Active Directory & Office 365 Reporting Tool

How to Create Azure AD Application Registration (Step by Step). Are you looking to use Azure Active Directory for your app’s authentication and authorization? Well, then create a registration for the application in Azure AD.

Registering an application in Azure AD utilizes Azure AD’s robust and enterprise grade authorization to enable Single Sign-on for Azure users. By using Azure AD’s authorization, you ensure that your application is secure and only accessible to authorized users.

Moreover, with Single Sign on, you make it easier and more convenient for your users to access your application.

This guide shows you 3 methods for registering an application in Azure Active Directory. We cover how to do this using the Azure Portal, Windows PowerShell, and Azure AD CLI.

Let’s dive in!

How to Create Azure AD Application Registration from Azure Portal

This section shows how to register an application in the Azure Active Directory Portal. Specifically, I register a WordPress site.

Once I finish, my Azure AD users sign into the WordPress website using their Azure Active Directory account.

Register the Application on Azure AD Portal

1. Sign in to portal.azure.com with an Azure account with the right permission to register applications. 
2. Then, on the Azure Portal homepage, search “azure active directory” and open it. 

3. Next, on the menu options at the left pane of the page (Manage section), click App registration.

4. On the top left of the App Registration page, click + New registration. Clicking that opens the Register an application page.  

5. Enter the name of the application. Then, select the “Supported account types,” and specify a “Redirect URI.”

When registering your application, it’s important to use a name that’s easy to identify. For my example, I have used “WordPress Site – wp.blogsandbox.co.uk”

Now, regarding the “Supported account types,” you have 4 options. Option 1 – “Accounts in this organizational directory only” -for members of your Azure tenant to be able to sign in to the application.

On the other hand, if you want to allow users from other Microsoft Azure AD tenants to sign in, go for option 2 – “Accounts in any organizational directory.”

As for the “Redirect URI,” select the type of application from the drop-down. Then,  specify the URL for Azure AD to redirect users after authenticating them.

This step is crucial to ensure a seamless user experience. In my application, I selected “Web” and am specifying “https://wp.blogsandbox.co.uk/wp-admin/” as the “Redirect URI.”

6. Next, click Register.

Once you’ve registered your application, Azure AD displays the application and additional actions you can take. Do not click any link on the page. 

In the following sub-section, you configure the necessary permissions for your application.

Configure Permissions for the Application on Azure Active Directory Portal

Configuring the permissions is crucial for controlling what resources the application accesses and what actions it performs. 

1. To edit the application, click its name. 

2. Next, on the left pane of the application page, click the API permissions. Then, click the + Add a permission button – see 2 screenshot below. 

The “Request API permissions” screen opens in a flyout. 

3. On the “Request API permissions” flyout, select Microsoft API that grants access to your application. For my WordPress site registration example, I choose Microsoft Graph in the list of Commonly used Microsoft APIs category.

4. On the next flyout, select Delegated permissions. Then, set the permissions you require on the list of available permissions that follows. 

For my website app registration, I check email, offline_access, openid, and profile

When you finish selecting the permission you require Azure AD to grant the application, click Add permission.

5. For my specific app registration requirement, I want to avoid users having to consent separately, I consent on their behalf by clicking Grant admin consent for…

Next, respond Yes on the confirmation pop-up. 

Try our Active Directory & Office 365 Reporting & Auditing Tools

Try us out for Free.  100’s of report templates available. Easily customise your own reports on AD, Azure AD & Office 355.

Configure App Authentication and Secret on Azure AD Portal

Depending on the type of application you’re creating on Azure AD, you may need to allow the application to request tokens directly from the endpoint. Furthermore, you need to create an app secret. 

1. On the app menu, click Authentication. Then, scroll down to the “Implicit grant and hybrid flows” section and check the following checkboxes: Access tokens (used for implicit flows), and ID tokens (used for implicit and hybrid flows)

Click the Save

2. Finally, create an app secret by navigating to Certificates and secrets, then, clicking the + New client secret button.

5. On the “Add a client secret” flyout, add a suitable description for the client secret; then, click the Expires drop-down to select how long the client secret should be valid. 

When you finish, click the Add button. 

After creating the secret for the app, you must copy it, as it only shows once on this screen. 

So, you must copy your app’s client secret ID immediately. To copy the secret ID, click the copy icon next to Value of the client’s secret ID (highlighted in the screenshot below). 

For your app to communicate with Azure AD, you need the Application ID, Application secret, and Directory ID. You already have the Application secret.

To get the Application and Directory IDs, navigate to the app’s Overview menu. Then, enter your application’s Azure AD Application ID, secret, and Directory (tenant) ID

After you have finished creating your application to Azure AD, make sure to test it to ensure it works. On the logon page, you should see a “Sign in with Microsoft” button displayed.

How to Create Azure AD Application Registration Using Windows PowerShell

Registering an application in Azure AD using Windows PowerShell requires 4 steps.

Firstly, install the AzureAD PowerShell module if you haven’t already done so.

Then, sign in to your Azure tenant and create the application. This involves providing basic information about the application, such as its name and the redirect URI.

Following, the next step is to grant it the necessary permissions. This determines what actions the application performs within your Azure tenant.

Finally, configure the application’s authentication settings and secret keys to ensure that it securely authenticates users via Azure Active Directory.

Sign in to Azure AD and Create the Application Using PowerShell

You need your Azure tenant login email, password and the name and Redirect URI of the application you want to register, to complete the steps in this subsection.

1. Follow the steps in our article – How to Connect to Azure AD using PowerShell to install the AzureAD module and connect to your Azure tenant. 
2. Once connected, create your new application using the New-AzureADApplication command.

Replace “WordPress Site (via PowerShell)” with your new application’s name, and “https://wp.blogsandbox.co.uk/wp-admin/” with your app’s Redirect URI.

					New-AzureADApplication -DisplayName "WordPress Site (via PowerShell)" -ReplyUrls "https://wp.blogsandbox.co.uk/wp-admin/"

If the command successfully creates the new Azure AD application, it displays some info about it. Copy ObjectId and AppId as you require them later in this guide. 

Configure Permissions for the Application Using PowerShell

To continue with the process, we need to grant the necessary API permissions to the application. For demonstration purposes, I have registered a WordPress site as my Azure AD application, and now I show you how to grant the app required API permissions.

So, I use Microsoft Graph API to delegate email, offline_access, openid, and profile permissions to my applications. You must determine the Microsoft Graph API permissions you want to delegate to your Azure AD application. 

Run the commands below in PowerShell ISE

1. Get the Service Principal for the Microsoft Graph API and save the result in the $MSGraph variable. 

					$MSGraph = Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -eq "Microsoft Graph" }

2. Next, get the GUIDs of Microsoft Graph API delegated permissions you want to grant your application. Replace email, offline_access, openid, and profile with the names of the Microsoft Graph API permissions. 

					$MSGraph.Oauth2Permissions | where-object {($_.Value -eq "email") -or ($_.Value -eq "offline_access") -or ($_.Value -eq "openid") -or ($_.Value -eq "profile")} | Format-Table ID, Value

Note the Ids returned by the above command – these are the GUIDs of the GUIDs of Microsoft Graph API. 

3. Get the object ID of the Azure Active Directory application for which you want to grant API permission by running the following PowerShell command:

Replace “WordPress Site (via PowerShell)” with the name of the app you created. 

					$app = Get-AzureADApplication -Filter "displayName eq 'WordPress Site (via PowerShell)'"
$appId = $app.ObjectId

4. Create a Resource Access resource object and assign the service principal’s App ID to it.

					$Graph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$Graph.ResourceAppId = $MSGraph.AppId

5. Create a set of delegated permissions using the IDs returned by the command in step 2. 

					$profile_perm = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "14dad69e-099b-42c9-810b-d002981feec1","Scope"
$offline_access_perm = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "7427e0e9-2fba-42fe-b0c0-848c9e6a8182","Scope"
$openid_perm = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "37f7f235-527c-4136-accd-4a02d197296e","Scope"
$email_perm = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0","Scope"
$Graph.ResourceAccess = $profile_perm, $offline_access_perm, $openid_perm, $email_perm

6. Finally, assign the API permission to your application by setting the above resource access object to your application ObjectId. Including the parameter, Oauth2AllowImplicitFlow and specifying $true configures the application to request OAuth2.0 implicit flow tokens. 

This checks the “Access tokens” checkbox in the application’s Authentication setting. See the screenshot below. 

					Set-AzureADApplication -ObjectId $appId -RequiredResourceAccess $Graph -Oauth2AllowImplicitFlow $true

Configure Azure AD Application Secret Using PowerShell

The final step is to set the app’s secret. 

1. Set the app’s secret key start and end dates – used to determine the secret key’s expiry

					$startDate = Get-Date
$endDate = $startDate.AddDays(180)

2. Add a client’s secret to the Azure AD app. The command adds the secret key and displays its details. Copy the Value.

					New-AzureADApplicationPasswordCredential -ObjectId $appId -CustomKeyIdentifier "WordPress Site 2 secret" -StartDate $startDate -EndDate $endDate

Finally, you require the Azure AD app’s details to allow your app to communicate with the app—specifically, Application ID, Application secret, and Directory ID. You already have the Application secret from the command in step 2 above. 

To display the app’s ID, and Directory (Azure Tenant ID), run the commands below:

					Get-AzureADApplication -ObjectId $appId | Select-Object appid

Enter the Azure AD app details into your app and test. 

How to Create Azure AD Application Registration Using Azure AD CLI

Also use the Azure AD CLI command line to register and configure applications in Azure Active Directory. In the first sub-section below, we start by registering an application with Azure AD CLI. 

Register an Azure AD Application with Azure AD CLI

1. Install the Azure AD CLI if you haven’t already. Then, to sign in to your Azure AD tenant, open Command Prompt as admin and run this command:

					az login

The command opens the Azure AD sign in page via your default browser. Enter your email address and password to sign in as usual. 

After receiving a sign-in confirmation on your browser, return to the command prompt to continue. Your command prompt displays information about your Azure tenant. 

2. Create a new Azure AD application by running this command. Change the display name of the app to your preferred name. 

					az ad app create --display-name "WordPress Site (Azure CLI)" 

3. Define the necessary variables you need to configure the app. 

					appregname="WordPress Site (Azure CLI)"

After registering the application with the above command, assign the application API permissions and create a client secret key using the steps in this Microsoft guide – Register a client application using CLI and REST API

How to Create Azure AD Application Registration (Step by Step) Conclusion

In conclusion, creating an Azure AD application registration is accomplished using several methods, each with its own benefits and limitations. The 1 one we covered involves using the Azure portal, which provides a user-friendly interface for creating and managing Azure Active Directory applications.

The 2 involves using Windows PowerShell, a powerful scripting tool allowing greater flexibility and automation in application registration. Finally, the Azure AD CLI provides a command-line interface for managing Azure AD resources, including application registration.

Regardless of the method used, it is essential to carefully consider the permissions and access levels given to the application registration, as this determines the application’s capabilities within your organization’s Azure tenant. Finally, creating Azure AD application registration is a straightforward process that enhances your organization’s security and productivity.


Try InfraSOS for FREE

Invite your team and explore InfraSOS features for free

Victor Ashiedu

Victor Ashiedu

Victor is an IT pro based in Manchester, UK. With over 22 years of experience managing Windows Server, Active Directory, and Powershell, and 7 years of expertise in Azure AD and Office 365, he's a seasoned expert in his field. When he's not working, he loves spending time with his family - a wife and a 5-year-old. Victor is passionate about helping businesses succeed in today's fast-changing tech landscape.

Leave a comment

Your email address will not be published. Required fields are marked *