Understanding the concept and procedure of creating an app registration is crucial when preparing for the AZ-500 Microsoft Azure Security Technologies exam.
This post aims to provide a comprehensive guide on how to create an app registration, a fundamental step toward managing identity and access in Azure Active Directory.
Understanding App Registration
App registration is the process of defining your application’s identity and configuration in the Microsoft identity platform. Registering your app ties it to Azure Active Directory (Azure AD), which can then authenticate the app and authorize its access. That identity is what lets your app connect securely to Microsoft or third-party APIs that use Microsoft identities for authentication.
Creating an App Registration
Creating an app registration in Azure is a straightforward process. Here’s how to do it:
- Sign in to the Azure portal. Access your Azure Active Directory environment by signing in to the Azure portal.
- Go to App registrations. Navigate to the Azure Active Directory pane and select “App registrations”.
- New registration. Click “New registration” and provide the name of your application in the “Name” field.
- Supported account types. On the same page, pick the supported account types; this determines who can use the application. For instance, you can restrict access to users within your organization or allow access to users with a personal Microsoft account.
- Redirect URI (optional). You can also provide the Redirect URI, the specific endpoint to which the identity provider sends response tokens, for instance “https://localhost:31544” or whatever your application’s redirect URL is.
- Register. After filling out the required details, click the “Register” button to create the app registration.
After successful registration, Azure displays the Application (client) ID and Directory (tenant) ID values; save them, because your application’s configuration will need them.
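The same six portal steps can be scripted with Azure CLI. The following is an added example and is not part of the original post: it maps the portal’s four “Supported account types” labels onto the signInAudience values the CLI expects, checks the redirect URI before submitting it, and prints the same two IDs the portal shows after registration. It assumes Azure CLI 2.37 or later is installed and `az login` has been run; APP_NAME, REDIRECT_URI and the APPREG_APPLY switch are constructed names, not Azure CLI conventions.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): the portal steps, scripted with Azure CLI.
# Assumes Azure CLI 2.37+ and a completed `az login`. APP_NAME, REDIRECT_URI and
# APPREG_APPLY are constructed names, not Azure CLI conventions.
set -eu

APP_NAME="${APP_NAME:-az500-demo-app}"                   # constructed display name
REDIRECT_URI="${REDIRECT_URI:-https://localhost:31544}"  # the URI used in the post

# Map the portal's four "Supported account types" choices onto the signInAudience
# value stored in the app manifest, which is what --sign-in-audience expects.
audience_for() {  # usage: audience_for <single-tenant|multitenant|multitenant-msa|msa-only>
  case "$1" in
    single-tenant)   echo AzureADMyOrg ;;
    multitenant)     echo AzureADMultipleOrgs ;;
    multitenant-msa) echo AzureADandPersonalMicrosoftAccount ;;
    msa-only)        echo PersonalMicrosoftAccount ;;
    *) echo "unknown account type: $1" >&2; return 1 ;;
  esac
}

# The redirect URI is where tokens and authorization codes are delivered, so it must
# use https; plain http is acceptable only for localhost during development.
# Returns 0 when acceptable, 1 otherwise.
validate_redirect_uri() {
  case "$1" in
    https://*) return 0 ;;
    http://localhost|http://localhost:*|http://localhost/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Steps 3 to 6 of the portal flow in one call. --query keeps only the Application
# (client) ID from the JSON result; the Directory (tenant) ID comes from the signed-in context.
create_app_registration() {  # usage: create_app_registration <account-type> <redirect-uri>
  audience=$(audience_for "$1")
  validate_redirect_uri "$2" || { echo "rejected redirect URI: $2" >&2; return 1; }
  app_id=$(az ad app create \
    --display-name "$APP_NAME" \
    --sign-in-audience "$audience" \
    --web-redirect-uris "$2" \
    --query appId -o tsv)
  tenant_id=$(az account show --query tenantId -o tsv)
  echo "Application (client) ID: $app_id"
  echo "Directory (tenant) ID:   $tenant_id"
}

# Only call Azure when explicitly asked, so the helpers can be exercised without a tenant.
if [ "${APPREG_APPLY:-0}" = "1" ]; then
  create_app_registration single-tenant "$REDIRECT_URI"
fi
```

Run it with `APPREG_APPLY=1 sh create-appreg.sh` to perform the registration; without the switch it only defines the helpers. Single tenant is the default here because it is the narrowest audience; widening it to multitenant is a deliberate decision that the next section discusses.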
Considerations during App Registration
During the App registration, you should take note of certain factors:
- The ‘Supported account types’ option: choose according to who should be able to authenticate. The four choices are:
  - Accounts in this organizational directory only (Single tenant): only accounts from your organization will have access.
  - Accounts in any organizational directory (Multitenant): any Azure AD account can access the app.
  - Accounts in any organizational directory and personal Microsoft accounts (Multitenant): any Azure AD account and personal Microsoft accounts have access.
  - Personal Microsoft accounts only: only personal Microsoft accounts can access the app.
- The ‘Redirect URI’ is the destination address where your app receives token responses from Azure AD. It should therefore point at the specific endpoint in your app that handles response tokens and authorization codes.
Permissions and Consent
After creating an app registration, you can specify the permissions your app needs in order to access other APIs. This means adding the API permissions and scopes your app can use, which come in two types: “Delegated” permissions and “Application” permissions.
By following these steps, you can ensure that your app has its unique identity in Azure Active Directory. This identity will enable it to establish a secure connection within Azure and any other Microsoft or third-party APIs. This concept is paramount in Azure Security Technologies and will undoubtedly feature in your AZ-500 exam.
Practice Test
True or False: Azure Active Directory is not required for registering and managing your app in Azure.
- True
- False
Answer: False
Explanation: Azure Active Directory is necessary for app registration and management as it provides identity services that applications use for authentication and authorization.
Which of the following can you configure when you register an app in Azure Active Directory?
- A. Permissions to other APIs
- B. Branding information
- C. Client secrets and certificates
- D. API permissions
- E. All of the above
Answer: E. All of the above
Explanation: When you register an app in Azure AD, you can configure its permissions to other APIs, branding information, client secrets/certificates, and API permissions.
True or False: When registering an app in Azure, you can choose between two types of accounts: single tenant and multi-tenant.
- True
- False
Answer: True
Explanation: Azure allows you to choose between Single tenant (only accounts in your organization’s directory) or Multitenant (accounts in any organization’s directory) while registering an app.
Which of the following is a correct statement?
- A. You can only add redirect URIs after an app is registered in Azure AD.
- B. Application ID URIs are unique across all apps within a directory.
- C. Every app in Azure AD must have an application ID URI.
- D. None of the above.
Answer: B. Application ID URIs are unique across all apps within a directory.
Explanation: Application ID URIs do need to be unique across all apps within a directory. Redirect URIs, however, can be added at the time of app registration, and not every app must have an application ID URI; it is optional.
When registering an app in Azure, exposing an API is mandatory. True/False?
- True
- False
Answer: False
Explanation: Exposing an API is not mandatory when registering an app in Azure AD. It depends on the app’s need to expose its functionality via an API.
Which of the following does NOT belong in the “Certificates & secrets” section of an app registration in Azure AD?
- A. Upload certificate
- B. New client secret
- C. Imported certificate
- D. API permissions
Answer: D. API permissions
Explanation: API permissions are managed in a separate section from Certificates & secrets.
In which authentication method used with an Azure AD app registration does the application present a certificate to Azure AD and receive a token in return?
- A. Client credentials
- B. Password credentials
- C. Authorization code
- D. Implicit
Answer: A. Client credentials
Explanation: In the client credentials method, the application presents either a certificate or a secret to Azure AD, and if valid, a token is returned to the application.
Which of the following is NOT a necessary step when registering an app on Azure AD?
- A. Configuring an Azure AD Conditional Access policy
- B. Specifying the Type of account to support
- C. Defining a name for the app
- D. Specifying the Redirect URI
Answer: A. Configuring an Azure AD Conditional Access policy
Explanation: Setting up an Azure AD Conditional Access policy is not a necessary step in application registration; it is part of a larger, separate process for applying conditions that control access to your app.
True or False: You need to specify an app’s public client/native (mobile & desktop) status during app registration in Azure.
- True
- False
Answer: True
Explanation: This status helps Azure AD to determine what authentication flows the app can participate in.
For Multi-Tenant apps, Azure AD issues tokens not just to users in the same tenant but from other tenants as well. True/False?
- True
- False
Answer: True
Explanation: A multi-tenant application can accept users from other Azure AD tenants, that is, not just from the tenant where the app resides.
Interview Questions
What is app registration in Microsoft Azure?
App registration in Microsoft Azure is the process of configuring an application with Azure Active Directory (AD) so that it can use Azure AD to authenticate and authorize users.
What is the first step to creating an app registration in Azure?
The first step in creating an app registration in Azure AD is to sign in to the Azure portal.
Where can you create an app registration in the Azure portal?
You can create an app registration in the Azure portal by going to Azure Active Directory, then selecting “App registrations” and clicking on “New registration”.
What is a redirect URI in the context of an Azure app registration?
A redirect URI is a location where Azure AD will send the authentication response, including a token if authentication is successful.
What are the steps to set a Redirect URI in Azure app registration?
After creating a new app registration, go to the “Authentication” page, click “Add a platform”, and select the appropriate platform. You can then add your redirect URI in the Redirect URIs section.
What are user secrets in Azure app registration?
User secrets are sensitive data such as API keys and connection strings. They are stored in a secret JSON file on the developer machine rather than in the project’s source code, for security reasons.
How can you delete an App registration in Azure AD?
You can delete an app registration by going to Azure Active Directory, selecting “App registrations”, selecting the application and clicking “Delete”.
What is the purpose of the client secret in Azure App Registration?
The client secret is a key generated by Azure AD that your app uses to authenticate with Azure AD for certain types of authentication flows.
How do you generate a client secret in Azure app registration?
In the Azure portal, go to Azure AD, select App registrations, then select the required app. In the app’s management pane, select Certificates & secrets, then click on the New client secret button to generate one.
What happens if you lose the value of a client secret for your app registration in Azure?
If you lose the value of a client secret for your app registration, you won’t be able to retrieve it again from the Azure portal. However, you can create a new client secret as a replacement.
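The two answers above (generating a client secret, and replacing one whose value was lost) can be carried out with Azure CLI. The following is an added example, not part of the original post: it creates a new secret alongside the existing one so the application can roll over without an outage, hands the value to Key Vault immediately, lists the remaining secrets by hint and expiry, and includes a small check that classifies a secret’s expiry date. It assumes Azure CLI is installed and `az login` has been run; APP_ID, KEY_VAULT and APPREG_APPLY are constructed placeholders.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): generating and rotating a client secret
# with Azure CLI and checking expiry. Assumes Azure CLI and a completed `az login`;
# APP_ID, KEY_VAULT and APPREG_APPLY are constructed placeholders.
set -eu

APP_ID="${APP_ID:-00000000-0000-0000-0000-000000000000}"  # constructed placeholder
KEY_VAULT="${KEY_VAULT:-kv-az500-demo}"                   # constructed placeholder

# Azure AD shows a secret value only once, so a lost value cannot be recovered: the fix
# is a new secret. --append adds it next to the current one, letting the application
# roll over before the old secret is deleted, instead of replacing all credentials at once.
rotate_client_secret() {
  new_secret=$(az ad app credential reset --id "$APP_ID" --years 1 --append \
    --query password -o tsv)
  # Hand the value straight to Key Vault rather than a config file or source control.
  az keyvault secret set --vault-name "$KEY_VAULT" --name appreg-client-secret \
    --value "$new_secret" --output none
}

# Each stored credential keeps only a hint (its first characters) and its expiry, never the value.
list_client_secrets() {
  az ad app credential list --id "$APP_ID" \
    --query "[].{hint:hint, expires:endDateTime}" -o table
}

# endDateTime is ISO 8601 in UTC, so string order equals time order and `expr` can
# compare it. Prints expired, expiring (before the cutoff) or valid.
secret_status() {  # usage: secret_status <endDateTime> <now> <cutoff>
  if [ "$(expr "$1" \< "$2")" -eq 1 ]; then
    echo expired
  elif [ "$(expr "$1" \< "$3")" -eq 1 ]; then
    echo expiring
  else
    echo valid
  fi
}

# Only call Azure when explicitly asked, so secret_status can be exercised without a tenant.
if [ "${APPREG_APPLY:-0}" = "1" ]; then
  rotate_client_secret
  list_client_secrets
fi
```

Feeding each `endDateTime` from `list_client_secrets` into `secret_status`, with a cutoff of a few weeks ahead, gives an early warning before an application stops authenticating; once the application is confirmed to be using the new secret, the old one can be removed from the “Certificates & secrets” page.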
What are the supported account types in Azure app registration?
The supported account types in Azure app registration are Accounts in this organizational directory only (Single tenant), Accounts in any organizational directory (Multitenant), and Accounts in any organizational directory (Multitenant) and personal Microsoft accounts.
How do you define API permissions in Azure app registration?
To define API permissions, go to Azure AD, select App registrations and then the required app. In the management pane, select API permissions. Click the Add a permission button and then select the APIs and the permissions your app requires.
What are Application (client) ID and Directory (tenant) ID in Azure?
Application (client) ID is a unique identifier assigned to your app by Azure AD when you register it. Directory (tenant) ID is a unique identifier representing your Azure AD instance. Both can be found in the app registration Overview page in the Azure portal.
After the app registration, how do you monitor sign-in and audit activity?
After app registration, sign-in and audit activity can be monitored through Azure AD reports and monitoring available in the Azure portal.
Can you create an app registration for a native application in Azure?
Yes, you can create an app registration for a native application in Azure by setting the application type to ‘Native’ in the ‘Create – App registration’ blade in the Azure portal.