for the organization.
- On the App registrations page for the organization, select an app to open the Overview page for the app.
- Select Owners to see the list of owners for the app.
- Select Add to select one or more owners to add to the app.
Assign built-in application admin roles
Entra AD has a set of built-in admin roles for granting access to manage configuration in Entra AD for all applications. These roles are the recommended way to grant IT experts access to manage broad application configuration permissions without granting access to manage other parts of Entra AD not related to application configuration.
- Application Administrator: Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. This role also grants the ability to consent to delegate permissions and application permissions, excluding Microsoft Graph. Users assigned to this role are not added as owners when creating new application registrations or enterprise applications.
- Cloud Application Administrator: Users in this role have the same permissions as the Application Administrator role, excluding the ability to manage an application proxy. Users assigned to this role are not added as owners when creating new application registrations or enterprise applications.
For more information and to view the description for these roles, see the list of available roles.
Follow the instructions in the Assign roles to users with Entra Active Directory how-to guide to assign the Application Administrator or Cloud Application Administrator roles.
Create and assign a custom role (preview)
Creating custom roles and assigning custom roles are separate steps.
- Create a custom role definition and add permissions to it from a preset list. These are the same permissions used in the built-in roles.
- Create a role assignment to assign the custom role.
This separation allows you to create a single role definition and then assign it many times at different scopes. A custom role can be assigned to an organization-wide scope or to the scope of a single Entra AD object. An example of an object scope is a single app registration. Using different scopes, the same role definition can be assigned to Sally for all app registrations in the organization and then to Naveen for only the Contoso Expense Reports app registration.
Tips for creating and using custom roles for delegating application management:
- Custom roles only grant access to the most current app registration blades of the Entra AD portal. They do not grant access to the legacy app registration blades.
- Custom roles do not grant access to the Entra AD portal when the “Restrict access to Entra AD administration portal” user setting is set to Yes.
- App registrations the user has access to using role assignments only show up in the ‘All applications’ tab on the App registration page. They do not show up in the ‘Owned applications’ tab.
Configure secret for the app registration
- Select Certificates & secrets.
- Scroll to the bottom and select new client secret.
Enter the following details for your client secret:
Where U# = the letter ‘U’ and the number in your user id, for example User1 would be U1CreateAppSecret
- Click Add.
- Copy the generated secret value and place it in Notepad.
Note: This must be done, as the secret value display will disappear and cannot be copied later.
- Click overview.
- Copy the application (client) ID and directory (tenant) ID and keep them secret.
- When registration completes, the Entra portal displays the app registration Overview pane, which includes its Application (client) ID. Also referred to as just client ID, this value uniquely identifies your application in the Microsoft identity platform.
- Your application’s code, or more typically an authentication library used in your application, also uses the client ID as one aspect of validating the security tokens it receives from the identity platform.
Entra app registration reply url
A redirect URI, or reply URL, is the location where the authorization server sends the user once the app has been successfully authorized and granted an authorization code or access token. The authorization server sends the code or token to the redirect URI, so it’s important you register the correct location as part of the app registration process.
The following restrictions apply to redirect URIs:
- The redirect URI must begin with the scheme
https. There are some exceptions for localhost redirect URIs.
- The redirect URI is case-sensitive. Its case must match the case of the URL path of your running application. For example, if your application includes as part of its path
.../abc/response-oidc, do not specify
.../ABC/response-oidcin the redirect URI. Because the web browser treats paths as case-sensitive, cookies associated with
.../abc/response-oidcmay be excluded if redirected to the case-mismatched
Maximum number of redirect URIs
This table shows the maximum number of redirect URIs you can add to an app registration in the Microsoft Identity Platform.
|Accounts being signed in||Maximum number of redirect URIs||Description|
|Microsoft work or school accounts in any organization’s Entra Active Directory (Entra AD) tenant||256|
|Personal Microsoft accounts and work and school accounts||100|
Maximum URI length
You can use a maximum of 256 characters for each redirect URI you add to an app registration.
Also read: The Best Connect to Entra AD PowerShell Reviewed.
Entra app registration vs enterprise application
There are many apps that are published by companies. Enterprise apps are apps that are deployed and used within your organization, and you can manage single sign-on settings for them through the Entra portal. If you want to add your own app and integrate it with Entra AD, you need to register the app in App registrations. Also, if you grant permissions to your app, it will occur in enterprise applications. If your app is added from the gallery, you cannot configure the reply URL. You can only configure your own app in application registrations.
The enterprise applications blade represents service prinicipals rather than applications. A service principal can be thought of as an instantiation of your application for the tenant. In the example of multi-tenancy, you as an app developer, may register an application, then have multiple tenants sign in & consent to the app. At that point, each of those tenants will get a Service Principal provisioned into their tenant and it will show up in the Enterprise Apps section. To prompt a service principal to be provisioned in the same tenant as the app registration, you simply need to complete a sign-in request and consent to the application. It should show up after that.
Entra native app registration
- You can use the Entra Active Directory (Entra AD) Application Proxy to publish web apps, but it can also be used to publish native client applications that are configured with the Microsoft Authentication Library (MSAL). Native client applications differ from web apps because they are installed on a device, while web apps are accessed through a browser.
- To support native client applications, Application Proxy accepts Entra AD-issued tokens that are sent in the header. The application proxy service does the authentication for the users. This solution doesn’t use application tokens for authentication.
- To publish native applications, use the Microsoft Authentication Library, which takes care of authentication and supports many client environments. Application Proxy fits into the desktop app that calls a web API on behalf of a signed-in user scenario.
- For more information about native app registration, see How to enable native client applications to interact with proxy applications.
Entra AD app registration PowerShell
We are going to see how to register an app in Entra AD via PowerShell to take advantage of this.
The Entra AD Module needs to be added to PowerShell prior to getting started. Execute the command below in PowerShell using elevated or administrative status:
Once the Module is installed, run the following command in the same PowerShell window to connect to the required Azure AD tenant:
Note: The required tenant ID will be required in subscriptions with multiple tenants. The tenantID value can be found in the Entra Portal by navigating to Identity > Overview and is listed under Tenant ID.
Run the following command in the same PowerShell window to connect to the specific Entra AD tenant ID (if required):
Connect-AzureAD -TenantId “Insert Directory ID here“
Creating the Entra AD App Registration
Next, the following cmdlet is run, now that the required Entra AD tenant is connected to PowerShell, to capture the name of the application and the IdentifierURI.
$appName = “SalesApp”
$appURI = “https://techieberrysalesapp.techieberry.onmicrosoft.com”
$appHomePageUrl = “http://www.techieberry.com/”
$appReplyURLs = @($appURI, $appHomePageURL, “https://localhost:1234”)
if(!($myApp = Get-AzureADApplication -Filter “DisplayName eq ‘$($appName)'” -ErrorAction SilentlyContinue))
$myApp = New-AzureADApplication -DisplayName $appName -IdentifierUris $appURI -Homepage $appHomePageUrl -ReplyUrls $appReplyURLs
Adding the app key
With the required URIs now captured, it is time to add the application key. The key will be stored in the Entra Key Vault which ensures its security and disallows unauthorized access. Run the following command to invoke this process:
$Guid = New-Guid
$startDate = Get-Date
$PasswordCredential = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordCredential
$PasswordCredential.StartDate = $startDate
$PasswordCredential.EndDate = $startDate.AddYears(1)
$PasswordCredential.KeyId = $Guid
$PasswordCredential.Value = ([System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(($Guid))))
Note: The PasswordCredential value is created as a Base64 value and is saved in the Entra Key Vault.
This process can also be completed via the Entra Portal but it will take more time.
This completes the Entra AD app registration.