This technical report details the process of registering an application in Microsoft Entra ID (formerly Azure Active Directory). Registration is the first step for any application that needs to call Microsoft 365 services such as SharePoint through the Microsoft Graph API. Whether you are an IT professional, developer, or administrator, this guide will equip you with the knowledge to configure your applications for secure integration.
By following these step-by-step instructions, you will learn how to register your application, assign the necessary API permissions (specifically for reading and writing SharePoint sites), and grant the required admin consent, so that your application operates securely and with no more access than it needs within your organisational directory.
Understanding Application Registration in Microsoft Entra ID
Before diving into the steps, it’s important to grasp the foundational concepts:
- What is Microsoft Entra ID? Microsoft Entra ID is Microsoft’s cloud-based identity and access management service. It helps your employees sign in and access both internal and external resources, acting as the central hub for managing user identities and application access within an organisation. It’s the modern evolution of Azure Active Directory.
- Why Register an App? Registering an application in Entra ID is the basis for authentication and authorisation. It creates an identity for your application (an application object plus, in your tenant, a service principal) that can authenticate with Microsoft services and be granted permissions to access specific resources, either on behalf of a signed-in user (delegated permissions) or as itself (application permissions). Without a registration, your application cannot obtain tokens for the Graph API at all.
- Key Concepts:
- Client ID (Application ID): A unique identifier for your application within Entra ID. Your application presents it when requesting authentication tokens.
- Tenant ID (Directory ID): A unique identifier for your Microsoft Entra ID instance (your organisation’s directory).
- Redirect URI: The URL to which Entra ID sends the authentication response after a user has logged in and granted consent. For desktop or testing purposes, http://localhost is often used. It is only needed for flows that involve a user; an app that uses application permissions only (the client credentials flow, as in this guide) never redirects a browser and can be registered without one.
- API Permissions: Define what resources and operations your application is allowed to access within Microsoft Graph (e.g., reading user profiles, writing to SharePoint sites).
Step-by-Step Guide: Registering Your Microsoft Graph API App in Entra ID
Follow these instructions meticulously to register your application.
Register the Microsoft Graph API App in Entra ID
To call Microsoft Graph securely, register an app in Microsoft Entra ID (formerly Azure AD).
Sign into Microsoft Entra ID
Go to https://entra.microsoft.com and sign in. By default any user can create an app registration, but the admin consent step later in this guide requires an account that can grant tenant-wide consent to Microsoft Graph application permissions (Global Administrator or Privileged Role Administrator). Use a dedicated administrative account with MFA for this, not a daily-use account.
Navigate to App Registrations
- Navigate to: Identity > Applications > App registrations
- Click New registration

Register a New Application
- Fill in:
- Name (App Name): e.g. SharePointDocCopyApp
- Supported account types: “Accounts in this organisational directory only”
- Redirect URI: http://localhost (can be adjusted later; optional for an app that will use application permissions only)
- Click Register

Configuring Microsoft Graph API Permissions for the Registered App
- Go to: API permissions > Add a permission > Microsoft Graph

- Select Application permissions
- Add: Sites.Read.All, Sites.ReadWrite.All (note that Sites.ReadWrite.All already includes read access, so Sites.Read.All is redundant once ReadWrite is granted; add only what the application will actually use)
- Click Add permissions

Granting Admin Consent
After adding the permissions, you will return to the “API permissions” page for your application. You will notice that the status for Sites.Read.All and Sites.ReadWrite.All shows “Not granted for [Your Tenant Name].” Because these are application permissions, no user can consent to them; an administrator must explicitly grant consent for the entire organisation. Click the “Grant admin consent for [Your Tenant Name]” button.

- A confirmation pop-up will appear, asking if you want to grant consent for the requested permissions. Review the permissions carefully and, if acceptable, click “Yes.”

- Upon successful consent, the page will refresh. Verify that the “Status” column for both Sites.Read.All and Sites.ReadWrite.All now displays “Granted for [Your Tenant Name].” This confirms that your application has been authorised to access every SharePoint site in the tenant with the specified permissions.
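The portal steps above, done as a script, as an added example that is not part of the original page. It uses the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) and assumes the display name SharePointDocCopyApp and a signed-in account that can both create registrations and grant consent to Microsoft Graph application permissions. It deliberately requests only Sites.ReadWrite.All, since that already includes read access, and looks the app role IDs up by name rather than hard-coding GUIDs:

```powershell
# Added example, not from the original page: the portal steps as a script,
# using the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Assumptions: the display name 'SharePointDocCopyApp' and the permission list
# below; the signed-in account can create app registrations and grant admin
# consent to Microsoft Graph application permissions.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All' -NoWelcome

# Well-known appId of the Microsoft Graph resource; its service principal in
# this tenant carries the list of app roles (application permissions).
$graphAppId = '00000003-0000-0000-c000-000000000000'
$graphSp    = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"

# Look the app role IDs up by name instead of hard-coding GUIDs.
# Sites.ReadWrite.All already includes read access, so Sites.Read.All is not added.
$wanted = @('Sites.ReadWrite.All')
$roles  = @($graphSp.AppRoles | Where-Object {
    $_.Value -in $wanted -and $_.AllowedMemberTypes -contains 'Application'
})
if ($roles.Count -ne $wanted.Count) { throw 'One or more requested app roles were not found on Microsoft Graph' }

# requiredResourceAccess is what the portal writes when you "Add a permission";
# Type 'Role' means application permission (Type 'Scope' would be delegated).
$requiredResourceAccess = @{
    ResourceAppId  = $graphAppId
    ResourceAccess = @($roles | ForEach-Object { @{ Id = $_.Id; Type = 'Role' } })
}

# 'AzureADMyOrg' = "Accounts in this organisational directory only".
# No redirect URI: app-only (client credentials) sign-in never redirects a browser.
$app = New-MgApplication -DisplayName 'SharePointDocCopyApp' `
                         -SignInAudience 'AzureADMyOrg' `
                         -RequiredResourceAccess @($requiredResourceAccess)

# The service principal is the tenant-local identity that actually receives consent.
$sp = New-MgServicePrincipal -AppId $app.AppId

# "Grant admin consent" = one app role assignment per role, from our service
# principal to the Microsoft Graph service principal.
foreach ($role in $roles) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
        -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
}

# Verify: these assignments are what the portal shows as "Granted for <tenant>".
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
    ForEach-Object { $graphSp.AppRoles | Where-Object Id -eq $_.AppRoleId } |
    Select-Object -ExpandProperty Value
if ($granted -notcontains 'Sites.ReadWrite.All') { throw 'Consent was not recorded on the service principal' }

"Client ID (Application ID): $($app.AppId)"
"Tenant ID (Directory ID):   $((Get-MgContext).TenantId)"
"Granted application permissions: $($granted -join ', ')"
```

The app role assignment on the service principal is the object the portal's “Granted for [Your Tenant Name]” status reflects; listing those assignments is also the quickest way to audit what an existing app has actually been granted, independent of what its registration requests.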

Next Steps and Best Practices
With your application successfully registered and permissions granted, here are the crucial next steps and security best practices:
- Retrieving Client ID (Application ID) and Tenant ID (Directory ID): These unique identifiers are essential for your application to authenticate. You can find them on the application’s “Overview” page in Entra ID (the first page you see after registering your app).
- Client Secrets/Certificates: To authenticate in production, your application needs a credential: a client secret or a certificate, generated in the “Certificates & secrets” section of your app registration. Prefer a certificate; a client secret is a password equivalent, its value is shown only once when created, and it expires, so choose the shortest lifetime you can and plan rotation. Store credentials in a secret store such as Azure Key Vault and never embed them in code or commit them to source control.
- Implementing Graph API Calls: To interact with the Microsoft Graph API from your application, you will typically use a Microsoft Authentication Library (MSAL) suitable for your programming language (e.g., MSAL.NET, MSAL.js, MSAL Python). These libraries handle token acquisition, caching and renewal. For the application permissions configured here, the app uses the client credentials flow with the scope https://graph.microsoft.com/.default, which returns every application permission an administrator has consented to.
- Security Best Practices:
- Least Privilege Principle: Grant only the minimum permissions the application needs. Avoid granting ReadWrite.All if Read.All suffices for a task, and remember that Sites.ReadWrite.All grants write access to every site in the tenant; where the app only needs specific sites, the application permission Sites.Selected, combined with a per-site grant, limits the blast radius of a leaked credential.
- Securely Store Client Secrets: Treat client secrets like passwords. Use environment variables, Azure Key Vault, or other secure storage solutions.
- Regularly Review Granted Permissions: Periodically audit the permissions granted to your applications in Entra ID to ensure they are still necessary and appropriate.
- Monitor Sign-in Logs: Utilise Entra ID’s sign-in logs to monitor your application’s authentication attempts and identify any suspicious activity.
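Signing in as the registered app and checking the issued token before the first Graph call, as an added example that is not part of the original page. It performs the client credentials flow directly against the v2.0 token endpoint, inspects the token's aud and roles claims to confirm that admin consent really applies, then lists SharePoint sites. The environment variable names are the example's own choice; the tenant ID, client ID and secret are assumed to be loaded into them from a secret store:

```powershell
# Added example, not from the original page: sign in as the registered app with
# the OAuth 2.0 client credentials grant, check the token's claims before use,
# then list SharePoint sites via Microsoft Graph.
# Assumptions: tenant ID, client ID and client secret arrive in the environment
# variables below (populated from Azure Key Vault or another secret store, never
# hard-coded). The variable names are this example's own choice.
foreach ($v in 'ENTRA_TENANT_ID', 'ENTRA_CLIENT_ID', 'ENTRA_CLIENT_SECRET') {
    if ([string]::IsNullOrEmpty([Environment]::GetEnvironmentVariable($v))) { throw "Missing environment variable $v" }
}
$tenantId = $env:ENTRA_TENANT_ID
$clientId = $env:ENTRA_CLIENT_ID
$secret   = $env:ENTRA_CLIENT_SECRET

# Decode the payload of a JWT (base64url). No signature check is done here: we
# only inspect claims; Microsoft Graph validates the signature when the token is used.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

# Client credentials grant against the v2.0 token endpoint. The '.default'
# scope asks for every application permission an administrator has consented to.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        client_id     = $clientId
        client_secret = $secret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }

$claims = ConvertFrom-JwtPayload $tokenResponse.access_token

# Audience must be Microsoft Graph (either form may be issued).
if ($claims.aud -notin @('https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000')) {
    throw "Unexpected audience: $($claims.aud)"
}
# 'roles' lists the application permissions that were actually consented. If it
# is missing, admin consent was not granted and Graph will answer 403.
$required = 'Sites.ReadWrite.All'
if (-not ($claims.roles -contains $required)) {
    throw "Token lacks $required (roles present: $($claims.roles -join ', '))"
}
# An app-only token carries no user identity, so it must not have an 'scp' claim.
if ($claims.PSObject.Properties.Name -contains 'scp') { throw 'Expected an app-only token, got a delegated one' }

$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }
$sites = Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/sites?search=*' -Headers $headers
$sites.value | Select-Object displayName, webUrl
```

The secret-based flow is shown because it is the simplest to read; in production, prefer the certificate variant, which with the Microsoft Graph PowerShell SDK is a single call: Connect-MgGraph -TenantId $tenantId -ClientId $clientId -CertificateThumbprint $thumbprint. The claims checks are worth keeping in either case, since a token with an empty roles claim is the usual symptom of consent that was requested but never granted.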
Conclusion
Registering an application in Microsoft Entra ID and configuring its permissions is the foundation for any use of the Microsoft Graph API. Following this report, you have registered an application, granted it application permissions to SharePoint sites, and recorded the identifiers it needs to authenticate. Keep to the practices above, in particular least privilege and secure credential management, since an app-only credential with Sites.ReadWrite.All is a tenant-wide key to your SharePoint content and must be protected and reviewed accordingly.