Step-By-Step Azure AD App Registration

Enterprise developers and software-as-a-service (SaaS) providers can develop commercial cloud services or line-of-business applications, that can be integrated with Azure Active Directory (Azure AD) to provide secure sign-in and authorization for their services. To integrate an application or service with Azure AD, a developer must first register the application with Azure AD.

Any application that wants to use the capabilities of Azure AD must first be registered in an Azure AD tenant. This registration process involves giving Azure AD details about your application, such as the URL where it’s located, the URL to send replies after a user is authenticated, the URI that identifies the app, and so on. 

In the upcoming series of articles will see different 'grant_type' and which one to use for what scenario?
how to use in Daemon-Headless-App calling secure WebAPI - client_credentials/password_credentials
how to use in Windows-Forms-App calling secure WebAPI - code_credentials
how to secure WebApplication using Azure AAD - OpenID Connect
how to call a secure WebAPI from WebApplication - client_credentials/code_credentials
how to call a secure WebAPI from SPA-App - implict_grant


App Registration in Azure Active Directory (AAD v1.0)



Application type

Web app / API

This is suitable for the application which requires or secured by "client secret key". Anyone/application which backed by AAD has this "Client Secret" can get authenticated and communication to configured API.

Native

This will be used whenever you run this application under user context ()or while publishing your apps for a Public domain. AAD provides an iFrame to authenticate and send back the access token to the replay URL that should match with AAD pre-configured reply URL.

What is Application and Delegated Permissions in AAD

Application Permissions

- Used to access secure endpoint without user context.
- Used to access secure endpoint with ‘Client Secret’ token with 1 (or) 2 Years (or) Never expiry.
- Since there is no user context this requires admin consent.
- It's recommended to be used in trustable when you own/maintain the consuming application and its deployment (i.e. web application, WebAPI). Hence 'Client Secret' is available only for “WebAPI/WebApp” type in AAD App registration. 

Delegated Permissions

- Used to access secure endpoint with user context.
- Mostly given for Native applications (i.e. Native Desktop clients & Mobile application) where it’s hosted and deployed on a different platform (or) not-trust able (or) public deployment zone.

How to provide API access to registered AAD v1.0 App

We can choose and provide permission for our AAD app, potentially access secure endpoints via this app.







When to Grant Admin Permission in AAD v1.0 App Registration

App required admin consent based on the permission you choose in access blade.


Notice: Grant admin permission is not required for "Require Admin - NO" permissions.


-Ratsub

Comments

  1. Very informative blog post. Thanks for sharing all helpful steps. Here you can find more detailed information on Secure endpoint.

    ReplyDelete

Post a Comment

Enter your comments..

Popular posts from this blog

Secure When a HTTP request is received Power Automate a.k.a MS Flow

People picker Control in PowerApps

Upload attachment to SharePoint list item using Microsoft Flow

Approval and auto escalation with time out in Microsoft Flow

Modern page provisioning using page template

Headless-Daemon calling AAD secured API

Developing custom reusable components in PowerApps

HTML field & Date Time formatting in powerapps

Create and configure custom connectors for PowerApps and MSFlow from AzureFunctions