Tutorial / Cram Notes
There are two types of application objects in Azure AD:
- Azure AD application object: Represents the definition of your application within your directory.
- Service Principal object: Represents an instance of the application within a directory or a tenant.
When you register an application in Azure AD, it creates both an application object and a service principal that facilitates the actual permissions and security requirements.
Registering an Application in Azure AD
- Sign in to the Azure Portal: Navigate to the Azure portal and sign in with your administrative account.
- Navigate to Azure AD: Find and select Azure Active Directory from the left-hand navigation.
- Register the application:
  - Go to the “App registrations” area.
  - Click on “New registration”.
  - Fill in the “Name” of the application.
  - Select the appropriate “Supported account types”.
  - Optionally, enter a “Redirect URI” if your application is a web app/API that needs a return URL after authentication.
- Get Application (client) ID: After registration, the Azure portal will provide an Application (client) ID. It uniquely identifies your application in the Microsoft identity platform.
- Generate a Secret or a Certificate: Under “Certificates & secrets”, you can generate a client secret or upload a certificate which will be used to authenticate the app with Azure AD.
Configuring Application Permissions
- API Permissions:
  - Inside the application registration, go to “API permissions”.
  - Click “Add a permission” to select Microsoft APIs (like Microsoft Graph), or APIs from your own organization.
  - Determine the type of permissions your application needs: delegated (on behalf of a user) or application (without a signed-in user).
- Granting Admin Consent:
  - Some permissions require an admin to grant consent for all users in the tenant.
  - Click “Grant admin consent for [Tenant Name]” to provide this consent.
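The portal steps above (register the app, pick the supported account types, add a redirect URI, create a secret, declare API permissions) have Microsoft Graph equivalents, and scripting them makes the security-relevant checks explicit. The following is an added example, not code from these notes or from Microsoft: it builds the `POST /applications` body, creates the service principal, adds a client secret with a bounded lifetime, and refuses redirect URIs that are not exact https endpoints. The Graph property names and the Microsoft Graph appId are real; the permission id, the transport function `send`, and every identifier the recording transport returns are placeholders or assumptions.

```python
"""Graph API equivalents of the portal registration steps, kept offline:
`send(method, url, body)` is the caller's authenticated HTTP transport and
must return the parsed JSON response."""
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

GRAPH = "https://graph.microsoft.com/v1.0"
# Well-known appId of Microsoft Graph itself; identical in every tenant.
MICROSOFT_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Portal "Supported account types" choice -> Graph signInAudience value.
SIGN_IN_AUDIENCE = {
    "single-tenant": "AzureADMyOrg",
    "multi-tenant": "AzureADMultipleOrgs",
    "multi-tenant+personal": "AzureADandPersonalMicrosoftAccount",
}


def redirect_uri_problem(uri):
    """Return None if the redirect URI is acceptable, else a reason string.
    Plaintext or loosely matched redirect targets would let an authorization
    code or token be delivered somewhere other than the intended app."""
    p = urlparse(uri)
    loopback = p.scheme == "http" and p.hostname in ("localhost", "127.0.0.1")
    if p.scheme != "https" and not loopback:
        return "redirect URI must use https (http only for localhost)"
    if "*" in uri or p.fragment:
        return "redirect URI must be exact, without wildcards or fragments"
    return None


def build_application(name, account_type, redirect_uris=(), permissions=None):
    """Assemble the POST /applications body. `permissions` maps a resource
    appId to a list of (permissionId, "Scope" | "Role"): Scope is a delegated
    permission, Role an application permission, mirroring the portal choice."""
    for uri in redirect_uris:
        problem = redirect_uri_problem(uri)
        if problem:
            raise ValueError(f"{problem}: {uri}")
    body = {
        "displayName": name,
        "signInAudience": SIGN_IN_AUDIENCE[account_type],
        "requiredResourceAccess": [
            {"resourceAppId": app_id,
             "resourceAccess": [{"id": pid, "type": ptype} for pid, ptype in grants]}
            for app_id, grants in (permissions or {}).items()
        ],
    }
    if redirect_uris:
        body["web"] = {"redirectUris": list(redirect_uris)}
    return body


def register(send, name, account_type, redirect_uris=(), permissions=None,
             secret_lifetime_days=90):
    """Create the application object, its service principal and a secret."""
    app = send("POST", f"{GRAPH}/applications",
               build_application(name, account_type, redirect_uris, permissions))
    # The service principal is the object that holds the tenant's permission grants.
    sp = send("POST", f"{GRAPH}/servicePrincipals", {"appId": app["appId"]})
    # Bound the secret's lifetime; rotate it rather than issuing long-lived secrets.
    expires = datetime.now(timezone.utc) + timedelta(days=secret_lifetime_days)
    cred = send("POST", f"{GRAPH}/applications/{app['id']}/addPassword",
                {"passwordCredential": {"displayName": "initial",
                                        "endDateTime": expires.isoformat()}})
    return {"client_id": app["appId"], "object_id": app["id"],
            "service_principal_id": sp["id"], "secret_expires": cred["endDateTime"]}


def recording_transport(log):
    """Offline stand-in for `send`: records each call and returns constructed
    placeholder identifiers in place of the ones Graph would generate."""
    def send(method, url, body):
        log.append((method, url, body))
        if url.endswith("/applications"):
            return {"id": "OBJECT-ID-PLACEHOLDER", "appId": "CLIENT-ID-PLACEHOLDER"}
        if url.endswith("/servicePrincipals"):
            return {"id": "SP-ID-PLACEHOLDER"}
        return {"endDateTime": body["passwordCredential"]["endDateTime"]}
    return send


if __name__ == "__main__":
    calls = []
    result = register(
        recording_transport(calls), "inventory-web", "single-tenant",
        redirect_uris=["https://inventory.example.com/signin-oidc"],
        # Placeholder: look up the real permission id in the resource's service
        # principal (oauth2PermissionScopes for Scope, appRoles for Role).
        permissions={MICROSOFT_GRAPH_APP_ID: [("USER-READ-SCOPE-ID-PLACEHOLDER", "Scope")]})
    for method, url, body in calls:
        print(method, url, json.dumps(body, indent=2))
    print(result)
```

Granting admin consent is a separate step (the portal button, or the corresponding Graph grant objects) and is deliberately not automated here; declaring a permission in `requiredResourceAccess` only records what the app will ask for.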
Redirect URIs and Token Configuration
- Redirect URIs: If your app is a web application, you need to specify the redirect URIs. These are endpoints to which Azure AD will return security tokens after authenticating users.
- Token Configuration: You can also add optional claims to your tokens under the “Token configuration” to include specific user or application information in the tokens.
Authentication and Authorization Flow Examples
For a web application using OAuth 2.0 authorization code flow:
- Application redirects the user to Azure AD’s OAuth 2.0 login URL with the Application ID and Redirect URI as parameters.
- User signs in and consents to required permissions.
- Azure AD redirects back to the application with an authorization code.
- Application exchanges the authorization code for an access token.
For a daemon or server-side application using client credentials flow:
- Application uses the Application (client) ID and client secret/certificate to request an access token from Azure AD’s token endpoint.
- Azure AD validates the credentials and returns an access token.
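Both flows above can be written out as the concrete requests sent to the v2.0 endpoints. The following is an added example, not code from these notes or from Microsoft's libraries: it carries the authorization code flow through its four steps with a `state` value and PKCE (the S256 challenge from RFC 7636), then builds the client credentials request using the v2.0 `/.default` scope form. The endpoint URLs and parameter names are the real v2.0 ones; the tenant, client id, secret, and the fake token endpoint are constructed placeholders, and no network call is made.

```python
"""Authorization code flow (with state + PKCE) and client credentials flow
against the v2.0 endpoints, expressed as request construction only."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"


def endpoints(tenant):
    base = f"{AUTHORITY}/{tenant}/oauth2/v2.0"
    return {"authorize": base + "/authorize", "token": base + "/token"}


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier):
    """S256 code_challenge per RFC 7636: BASE64URL(SHA256(verifier))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def state_matches(expected, callback_url):
    """The state echoed back must equal the one this session issued; otherwise
    the code may belong to a different login (CSRF or mix-up)."""
    q = parse_qs(urlparse(callback_url).query)
    return bool(expected) and q.get("state", [None])[0] == expected


class AuthCodeFlow:
    def __init__(self, tenant, client_id, redirect_uri, scopes):
        self.ep = endpoints(tenant)
        self.client_id, self.redirect_uri = client_id, redirect_uri
        self.scope = " ".join(scopes)
        self.state = self.verifier = None

    def login_url(self):
        """Step 1: redirect the user here. state and verifier are per-session secrets."""
        self.state = _b64url(secrets.token_bytes(24))
        self.verifier = _b64url(secrets.token_bytes(32))  # 43 chars, within PKCE limits
        params = {
            "client_id": self.client_id, "response_type": "code",
            "redirect_uri": self.redirect_uri, "scope": self.scope,
            "state": self.state, "response_mode": "query",
            "code_challenge": pkce_challenge(self.verifier), "code_challenge_method": "S256",
        }
        return self.ep["authorize"] + "?" + urlencode(params)

    def handle_callback(self, callback_url):
        """Step 3: extract the authorization code, rejecting errors and state mismatches."""
        if not state_matches(self.state, callback_url):
            raise ValueError("state mismatch: discard this callback")
        q = parse_qs(urlparse(callback_url).query)
        if "error" in q:
            raise ValueError(f"authorization failed: {q['error'][0]}")
        return q["code"][0]

    def token_request(self, code, client_secret):
        """Step 4: the form body POSTed to the token endpoint to redeem the code."""
        return self.ep["token"], {
            "client_id": self.client_id, "grant_type": "authorization_code",
            "code": code, "redirect_uri": self.redirect_uri, "scope": self.scope,
            "code_verifier": self.verifier, "client_secret": client_secret,
        }


def client_credentials_request(tenant, client_id, client_secret,
                               resource="https://graph.microsoft.com"):
    """Daemon flow: no user, so the scope is the resource's /.default set,
    which resolves to the application permissions an admin has consented to."""
    return endpoints(tenant)["token"], {
        "client_id": client_id, "grant_type": "client_credentials",
        "scope": f"{resource}/.default", "client_secret": client_secret,
    }


def fake_token_endpoint(form):
    """Constructed stand-in for Azure AD's token endpoint, used only offline."""
    if form["grant_type"] == "authorization_code" and not form.get("code_verifier"):
        return {"error": "invalid_grant"}
    return {"token_type": "Bearer", "expires_in": 3599, "access_token": "ACCESS-TOKEN-PLACEHOLDER"}


if __name__ == "__main__":
    flow = AuthCodeFlow("TENANT-ID-PLACEHOLDER", "CLIENT-ID-PLACEHOLDER",
                        "https://app.example.com/signin-oidc", ["openid", "User.Read"])
    print("step 1:", flow.login_url())
    code = flow.handle_callback(f"https://app.example.com/signin-oidc?code=CODE&state={flow.state}")
    url, form = flow.token_request(code, "SECRET-PLACEHOLDER")
    print("step 4:", url, fake_token_endpoint(form))
    url, form = client_credentials_request("TENANT-ID-PLACEHOLDER", "CLIENT-ID-PLACEHOLDER", "SECRET-PLACEHOLDER")
    print("daemon:", url, form["scope"], fake_token_endpoint(form))
```

A real web app keeps `state` and `verifier` in the user's server-side session between step 1 and step 3; in a single-page application the same flow runs without the `client_secret` field, relying on PKCE alone.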
Consent Framework
The Azure AD consent framework helps users and administrators control what data applications have access to.
- User Consent: For apps that require user sign-in, a prompted consent dialog allows users to approve access.
- Admin Consent: For applications that require access to data but do not require a signed-in user, or for high-privilege permissions, only admins can grant access.
Endpoints
There are two endpoint types that Azure AD utilizes:
- v1.0 endpoint: Supports only Azure AD work and school accounts.
- v2.0 endpoint: Supports work and school accounts, as well as personal Microsoft accounts (such as Outlook and Xbox).
Registered applications can use endpoints to generate authentication and token requests.
Conclusion
Registering applications in Azure Active Directory enables organizations to manage and secure access to their digital estate. By carefully configuring application registration, permissions, and consent, organizations facilitate a controlled environment that both protects sensitive information and allows users to engage with the applications they need. Whether it’s for internal purposes or serving external clients, Azure AD application registration is the foundation upon which modern authentication and authorization practices are built.
Practice Test with Explanation
To register an application in Azure AD, you need to be assigned the Global Administrator role.
- True
- False
Answer: False
Explanation: Users don’t need to be a Global Administrator to register an application in Azure AD. A user with sufficient permissions like Application Administrator or Cloud Application Administrator, or a user with the right delegated permissions can register applications.
What type of application should you register in Azure AD if you need to authenticate users for a background service or daemon without user interaction?
- Web application
- Public client (native) application
- Resource owner password
- Single-page application
Answer: Public client (native) application
Explanation: Public client applications are used when you need to authenticate without interactive user login, which is typical for background services and daemons.
Microsoft 365 applications can be registered in Azure AD only through the Azure portal.
- True
- False
Answer: False
Explanation: Applications can be registered in Azure AD through multiple platforms, including the Azure portal, PowerShell, and the Microsoft Graph API.
Which of the following are required to register an application in Azure AD? (Select two)
- Application ID URI
- Name
- Redirect URI
- Subscription ID
Answer: Name, Redirect URI
Explanation: When registering an application in Azure AD, you need to give it a Name and at least one Redirect URI to handle login responses.
The Application ID in Azure AD is globally unique.
- True
- False
Answer: True
Explanation: The Application ID, also known as the Client ID, is a globally unique identifier assigned by Azure AD.
The OAuth 2.0 authorization code grant flow is suitable for single-page applications.
- True
- False
Answer: False
Explanation: The Authorization Code Flow with PKCE (Proof Key for Code Exchange) is recommended for single-page applications, not the standard authorization code grant flow, which does not cater to the security requirements of SPAs.
When configuring permissions for an Azure AD application, what is the difference between delegated permissions and application permissions?
- Delegated permissions require user sign-in, application permissions do not
- Application permissions require admin consent, delegated permissions do not
- Delegated permissions allow the app to act as itself, application permissions allow the app to act on behalf of a user
- No difference, they are interchangeable
Answer: Delegated permissions require user sign-in, application permissions do not
Explanation: Delegated permissions are used when an app acts on behalf of a user, whereas application permissions are used by apps that run without a signed-in user present (e.g., background services).
In Azure AD, a client secret is required for all application registrations.
- True
- False
Answer: False
Explanation: A client secret is not required for all application registrations. For instance, native or mobile applications do not typically use client secrets, because a secret cannot be stored securely within such an app.
Who can grant consent for delegated permissions in Azure AD?
- Only the Global Administrator
- Any Azure AD user
- Any user with administrative rights
- It depends on the permissions requested and the Azure AD settings
Answer: It depends on the permissions requested and the Azure AD settings
Explanation: Granting consent for delegated permissions depends on the type of permissions requested and the tenant’s settings. Some permissions require admin consent, while others can be consented to by individual users.
Azure AD Application Proxy can be used to securely publish on-premises applications for remote access.
- True
- False
Answer: True
Explanation: Azure AD Application Proxy is a feature that allows organizations to securely publish their on-premises applications for remote access through Azure AD.
Conditional access policies applied to an Azure AD registered application are enforced only when accessing the application from outside the corporate network.
- True
- False
Answer: False
Explanation: Conditional access policies can be configured to apply to users and scenarios both inside and outside the corporate network based on the conditions set by the IT administrator.
Scope-based access control in Azure AD allows you to define permissions that are specific to the resources that an application needs to access.
- True
- False
Answer: True
Explanation: Scope-based access control is used in OAuth 2.0 to specify the exact permissions that an application may acquire on behalf of a user or as a service. It helps to limit permissions to only what is necessary for the application’s function.
Interview Questions
What is Azure AD App registration?
Azure AD App registration is the process of creating an application in Azure Active Directory (AD) to enable users to authenticate with the application and access its resources.
What is the first step to register an app in Azure AD?
The first step to register an app in Azure AD is to create a new app registration in the Azure portal.
What is the purpose of an app registration in Azure AD?
The purpose of an app registration in Azure AD is to create an identity for your application and to provide a way for users to authenticate with the application.
What is the significance of adding redirect URIs while registering an app in Azure AD?
Adding redirect URIs during app registration is significant because they are the endpoints to which Azure AD will send the authorization code or access token after a successful user authentication.
What are the different authentication types that an app registration supports in Azure AD?
The different authentication types that an app registration supports in Azure AD are web app/API, native, and single-page application.
What is the difference between a client secret and a certificate in Azure AD app registration?
A client secret is a simple string that the application shares with Azure AD for authentication, while a certificate is a digital document that serves as an application’s credentials.
What is the App ID URI in Azure AD app registration?
The App ID URI is the unique identifier for an application in Azure AD. It identifies the resources that an application needs to access.
What is a tenant in Azure AD app registration?
A tenant is a dedicated instance of the Azure AD directory service for an organization or enterprise. It is also the security and administrative boundary for all objects within it, including users, groups, and applications.
Can we edit an Azure AD app registration after creating it?
Yes, we can edit an Azure AD app registration after creating it by going to the Azure portal and making the necessary changes to the app registration.
How do we delete an Azure AD app registration?
We can delete an Azure AD app registration by going to the app registration’s overview page and clicking on the “Delete” button.
How do we authenticate with an Azure AD app after registering it?
To authenticate with an Azure AD app after registering it, we need to obtain an access token by authenticating with Azure AD using one of the supported authentication protocols.
What is the “API permissions” section in Azure AD app registration?
The “API permissions” section in Azure AD app registration is where we define the permissions that the application requires to access protected resources.
Can we restrict access to an Azure AD app registration by IP address?
Yes, we can restrict access to an Azure AD app registration by IP address using conditional access policies.
What is the significance of adding owners to an Azure AD app registration?
Adding owners to an Azure AD app registration is significant because they have full control over the app registration, including the ability to manage access to the app and edit its properties.
How do we assign users or groups to an Azure AD app registration?
We can assign users or groups to an Azure AD app registration by going to the app registration’s “API permissions” section, clicking on “Add a permission,” selecting the appropriate permission type, and then selecting the users or groups to assign the permission to.
Great blog post on configuring application registration in Azure AD! This was really helpful for my MS-100 exam prep.
Can someone explain the significance of redirect URIs in application registration?
Very useful content! Helped me understand the registration process better.
What permissions should I set for a single-page application (SPA) registered in Azure AD?
Thanks! This clarified a lot of my doubts about application registration.
What’s the difference between application and delegated permissions?
The blog post really helped me through the application registration setup.
I had trouble with granting admin consent. Any advice?