This guide provides a step-by-step tutorial on creating an application in Azure Entra ID and configuring the necessary permissions.
First, sign in to the Azure portal and navigate to Microsoft Entra ID under the Manage section.

In the left sidebar, navigate to App registrations.

The App registrations page lists all existing applications, including those you have created. Click New registration, enter a Name for your application, and complete the registration.

After registering the application, you will be redirected to the application overview page, where you can find the Client ID and Tenant ID. Now, navigate to the API permissions section.

The application requires specific permissions to function properly. There are two types of permissions:
- Delegated permissions – Used when the application acts on behalf of a signed-in user (requires user authentication).
- Application permissions – Used when the application runs without user interaction, such as with client-secret authentication (required for scheduled tasks).
Please add both Delegated and Application permissions to ensure full functionality.

| Name | Type | Description |
|---|---|---|
| AuditLog.Read.All | Delegated | Read audit log data |
| AuditLog.Read.All | Application | Read all audit log data |
| AuditLogsQuery-Entra.Read.All | Delegated | Read audit logs data from Entra (Azure AD) workload |
| AuditLogsQuery-Entra.Read.All | Application | Read audit logs data from Entra (Azure AD) workload |
| AuditLogsQuery.Read.All | Delegated | Read audit logs data from all services |
| AuditLogsQuery.Read.All | Application | Read audit logs data from all services |
| Contacts.ReadWrite | Delegated | Have full access to user contacts |
| Contacts.ReadWrite | Application | Have full access to user contacts |
| Directory.AccessAsUser.All | Delegated | Access directory as the signed in user |
| Directory.Read.All | Delegated | Read directory data |
| Directory.Read.All | Application | Read directory data |
| Directory.ReadWrite.All | Delegated | Read and write directory data |
| Directory.ReadWrite.All | Application | Read and write directory data |
| Group.Create | Application | Create groups |
| Group.Read.All | Application | Read all groups |
| Group.Read.All | Delegated | Read all groups |
| Group.ReadWrite.All | Application | Read and write all groups |
| Group.ReadWrite.All | Delegated | Read and write all groups |
| ProfilePhoto.Read.All | Delegated | Read profile photo of a user or group |
| ProfilePhoto.Read.All | Application | Read profile photo of a user or group |
| ProfilePhoto.ReadWrite.All | Delegated | Read and write profile photo of a user or group |
| ProfilePhoto.ReadWrite.All | Application | Read and write profile photo of a user or group |
| User.EnableDisableAccount.All | Delegated | Enable and disable user accounts |
| User.EnableDisableAccount.All | Application | Enable and disable user accounts |
| User.Export.All | Delegated | Export user’s data |
| User.Export.All | Application | Export user’s data |
| User.ManageIdentities.All | Delegated | Manage user identities |
| User.ManageIdentities.All | Application | Manage all users’ identities |
| User.Read | Delegated | Sign in and read user profile |
| User.Read.All | Delegated | Read all users’ full profiles |
| User.Read.All | Application | Read all users’ full profiles |
| User.ReadBasic.All | Delegated | Read all users’ basic profiles |
| User.ReadBasic.All | Application | Read all users’ basic profiles |
| User.ReadWrite | Delegated | Read and write access to user profile |
| User.ReadWrite.All | Delegated | Read and write all users’ full profiles |
| User.ReadWrite.All | Application | Read and write all users’ full profiles |

All the listed permissions are essential for the correct operation of the application. Please ensure that you add each of them in the API permissions section. Click “Add a permission”, then select Microsoft Graph to view all available permissions for Microsoft Graph.
Some permissions require administrator consent for approval. These permissions can be granted by an administrator by clicking the “Grant admin consent” button in the API permissions section.

Now, you can use the created application with Client (Application) ID and Tenant (Directory) ID. However, to complete the setup, you also need to configure a client secret for your application.
- In the left sidebar menu, navigate to Certificates & secrets.
- Click “New client secret” to generate a new secret.

Enter a description for the client secret, select an expiration date, and then click “Add” to generate the secret.

Copy the client secret value and store it securely, as it will no longer be visible after you leave or refresh the page. Make sure to save it immediately after creation.
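The Application-permission flow described above (the app authenticating with its client secret, with no signed-in user) is the OAuth 2.0 client credentials grant. The following script is an added example, not part of the original guide: it builds the token request for the Microsoft identity platform v2.0 endpoint and then inspects the returned access token to confirm that the permissions from the table actually made it into the token. Application permissions that have admin consent appear in the `roles` claim; delegated permissions appear in the space-separated `scp` claim. A permission that is listed under API permissions but never granted admin consent will simply be absent, so this check catches a missed "Grant admin consent" click before the first Graph call fails. The tenant ID, client ID and secret are placeholders, and the offline demonstration uses a constructed, unsigned token; a real token comes only from the token endpoint.

```python
import base64
import json
import urllib.parse
import urllib.request

# Placeholder values (constructed): replace with the Client (Application) ID,
# Tenant (Directory) ID and client secret value from your own app registration.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
CLIENT_SECRET = "<client-secret-value>"

# ".default" requests every Microsoft Graph permission consented to the app.
GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def build_client_credentials_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the client credentials grant (application permissions)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
        "grant_type": "client_credentials",
    }).encode("ascii")
    return url, body


def request_app_token(tenant_id, client_id, client_secret):
    """POST the request and return the access token string (network call)."""
    url, body = build_client_credentials_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def decode_jwt_payload(token):
    """Decode the payload segment of a JWT without verifying the signature.
    This is only for inspecting claims locally; Graph validates the token itself."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_app_roles(token, required):
    """Application permissions (admin-consented) show up in the 'roles' claim."""
    granted = set(decode_jwt_payload(token).get("roles", []))
    return sorted(set(required) - granted)


def missing_delegated_scopes(token, required):
    """Delegated permissions show up as a space-separated string in the 'scp' claim."""
    granted = set(decode_jwt_payload(token).get("scp", "").split())
    return sorted(set(required) - granted)


def make_unsigned_test_token(claims):
    """Constructed, unsigned JWT for offline demonstration only (alg 'none',
    empty signature). Never accept such a token from a caller."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode("ascii")
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


if __name__ == "__main__":
    # Offline demo with a constructed token: two of the table's application
    # permissions were consented, Group.Read.All was not.
    demo = make_unsigned_test_token(
        {"roles": ["AuditLog.Read.All", "Directory.Read.All"]})
    print("missing app roles:",
          missing_app_roles(demo, ["AuditLog.Read.All", "Group.Read.All"]))
    # Live use: token = request_app_token(TENANT_ID, CLIENT_ID, CLIENT_SECRET)
```

Run `missing_app_roles` once against a live token after admin consent; an empty list means every listed application permission is present in the token, while any name it returns is a permission still waiting for consent.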

Configure Redirect URI for Entra ID App Registration.
- Open Azure Portal – Go to https://portal.azure.com and sign in with an admin account.
- Navigate to App Registrations:
– Go to Azure Entra ID;
– In the left menu, click App registrations;
– Click “Owned applications” or “All applications”;
– Select your application (match by Client ID or Name).
- Open the Authentication Blade – In the selected app’s menu, click Authentication.
- Add Redirect URI:
– Under Platform configurations, click “Add a platform”;
– Choose Mobile and desktop applications;
– In the list of recommended redirect URIs, check (or add) “https://login.microsoftonline.com/common/oauth2/nativeclient”.
- Save the Configuration – Click Save at the top of the page.

That’s it – your application is now set up. You can proceed with integrating it into your application and testing its functionality!
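The redirect URI configured above is where the identity platform sends the user's browser, together with the authorization code, after an interactive sign-in. That is the Delegated-permission path from earlier in this guide. The following script is an added example, not part of the original guide: it builds the authorization request for a public client (the "Mobile and desktop applications" platform) with a PKCE code challenge, parses the redirect back to the configured URI while checking the `state` value, and builds the code-exchange body that sends the PKCE verifier instead of a client secret. The tenant and client IDs are placeholders, and the `pkce_challenge` check uses the test vector from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets
import urllib.parse

# Exactly the redirect URI added under "Mobile and desktop applications".
REDIRECT_URI = "https://login.microsoftonline.com/common/oauth2/nativeclient"
AUTHORITY = "https://login.microsoftonline.com"

# Placeholder values (constructed): use the IDs from your own app registration.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"


def new_pkce_verifier():
    """Random code_verifier (86 URL-safe chars, within RFC 7636's 43..128 limit)."""
    return secrets.token_urlsafe(64)


def pkce_challenge(verifier):
    """S256 code_challenge: base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(tenant_id, client_id, scopes, state, verifier):
    """Authorization request for the v2.0 authorize endpoint (delegated permissions)."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,                     # bound to this request, checked on return
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize?" + urllib.parse.urlencode(params)


def parse_redirect(redirected_url, expected_state):
    """Extract the authorization code from the URL the browser landed on.
    Rejects a missing or mismatched state and surfaces an error response."""
    parts = urllib.parse.urlsplit(redirected_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URI:
        raise ValueError("redirect landed on an unexpected URI")
    query = urllib.parse.parse_qs(parts.query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this request")
    if "error" in query:
        raise RuntimeError(query.get("error_description", query["error"])[0])
    return query["code"][0]


def build_code_exchange_body(tenant_id, client_id, code, verifier, scopes):
    """(url, form_body) for exchanging the code; a public client proves possession
    with the PKCE verifier rather than a client secret."""
    url = f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,
        "scope": " ".join(scopes),
    }).encode("ascii")
    return url, body


if __name__ == "__main__":
    verifier = new_pkce_verifier()
    state = secrets.token_urlsafe(16)
    print(build_authorization_url(TENANT_ID, CLIENT_ID,
                                  ["User.Read", "AuditLog.Read.All"], state, verifier))
    # After sign-in, pass the final browser URL to parse_redirect(url, state)
    # and the returned code to build_code_exchange_body(...).
```

Keep `state` and the verifier in the session that started the request: the `state` check is what ties the code in the redirect to the request this client actually sent, and the verifier is what lets the token endpoint confirm the same client is redeeming the code.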
