Source from repo
entra-app-registration

microsoftGitHub microsoftOfficialSource repo Original GitHub link Publisher page
Files
Skill
n/a
Size
81.4 KB
Entrypoint
SKILL.md
Format
git-repo
Open file
SKILL.md

Syntax-highlighted preview of this file as included in the skill package.
Rendered Source
markdown192 linesEntrypointFree
SKILL.md
1---
2name: entra-app-registration
3description: "Guides Microsoft Entra ID app registration, OAuth 2.0 authentication, and MSAL integration. USE FOR: create app registration, register Azure AD app, configure OAuth, set up authentication, add API permissions, generate service principal, MSAL example, console app auth, Entra ID setup, Azure AD authentication. DO NOT USE FOR: Azure RBAC or role assignments (use azure-rbac), Key Vault secrets (use azure-keyvault-expiration-audit), general Azure resource security guidance."
4license: MIT
5metadata:
6  author: Microsoft
7  version: "1.1.1"
8---
9 
10## Overview
11 
12Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud-based identity and access management service. App registrations allow applications to authenticate users and access Azure resources securely.
13 
14### Key Concepts
15 
16| Concept | Description |
17|---------|-------------|
18| **App Registration** | Configuration that allows an app to use Microsoft identity platform |
19| **Application (Client) ID** | Unique identifier for your application |
20| **Tenant ID** | Unique identifier for your Azure AD tenant/directory |
21| **Client Secret** | Password for the application (confidential clients only) |
22| **Redirect URI** | URL where authentication responses are sent |
23| **API Permissions** | Access scopes your app requests |
24| **Service Principal** | Identity created in your tenant when you register an app |
25 
26### Application Types
27 
28| Type | Use Case |
29|------|----------|
30| **Web Application** | Server-side apps, APIs |
31| **Single Page App (SPA)** | JavaScript/React/Angular apps |
32| **Mobile/Native App** | Desktop, mobile apps |
33| **Daemon/Service** | Background services, APIs |
34 
35## Core Workflow
36 
37### Step 1: Register the Application
38 
39Create an app registration in the Azure portal or using Azure CLI.
40 
41**Portal Method:**
421. Navigate to Azure Portal → Microsoft Entra ID → App registrations
432. Click "New registration"
443. Provide name, supported account types, and redirect URI
454. Click "Register"
46 
47**CLI Method:** See [references/cli-commands.md](references/cli-commands.md)
48**IaC Method:** See [references/BICEP-EXAMPLE.bicep](references/BICEP-EXAMPLE.bicep)
49 
50It's highly recommended to use the IaC to manage Entra app registration if you already use IaC in your project, need a scalable solution for managing lots of app registrations or need fine-grained audit history of the configuration changes. 
51 
52### Step 2: Configure Authentication
53 
54Set up authentication settings based on your application type.
55 
56- **Web Apps**: Add redirect URIs, enable ID tokens if needed
57- **SPAs**: Add redirect URIs, enable implicit grant flow if necessary
58- **Mobile/Desktop**: Use `http://localhost` or custom URI scheme
59- **Services**: No redirect URI needed for client credentials flow
60 
61### Step 3: Configure API Permissions
62 
63Grant your application permission to access Microsoft APIs or your own APIs.
64 
65**Common Microsoft Graph Permissions:**
66- `User.Read` - Read user profile
67- `User.ReadWrite.All` - Read and write all users
68- `Directory.Read.All` - Read directory data
69- `Mail.Send` - Send mail as a user
70 
71**Details:** See [references/api-permissions.md](references/api-permissions.md)
72 
73### Step 4: Create Client Credentials (if needed)
74 
75For confidential client applications (web apps, services), create a client secret, certificate or federated identity credential.
76 
77**Client Secret:**
78- Navigate to "Certificates & secrets"
79- Create new client secret
80- Copy the value immediately (only shown once)
81- Store securely (Key Vault recommended)
82 
83**Certificate:** For production environments, use certificates instead of secrets for enhanced security. Upload certificate via "Certificates & secrets" section.
84 
85**Federated Identity Credential:** For dynamically authenticating the confidential client to Entra platform.
86 
87### Step 5: Implement OAuth Flow
88 
89Integrate the OAuth flow into your application code.
90 
91**See:**
92- [references/oauth-flows.md](references/oauth-flows.md) - OAuth 2.0 flow details
93- [references/console-app-example.md](references/console-app-example.md) - Console app implementation
94 
95## Common Patterns
96 
97### Pattern 1: First-Time App Registration
98 
99Walk user through their first app registration step-by-step.
100 
101**Required Information:**
102- Application name
103- Application type (web, SPA, mobile, service)
104- Redirect URIs (if applicable)
105- Required permissions
106 
107**Script:** See [references/first-app-registration.md](references/first-app-registration.md)
108 
109### Pattern 2: Console Application with User Authentication
110 
111Create a .NET/Python/Node.js console app that authenticates users.
112 
113**Required Information:**
114- Programming language (C#, Python, JavaScript, etc.)
115- Authentication library (MSAL recommended)
116- Required permissions
117 
118**Example:** See [references/console-app-example.md](references/console-app-example.md)
119 
120### Pattern 3: Service-to-Service Authentication
121 
122Set up daemon/service authentication without user interaction.
123 
124**Required Information:**
125- Service/app name
126- Target API/resource
127- Whether to use secret or certificate
128 
129**Implementation:** Use Client Credentials flow (see [references/oauth-flows.md#client-credentials-flow](references/oauth-flows.md#client-credentials-flow))
130 
131## MCP Tools and CLI
132 
133### Azure CLI Commands
134 
135| Command | Purpose |
136|---------|---------|
137| `az ad app create` | Create new app registration |
138| `az ad app list` | List app registrations |
139| `az ad app show` | Show app details |
140| `az ad app permission add` | Add API permission |
141| `az ad app credential reset` | Generate new client secret |
142| `az ad sp create` | Create service principal |
143 
144**Complete reference:** See [references/cli-commands.md](references/cli-commands.md)
145 
146### Microsoft Authentication Library (MSAL)
147 
148MSAL is the recommended library for integrating Microsoft identity platform.
149 
150**Supported Languages:**
151- .NET/C# - `Microsoft.Identity.Client`
152- JavaScript/TypeScript - `@azure/msal-browser`, `@azure/msal-node`
153- Python - `msal`
154 
155**Examples:** See [references/console-app-example.md](references/console-app-example.md)
156 
157## Security Best Practices
158 
159| Practice | Recommendation |
160|----------|---------------|
161| **Never hardcode secrets** | Use environment variables, Azure Key Vault, or managed identity |
162| **Rotate secrets regularly** | Set expiration, automate rotation |
163| **Use certificates over secrets** | More secure for production |
164| **Least privilege permissions** | Request only required API permissions |
165| **Enable MFA** | Require multi-factor authentication for users |
166| **Use managed identity** | For Azure-hosted apps, avoid secrets entirely |
167| **Validate tokens** | Always validate issuer, audience, expiration |
168| **Use HTTPS only** | All redirect URIs must use HTTPS (except localhost) |
169| **Monitor sign-ins** | Use Entra ID sign-in logs for anomaly detection |
170 
171## SDK Quick References
172 
173- **Azure Identity**: [Python](references/sdk/azure-identity-py.md) | [.NET](references/sdk/azure-identity-dotnet.md) | [TypeScript](references/sdk/azure-identity-ts.md) | [Java](references/sdk/azure-identity-java.md) | [Rust](references/sdk/azure-identity-rust.md)
174- **Key Vault (secrets)**: [Python](references/sdk/azure-keyvault-py.md) | [TypeScript](references/sdk/azure-keyvault-secrets-ts.md)
175- **Auth Events**: [.NET](references/sdk/microsoft-azure-webjobs-extensions-authentication-events-dotnet.md)
176 
177## References
178 
179- [OAuth Flows](references/oauth-flows.md) - Detailed OAuth 2.0 flow explanations
180- [CLI Commands](references/cli-commands.md) - Azure CLI reference for app registrations
181- [Console App Example](references/console-app-example.md) - Complete working examples
182- [First App Registration](references/first-app-registration.md) - Step-by-step guide for beginners
183- [API Permissions](references/api-permissions.md) - Understanding and configuring permissions
184- [Troubleshooting](references/troubleshooting.md) - Common issues and solutions
185 
186## External Resources
187 
188- [Microsoft Identity Platform Documentation](https://learn.microsoft.com/entra/identity-platform/)
189- [OAuth 2.0 and OpenID Connect protocols](https://learn.microsoft.com/entra/identity-platform/v2-protocols)
190- [MSAL Documentation](https://learn.microsoft.com/entra/msal/)
191- [Microsoft Graph API](https://learn.microsoft.com/graph/)
192
Preparing the source view

entra-app-registration

SKILL.md
