Application registration in Azure AD means setting up your app in the Azure portal so that it can authenticate users and request access to resources. It’s a two-step process: registering the application (where details about your app are configured) and granting permissions (determining access level). When an app is registered, a unique ‘Application (client) ID’ is generated.

Steps to Configure Application Registration in Azure AD

Step 1: Sign-in and Access App Registrations

Sign in to the Azure portal and locate ‘Azure Active Directory’. Select ‘App registrations’, then ‘New registration’.

Step 2: Register your Application

Enter a ‘Name’, choose an option under ‘Who can use the application or access the API’, then, under ‘Redirect URI’, select a ‘Type’ and enter your ‘Redirect URI’. Click ‘Register’.

Step 3: Authentication Configuration

After the application is registered, select ‘Authentication’ under ‘Manage’. There, you can add a platform using the ‘Add a platform’ option.

For ‘Web Applications’, provide a ‘Redirect URI’ (where Azure AD sends tokens) and ‘Logout URL’ (where users are redirected post sign out). Ensure they’re accessible through HTTPS.

For ‘Public client/native (mobile & desktop)’, state your ‘Redirect URI’. ‘Custom redirect URIs’ can be provided based on preference.

Step 4: Setting API Permissions

Apps must be permitted by admins to access organization data. Go to ‘API permissions’ then ‘Add a permission’. Choose between ‘Microsoft APIs’, ‘My APIs’ or ‘APIs my organization uses’, depending on your app’s needs.

Click on ‘Application permissions’ for service-to-service interactions, or ‘Delegated permissions’ for user-involved interactions.

Step 5: Granting Admin Consent

On the ‘API permissions’ page, click ‘Grant admin consent for {tenant}’, then ‘Yes’.
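
The settings chosen in Steps 2 to 4 can be reviewed after registration from the app’s JSON representation. The following Python check is an added example, not code from the original article or from Microsoft; it assumes the app is exported in the Microsoft Graph application object shape, and the function name `audit_app`, the finding labels and the sample data are constructed for illustration.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample in the shape of a Microsoft Graph application object;
# the permission IDs, URIs and dates are made up for illustration.
SAMPLE_APP = json.loads("""{
  "signInAudience": "AzureADMultipleOrgs",
  "web": {"redirectUris": ["https://app.example.com/signin-oidc", "http://app.example.com/cb"],
          "logoutUrl": "https://app.example.com/signout"},
  "publicClient": {"redirectUris": ["http://localhost"]},
  "passwordCredentials": [{"displayName": "ci-secret", "endDateTime": "2024-01-15T00:00:00Z"}],
  "requiredResourceAccess": [{
    "resourceAppId": "00000003-0000-0000-c000-000000000000",
    "resourceAccess": [{"id": "11111111-1111-1111-1111-111111111111", "type": "Scope"},
                       {"id": "22222222-2222-2222-2222-222222222222", "type": "Role"}]}]
}""")

def audit_app(app, now):
    """Return (check, detail) findings to review for one application object."""
    findings = []
    uris = (app.get("web", {}).get("redirectUris", [])
            + app.get("publicClient", {}).get("redirectUris", []))
    for uri in uris:
        u = urlparse(uri)
        # Plain http is tolerated only for loopback redirects used by native clients.
        if u.scheme == "http" and u.hostname not in ("localhost", "127.0.0.1"):
            findings.append(("insecure-redirect-uri", uri))
    for cred in app.get("passwordCredentials", []):
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        if end <= now:
            findings.append(("expired-secret", cred.get("displayName", "")))
    for res in app.get("requiredResourceAccess", []):
        for perm in res.get("resourceAccess", []):
            # "Role" is an application permission (no user present); "Scope" is delegated.
            if perm["type"] == "Role":
                findings.append(("application-permission", perm["id"]))
    # Anything wider than single tenant is listed so the audience choice gets reviewed.
    if app.get("signInAudience") != "AzureADMyOrg":
        findings.append(("multi-tenant-audience", app.get("signInAudience")))
    return findings

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" for a repeatable run
    for check, detail in audit_app(SAMPLE_APP, now):
        print(f"{check}: {detail}")
```

Each finding is a prompt for review rather than a verdict: an application permission or a multitenant audience may be intended, but both widen what the registration can reach.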

Points to Remember

  • Each registered app must have at least one ‘Redirect URI’; this is where Azure AD sends the app’s security tokens.
  • Public client (mobile & desktop) applications often rely on the default platform Redirect URI.
  • You can register as many apps as necessary in Azure AD, but each must have a unique name.

Conclusion

Effective application registration and configuration in Azure AD not only helps in securing your applications but also ensures seamless integration with Microsoft’s identity infrastructure. As you prepare for your MS-100 Microsoft 365 Identity and Services exam, master these steps to comfortably handle app registration tasks in a real-world scenario.

Practice Test

True or False: Azure Active Directory (Azure AD) provides a platform to manage and secure identity access for an application.

  • True
  • False

Answer: True.

Explanation: Azure AD provides identity management and access control capabilities for your cloud applications. You can securely sign in to your apps using Microsoft’s identity platform.

In the process of application registration in Azure AD, what should be the first step?

  • a) Specify Redirect URI.
  • b) Define basic application properties.
  • c) Set the permissions required by the application.
  • d) Enable an interactive workflow under ‘Authentication’.

Answer: b) Define basic application properties.

Explanation: The first step in application registration involves defining the basic properties of your application.

True or False: In Azure AD application registration, Redirect URIs are optional to add.

  • True
  • False

Answer: False.

Explanation: Redirect URIs are essential elements in application registration that specify the destinations to which the eventual tokens should be sent.

Which section of Azure AD application registration allows you to specify a Logout URL?

  • a) Manifest
  • b) Certificates and secrets
  • c) Branding
  • d) Authentication

Answer: d) Authentication.

Explanation: The ‘Authentication’ section in the Azure portal application registration page allows you to specify a Logout URL.

Multiple select: What can be included in the “Define permissions of the application” step during Azure AD application registration?

  • a) API permissions
  • b) Key permissions
  • c) Graph permissions
  • d) Azure permissions

Answer: a) API permissions, c) Graph permissions.

Explanation: While defining the permissions for an app, you can specify the APIs it can work with, and whether it can read data, write data or have more extensive permissions.

True or False: Once you have registered an application in Azure AD, you cannot make changes to it.

  • True
  • False

Answer: False.

Explanation: You can make changes to your application at any time after its initial creation within the Azure portal.

Which section of Azure AD application registration contains “Application ID URI”?

  • a) Expose an API
  • b) Certificates and secrets
  • c) Manifest
  • d) API permissions

Answer: a) Expose an API.

Explanation: The ‘Expose an API’ section of application registration in the Azure portal is where you’ll find the “Application ID URI”.

True or False: Certificates and secrets generated in Azure AD do not have an expiration date.

  • True
  • False

Answer: False.

Explanation: Certificates and secrets that you generate in Azure AD do have an expiration date, typically ranging from 1 to 2 years, depending on the type.

What is the purpose of a scope (permission) in an Azure AD application?

  • a) It is used to secure the database.
  • b) It is used to define the kind of access that the application requires.
  • c) It is used for exposing an API.
  • d) It is used to restrict users’ access to the application.

Answer: b) It is used to define the kind of access that the application requires.

Explanation: Scopes are used to specify the kind of access that a web API requires.

What does the Manifest feature in Azure AD provide?

  • a) It provides a JSON file containing the properties of the registered application.
  • b) It provides a list of certificates and secrets for the application.
  • c) It provides a summary of the registered applications.
  • d) It provides a list of all permissions for the application.

Answer: a) It provides a JSON file containing the properties of the registered application.

Explanation: The Manifest is a feature in the Azure AD application registration process that provides a JSON formatted version of all the application properties.

Interview Questions

What is the first step in registering an application in Azure AD?

The first step in registering an application in Azure AD is to sign in to the Azure portal.

What is the purpose of application registration in Azure AD?

Application registration in Azure AD allows your application to be integrated with Azure AD for user authentication and permissions.

Can you change the application’s redirect URI after its registration in Azure AD?

Yes, you can change the application’s redirect URI even after its registration in Azure AD.

What is the need for a redirect URI in Azure AD application registration?

The redirect URI directs the OAuth 2.0 authorization response from Azure AD back to your application.

What is the role of Application ID during application registration in Azure AD?

The Application ID is a unique identifier assigned by Azure AD to your application at registration and used to identify the application during token requests.

How can you assign a role to your registered application in Azure AD?

Roles can be assigned to the application in Azure AD under the ‘App roles’ settings of your application registration in the portal.

Can multiple redirect URIs be set for one application in Azure AD?

Yes, you can add multiple redirect URIs for one application in Azure AD.

How many application objects does application registration in Azure AD create?

Application registration in Azure AD creates two application objects – one in the Azure AD tenant where the application is registered, and the other in the tenant’s application catalogue.

What is the purpose of a client secret in Azure AD application registration?

The client secret, also known as the application password, is used for confidential client scenarios where the application secret is used in the application code to authenticate and get tokens from Azure AD.

Can the same application be registered in multiple Azure AD tenants?

No, an application can only be registered in one Azure AD tenant. However, it can be made multi-tenant which allows it to be used in any Azure AD tenant.

How can permissions be granted to a registered application in Azure AD?

Permissions to a registered application can be granted under the ‘API permissions’ settings in the application registration in Azure AD.

What happens if I delete a registered app from Azure AD?

If a registered application in Azure AD is deleted, all configuration settings, permissions, and roles for that application will also be removed.

What is the use of ‘Grant admin consent’ option in Azure AD application registration?

The ‘Grant admin consent’ option in Azure AD allows an administrator to pre-consent to all permissions that the application requires, thereby removing the need for individual users to consent.

Can we configure a native application in Azure AD?

Yes, a native application can be configured in Azure AD using the ‘Redirect URIs’ under the Authentication tab in app registration.

What is the ‘Supported account types’ option in Azure AD application registration?

The ‘Supported account types’ option in Azure AD application registration defines who can use the application or access the API. The options range from single tenant to multitenant and personal Microsoft accounts.
