Tutorial / Cram Notes

There are two types of application objects in Azure AD:

  • Azure AD application object: Represents the definition of your application within your directory.
  • Service Principal object: Represents an instance of the application within a directory or a tenant.

When you register an application in Azure AD, both an application object and a service principal are created. The service principal is the object in the tenant that actually holds the granted permissions and to which security policy is applied.

Registering an Application in Azure AD

  1. Sign in to the Azure Portal: Navigate to the Azure portal and sign in with your administrative account.
  2. Navigate to Azure AD: Find and select Azure Active Directory from the left-hand navigation.
  3. Register the application:
    • Go to the “App registrations” area.
    • Click on “New registration”.
    • Fill in the “Name” of the application.
    • Select the appropriate “Supported account types”.
    • Optionally, you may enter a “Redirect URI” if your application is a web app/API requiring a return URL after authentication.
  4. Get Application (client) ID: After registration, the Azure portal will provide an Application (client) ID. It uniquely identifies your application in the Microsoft identity platform.
  5. Generate a Secret or a Certificate: Under “Certificates & secrets”, you can generate a client secret or upload a certificate which will be used to authenticate the app with Azure AD.
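The same registration the portal steps above perform, expressed as the Microsoft Graph request bodies an automation script would send (added example, not from the original notes). It runs offline and only builds and checks the bodies; the app name, object ID and redirect URIs are constructed placeholders.

```python
"""Added example (not from the original notes): Graph request bodies for the
registration steps above. Builds and validates them offline; names, IDs and
URIs are constructed placeholders."""
from urllib.parse import urlparse

GRAPH = "https://graph.microsoft.com/v1.0"

# Portal "Supported account types" label -> Graph signInAudience value
SIGN_IN_AUDIENCE = {
    "single tenant": "AzureADMyOrg",
    "multitenant": "AzureADMultipleOrgs",
    "multitenant + personal": "AzureADandPersonalMicrosoftAccount",
}


def check_redirect_uri(uri):
    """Azure AD registers https URIs only; plain http is allowed just for loopback dev URIs."""
    parsed = urlparse(uri)
    if parsed.scheme == "https":
        return bool(parsed.netloc)
    return parsed.scheme == "http" and parsed.hostname in ("localhost", "127.0.0.1")


def build_app_registration(name, account_type, redirect_uris=()):
    """Body for POST {GRAPH}/applications (steps 3a-3e); rejects insecure redirect URIs."""
    bad = [u for u in redirect_uris if not check_redirect_uri(u)]
    if bad:
        raise ValueError(f"redirect URIs must use https (or http on localhost): {bad}")
    body = {"displayName": name, "signInAudience": SIGN_IN_AUDIENCE[account_type]}
    if redirect_uris:  # daemons need no redirect URI, so omit the web block entirely
        body["web"] = {"redirectUris": list(redirect_uris)}
    return body


def build_service_principal(app_id):
    """Body for POST {GRAPH}/servicePrincipals: the tenant-side instance of the app."""
    return {"appId": app_id}


def add_password_request(app_object_id, display_name="automation secret"):
    """URL and body for POST .../applications/{id}/addPassword (step 5, secret variant).
    The secret value appears only in Graph's response: store it in a vault, never in code."""
    url = f"{GRAPH}/applications/{app_object_id}/addPassword"
    return url, {"passwordCredential": {"displayName": display_name}}
```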

Configuring Application Permissions

  1. API Permissions:
    • Inside the application registration, go to “API permissions”.
    • Click “Add a permission” to select Microsoft APIs (like Microsoft Graph), or APIs from your own organization.
    • Determine the type of permissions your application needs: delegated (on behalf of a user) or application (without a signed-in user).
  2. Granting Admin Consent:
    • Some permissions require an admin to grant consent for all users in the tenant.
    • Click “Grant admin consent for [Tenant Name]” to provide this consent.

Redirect URIs and Token Configuration

  • Redirect URIs: If your app is a web application, you need to specify the redirect URIs. These are endpoints to which Azure AD will return security tokens after authenticating users.
  • Token Configuration: You can also add optional claims to your tokens under the “Token configuration” to include specific user or application information in the tokens.

Authentication and Authorization Flow Examples

For a web application using OAuth 2.0 authorization code flow:

  1. Application redirects the user to Azure AD’s OAuth 2.0 login URL with the Application ID and Redirect URI as parameters.
  2. User signs in and consents to required permissions.
  3. Azure AD redirects back to the application with an authorization code.
  4. Application exchanges the authorization code for an access token.

For a daemon or server-side application using client credentials flow:

  1. Application uses the Application (client) ID and client secret/certificate to request an access token from Azure AD’s token endpoint.
  2. Azure AD validates the credentials and returns an access token.
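The messages a registered web app and a daemon build for the two flows above, against the v2.0 endpoint, as an added example that is not part of the original notes. It runs offline (it builds and checks the requests instead of sending them); the tenant ID, client ID, secret and redirect URI are constructed placeholders.

```python
"""Added example (not from the original notes): request shapes for the authorization
code flow (with PKCE and a state check) and the client credentials flow. Offline only;
tenant ID, client ID, secret and redirect URI below are constructed placeholders."""
import base64
import hashlib
from urllib.parse import parse_qs, urlencode, urlparse

TENANT_ID = "00000000-0000-0000-0000-000000000000"    # placeholder tenant
CLIENT_ID = "11111111-1111-1111-1111-111111111111"    # placeholder Application (client) ID
REDIRECT_URI = "https://app.example.com/signin-oidc"  # must match the registered URI exactly
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0"

def pkce_challenge(verifier):
    """S256 PKCE challenge: base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorize_url(scopes, state, verifier):
    """Step 1: redirect the browser to Azure AD with client ID and redirect URI as parameters."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,                              # tied to the user's session, checked in step 3
        "code_challenge": pkce_challenge(verifier),  # only the holder of the verifier can redeem the code
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/authorize?{urlencode(params)}"

def parse_redirect(callback_url, expected_state):
    """Step 3: extract the code, accepting the callback only if the state matches."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]

def auth_code_token_request(code, verifier, client_secret):
    """Step 4: form body POSTed to AUTHORITY/token; redirect_uri must repeat the step 1 value."""
    return {"client_id": CLIENT_ID, "client_secret": client_secret, "grant_type": "authorization_code",
            "code": code, "redirect_uri": REDIRECT_URI, "code_verifier": verifier}

def client_credentials_token_request(client_secret):
    """Daemon flow: app-only token from AUTHORITY/token using the app's own credential, no user."""
    return {"client_id": CLIENT_ID, "client_secret": client_secret, "grant_type": "client_credentials",
            "scope": "https://graph.microsoft.com/.default"}  # the application permissions an admin consented to
```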

Consent Framework

The Azure AD consent framework helps users and administrators control what data applications have access to.

  • User Consent: For apps that require user sign-in, a consent prompt lets users approve the requested access themselves.
  • Admin Consent: For applications that require access to data but do not require a signed-in user, or for high-privilege permissions, only admins can grant access.

Endpoints

There are two endpoint types that Azure AD utilizes:

  • v1.0 endpoint: Supports only Azure AD work and school accounts.
  • v2.0 endpoint: Supports work and school accounts, as well as personal Microsoft accounts (such as Outlook and Xbox).

Registered applications send their authentication and token requests to one of these endpoints.

Conclusion

Registering applications in Azure Active Directory enables organizations to manage and secure access to their digital estate. By carefully configuring application registration, permissions, and consent, organizations facilitate a controlled environment that both protects sensitive information and allows users to engage with the applications they need. Whether it’s for internal purposes or serving external clients, Azure AD application registration is the foundation upon which modern authentication and authorization practices are built.

Practice Test with Explanation

To register an application in Azure AD, you need to be assigned the Global Administrator role.

  • True
  • False

Answer: False

Explanation: Users don’t need to be a Global Administrator to register an application in Azure AD. A user with a role such as Application Administrator or Cloud Application Administrator, or a user with the right delegated permissions, can register applications.

What type of application should you register in Azure AD if you need to authenticate users for a background service or daemon without user interaction?

  • Web application
  • Public client (native) application
  • Resource owner password
  • Single-page application

Answer: Public client (native) application

Explanation: Public client applications are used when you need to authenticate without interactive user login, which is typical for background services and daemons.

Microsoft 365 applications can be registered in Azure AD only through the Azure portal.

  • True
  • False

Answer: False

Explanation: Applications can be registered in Azure AD through multiple platforms, including the Azure portal, PowerShell, and the Microsoft Graph API.

Which of the following are required to register an application in Azure AD? (Select two)

  • Application ID URI
  • Name
  • Redirect URI
  • Subscription ID

Answer: Name, Redirect URI

Explanation: When registering an application in Azure AD, you need to give it a Name and at least one Redirect URI to handle login responses.

The Application ID in Azure AD is globally unique.

  • True
  • False

Answer: True

Explanation: The Application ID, also known as the Client ID, is a globally unique identifier assigned by Azure AD.

The OAuth 2.0 authorization code grant flow is suitable for single-page applications.

  • True
  • False

Answer: False

Explanation: The Authorization Code Flow with PKCE (Proof Key for Code Exchange) is recommended for single-page applications, not the standard authorization code grant flow, which does not cater to the security requirements of SPAs.

When configuring permissions for an Azure AD application, what is the difference between delegated permissions and application permissions?

  • Delegated permissions require user sign-in, application permissions do not
  • Application permissions require admin consent, delegated permissions do not
  • Delegated permissions allow the app to act as itself, application permissions allow the app to act on behalf of a user
  • No difference, they are interchangeable

Answer: Delegated permissions require user sign-in, application permissions do not

Explanation: Delegated permissions are used when an app acts on behalf of a user, whereas application permissions are used by apps that run without a signed-in user present (e.g., background services).

In Azure AD, a client secret is required for all application registrations.

  • True
  • False

Answer: False

Explanation: A client secret is not required for all application registrations. For instance, native or mobile applications do not typically use client secrets, because a secret cannot be stored securely within the app.

Who can grant consent for delegated permissions in Azure AD?

  • Only the Global Administrator
  • Any Azure AD user
  • Any user with administrative rights
  • It depends on the permissions requested and the Azure AD settings

Answer: It depends on the permissions requested and the Azure AD settings

Explanation: Granting consent for delegated permissions depends on the type of permissions requested and the tenant’s settings. Some permissions require admin consent, while others can be consented to by individual users.

Azure AD Application Proxy can be used to securely publish on-premises applications for remote access.

  • True
  • False

Answer: True

Explanation: Azure AD Application Proxy is a feature that allows organizations to securely publish their on-premises applications for remote access through Azure AD.

Conditional access policies applied to an Azure AD registered application are enforced only when accessing the application from outside the corporate network.

  • True
  • False

Answer: False

Explanation: Conditional access policies can be configured to apply to users and scenarios both inside and outside the corporate network based on the conditions set by the IT administrator.

Scope-based access control in Azure AD allows you to define permissions that are specific to the resources that an application needs to access.

  • True
  • False

Answer: True

Explanation: Scope-based access control is used in OAuth 2.0 to specify the exact permissions that an application may acquire on behalf of a user or as a service. It helps to limit permissions to only what is necessary for the application’s function.

Interview Questions

What is Azure AD App registration?

Azure AD App registration is the process of creating an application in Azure Active Directory (AD) to enable users to authenticate with the application and access its resources.

What is the first step to register an app in Azure AD?

The first step to register an app in Azure AD is to create a new app registration in the Azure portal.

What is the purpose of an app registration in Azure AD?

The purpose of an app registration in Azure AD is to create an identity for your application and to provide a way for users to authenticate with the application.

What is the significance of adding redirect URIs while registering an app in Azure AD?

Adding redirect URIs during app registration is significant because they are the endpoints to which Azure AD will send the authorization code or access token after a successful user authentication.

What are the different authentication types that an app registration supports in Azure AD?

The different authentication types that an app registration supports in Azure AD are web app/API, native, and single-page application.

What is the difference between a client secret and a certificate in Azure AD app registration?

A client secret is a simple string that the application shares with Azure AD for authentication, while a certificate is a digital document that serves as an application’s credentials.

What is the App ID URI in Azure AD app registration?

The App ID URI is the unique identifier for an application in Azure AD. It identifies the resources that an application needs to access.

What is a tenant in Azure AD app registration?

A tenant is a dedicated instance of the Azure AD directory service for an organization or enterprise. It is also the security and administrative boundary for all objects within it, including users, groups, and applications.

Can we edit an Azure AD app registration after creating it?

Yes, we can edit an Azure AD app registration after creating it by going to the Azure portal and making the necessary changes to the app registration.

How do we delete an Azure AD app registration?

We can delete an Azure AD app registration by going to the app registration’s overview page and clicking on the “Delete” button.

How do we authenticate with an Azure AD app after registering it?

To authenticate with an Azure AD app after registering it, we need to obtain an access token by authenticating with Azure AD using one of the supported authentication protocols.

What is the “API permissions” section in Azure AD app registration?

The “API permissions” section in Azure AD app registration is where we define the permissions that the application requires to access protected resources.

Can we restrict access to an Azure AD app registration by IP address?

Yes, we can restrict access to an Azure AD app registration by IP address using conditional access policies.

What is the significance of adding owners to an Azure AD app registration?

Adding owners to an Azure AD app registration is significant because they have full control over the app registration, including the ability to manage access to the app and edit its properties.

How do we assign users or groups to an Azure AD app registration?

We can assign users or groups to an Azure AD app registration by going to the app registration’s “API permissions” section, clicking on “Add a permission,” selecting the appropriate permission type, and then selecting the users or groups to assign the permission to.

11 Comments
Misty Curtis
1 year ago

Great blog post on configuring application registration in Azure AD! This was really helpful for my MS-100 exam prep.

Minttu Kujala
1 year ago

Can someone explain the significance of redirect URIs in application registration?

Francisco Marín
1 year ago

Very useful content! Helped me understand the registration process better.

Pamela Arce
1 year ago

What permissions should I set for a single-page application (SPA) registered in Azure AD?

Ayşe Erginsoy
1 year ago

Thanks! This clarified a lot of my doubts about application registration.

Valtteri Lehtola
2 years ago

What’s the difference between application and delegated permissions?

Naziha Theunisse
9 months ago

The blog post really helped me through the application registration setup.

Nadiy Mashkovskiy
2 years ago

I had trouble with granting admin consent. Any advice?
