Registering Custom Applications with Azure Active Directory
Integrating your custom applications with Azure Active Directory (Azure AD) is a crucial step for securing access, managing user identities, and enabling single sign-on (SSO). This guide will walk you through the process of registering your application in the Azure portal.
Why Register Your Application?
Registering an application in Azure AD makes it a recognized entity within your Azure AD tenant. This allows Azure AD to:
- Issue security tokens (like OAuth 2.0 and OpenID Connect tokens) to your application.
- Manage permissions and consent for users accessing your application.
- Enforce authentication policies.
- Provide auditing and logging for application access.
Steps to Register Your Application
1. Access the Azure Portal
Navigate to the Azure portal and sign in with your Azure AD administrator account.
2. Navigate to App Registrations
In the Azure portal, search for and select "Azure Active Directory". Then, under the "Manage" section in the left-hand menu, click on "App registrations".

3. Create a New Application Registration
Click on the "+ New registration" button at the top of the App registrations page.
4. Configure Application Details
You will be presented with a form to configure your application:
- Name: Provide a user-friendly name for your application (e.g., "MyCustomCRM", "InternalDashboard"). This name will be visible to users during the consent process.
- Supported account types: Choose who can use your application.
  - "Accounts in this organizational directory only (Default Directory only - Single tenant)" is common for internal applications.
  - "Accounts in any organizational directory (Any Azure AD directory - Multitenant)" allows users from other Azure AD tenants to access your app.
  - "Accounts in any organizational directory (Any Azure AD directory - Multitenant)" and "All account types" offer broader access.
- Redirect URI (optional): This is where Azure AD will send the authentication response after a user logs in.
  - For web applications, select "Web" and enter your application's callback URL (e.g., https://myapp.com/auth/callback).
  - For single-page applications (SPAs), select "Single-page application" and enter the redirect URI.
  - For mobile and desktop applications, you might use "Public client/native (mobile & desktop)" and specify a custom scheme URI (e.g., myapp://auth) or use platform-specific redirect URIs.
Click "Register" to create the application.
5. Application Overview
Once registered, you'll be taken to your application's overview page. Here you'll find crucial information:
- Application (client) ID: A unique identifier for your application. You'll use this in your application's code.
- Directory (tenant) ID: The ID of your Azure AD tenant.
- Object (principal) ID: The unique ID for the application's service principal.
Keep these IDs secure and use them as required by your application's authentication library.
6. Configure Authentication (Redirect URIs and Implicit Flow)
Under the "Manage" section of your app registration, click on "Authentication". Here you can:
- Add Redirect URIs: Add or modify the URIs where Azure AD should send responses.
- Configure Implicit grant and hybrid flows: For SPAs or older web apps, you might need to enable specific token types (Access tokens, ID tokens) here. It's generally recommended to use Authorization Code Flow for web apps for better security.
7. Add Credentials (Secrets or Certificates)
For web applications or services that need to authenticate themselves to Azure AD, you'll need to create credentials. Under "Certificates & secrets":
- New client secret: Create a secret key. Copy its value immediately as it will only be shown once.
- New certificate: Upload a public certificate to authenticate your application.
Client secrets are easier to manage but less secure than certificates. Use certificates for production environments where possible.
8. Define API Permissions
If your application needs to access protected resources (like Microsoft Graph API or your own APIs), you must grant it the necessary permissions. Navigate to "API permissions":
- Click "+ Add a permission".
- Select the API you want to access (e.g., "Microsoft Graph").
- Choose the type of permissions:
  - Delegated permissions: Used when your application acts on behalf of a signed-in user.
  - Application permissions: Used when your application runs as a background service without a signed-in user.
- Select the specific permissions required and click "Add permissions".
For some permissions, an administrator might need to grant "Admin consent" for the organization.
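The choices made in steps 4, 6, 7 and 8 can be reviewed after the fact from the registration's JSON. The following is an added example, not part of the original guide or of any Microsoft tooling: it assumes the application object has the shape Microsoft Graph returns for an application resource, runs against a constructed sample, and uses hypothetical review-item names and an assumed 180-day secret lifetime policy.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample in the Microsoft Graph application shape; all values are made up.
SAMPLE_APP = json.loads("""{
  "signInAudience": "AzureADMultipleOrgs",
  "web": {
    "redirectUris": ["https://myapp.com/auth/callback", "http://myapp.com/auth/callback"],
    "implicitGrantSettings": {"enableAccessTokenIssuance": true, "enableIdTokenIssuance": false}
  },
  "publicClient": {"redirectUris": ["myapp://auth"]},
  "passwordCredentials": [{"endDateTime": "2027-06-30T00:00:00Z"}], "keyCredentials": [],
  "requiredResourceAccess": [{"resourceAppId": "00000000-0000-0000-0000-0000000000aa",
    "resourceAccess": [{"id": "00000000-0000-0000-0000-0000000000bb", "type": "Role"}]}]
}""")

def audit_registration(app, now, max_secret_days=180):
    """Return sorted review items; the 180-day limit is an assumed policy."""
    items = set()
    if app.get("signInAudience") != "AzureADMyOrg":      # step 4: account types
        items.add("AUDIENCE_NOT_SINGLE_TENANT")
    uris = []
    for platform in ("web", "spa", "publicClient"):      # steps 4 and 6: redirect URIs
        uris += (app.get(platform) or {}).get("redirectUris", [])
    for uri in uris:
        parsed = urlparse(uri)
        if parsed.scheme == "http" and parsed.hostname not in ("localhost", "127.0.0.1"):
            items.add("HTTP_REDIRECT_URI")
        if "*" in uri:
            items.add("WILDCARD_REDIRECT_URI")
    implicit = (app.get("web") or {}).get("implicitGrantSettings") or {}
    if implicit.get("enableAccessTokenIssuance"):        # step 6: implicit grant
        items.add("IMPLICIT_ACCESS_TOKENS")
    secrets = app.get("passwordCredentials") or []       # step 7: credentials
    for cred in secrets:
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        if (end - now).days > max_secret_days:
            items.add("LONG_LIVED_SECRET")
    if secrets and not app.get("keyCredentials"):
        items.add("SECRET_WITHOUT_CERTIFICATE")
    for resource in app.get("requiredResourceAccess") or []:   # step 8: permissions
        if any(p.get("type") == "Role" for p in resource.get("resourceAccess", [])):
            items.add("APPLICATION_PERMISSIONS")
    return sorted(items)

if __name__ == "__main__":
    print(audit_registration(SAMPLE_APP, datetime(2025, 1, 1, tzinfo=timezone.utc)))
```

In the Graph shape, a "Role" entry is an application permission and a "Scope" entry is a delegated permission, so APPLICATION_PERMISSIONS marks registrations that can act without a signed-in user.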
Conclusion
Registering your custom application in Azure AD is the foundational step for modern identity and access management. By following these steps, you can begin securing your applications and leveraging the power of Azure AD for authentication and authorization.