Microsoft Azure Integration - Create an Entra ID Application with API Permissions

Last modified on 2024/02/26 13:04


   Microsoft Azure is constantly evolving. As such, some of the screens shown in the procedures below may be different from the ones in the final interface.

Client applications may need to authenticate to use a third-party product or access an API.

Some of the authentication mechanisms require you to first create an application and register it on the Azure portal, then grant it permissions. This integration details step by step all the actions you need to perform to create an Entra ID application with permissions.

Use cases

  • The Technical Support Agent (AST) accesses the Microsoft email server using the Microsoft Graph Mail API (OAuth 2.0 modern authentication).
    Permissions must be given to allow the Technical Support Agent to consult emails using this API.
  • Microsoft Bookings is a solution for planning and managing business customer appointments using a shared calendar.
    Access to data is performed using the Microsoft Bookings API in Microsoft Graph and requires permissions to call the API. See Microsoft Bookings integration.

Microsoft Azure - Definitions

  • Tenant
    • A tenant is a dedicated Azure environment that an organization owns and in which its Entra ID applications are stored.
    • This environment is identified in a unique way via an ID (Directory or Tenant ID).
    • Each organization can have multiple tenants.
  • Entra ID applications
    • An Entra ID application is an application registered on the Azure portal enabling the Microsoft platform to provide identity and access management services.
    • Each application is defined in a given tenant (Azure environment) and identified in a unique way via an ID (Client ID).
    • By default, an Entra ID application registered in a tenant is available to all tenant users who are able to authenticate. The User assignment required? setting on the Azure portal restricts access to specific users or groups in the tenant (see Declare the users authorized to use the Entra ID application below).
  • API permissions authorizing the Entra ID application to access API resources
    • Application permissions for CC (Client Credentials) mode. This enables a third-party product to authenticate using its own credentials (the client secret) without any user interaction or consent (access without user sign-in).
    • Delegated permissions for ROPC (Resource Owner Password Credentials) mode. This enables a third-party product to access the API on behalf of a user whose username and password it sends directly to the identity platform (access with user sign-in). Microsoft treats ROPC as a legacy flow: it does not work with accounts protected by multi-factor authentication or with personal Microsoft accounts, so prefer CC mode wherever the product supports it.

Integration Process

You create an Entra ID application with permissions in three main steps.

Step 1: Register an Entra ID application on the Microsoft Azure portal.

Step 2: Declare the users authorized to use the Entra ID application.

Step 3: Add permissions authorizing the Entra ID application to use an API.

Step-by-Step Integration Process

Prerequisites

Notes

  • You should save the IDs throughout the entire procedure. They will be required when configuring the use of the Entra ID application in the third-party product.

Register an Entra ID application on the Azure portal


Step 1: Access the Azure portal.

1. Log in to the Azure portal using your Azure account.

2. (optional) Select the relevant environment if you have multiple tenants.
 

Step 2: Register a new application on the Azure portal and retrieve the ID.

1. Search for the App registrations service in the list of Azure services or click the link below to access the service directly.
         Microsoft Azure: App registrations

The list of Entra ID applications previously registered on the Azure portal will appear.
         App registrations.png

2. Click + New registration.

The properties window will appear.
         App registration - Creation.png

3. Specify the information required for registering the application.

  • Name: Name of the application. Note: This name is not used by the third-party product.

Best practice: Enter a meaningful name that will enable you to identify the application easily in the dashboard on the Azure portal.

  • Supported account types: Used to specify who can use the new application.
    • Select the option called Accounts in this organizational directory only. This means that only accounts in your organization will be able to access the application (single tenant).

Best practice: Select the option called Accounts in any organizational directory only if you want to provide the application to several organizations, e.g. as a SaaS service (multitenant). A multitenant application can be consented to and used from any Entra ID tenant, so do not choose it for an internal integration such as the Technical Support Agent.

  • Redirect URI: Type of application and redirect URI where the Azure portal should send security tokens after authentication.
    Note: For the Technical Support Agent (AST), select the type of application called Public client/Native.

4. Click Register.

  • The Entra ID application will be created and registered on the Azure portal.
  • Its IDs will be displayed.
    App registration - App with IDs created.png

5. Retrieve the IDs required for configuring your third-party product.

  • Hover over the relevant ID and click the copy icon to copy it.
    • ID of the new Entra ID application: Application (client) ID value
    • Tenant ID: Directory (tenant) ID value
  • You can paste it in a text editor for later use.
    or
  • You can go directly to your third-party product and paste it in the relevant ID field.

Step 3: Create and retrieve the client secret of the Entra ID application.

Prerequisite: Check that the new Entra ID application is declared as a confidential (private) client, since a client secret only applies to that kind of client.

  • Select Authentication in the left pane.
  • Check that the value in Advanced settings > Treat application as a public client (labelled Allow public client flows in the current portal) is No.

1. Select Certificates & secrets in the left pane and click + New client secret.
Certificates and secrets - Creation.png

The properties window will appear.
Certificates and secrets - Properties.png

2. Specify the information required for creating the client secret.

  • Description: Description of the client secret. Note: The default value will be used if you do not specify this field.
  • Expires: Select the validity end date for the client secret.

Best practice: Choose the shortest validity period that fits your rotation process (the portal no longer offers Never; the maximum is 24 months) and record the expiry date so that the secret is renewed in the third-party product before it stops authenticating. A secret that never expires remains usable indefinitely if it leaks.

3. Click Add.

  • The client secret will be generated.
  • Its value will be displayed.
    Certificates and secrets - Secret client created.png

4. Retrieve the client secret required for configuring your third-party product.

   The value of the new client secret can be retrieved only during this step. Once you leave the page, the client secret will be hidden using the * character. If you lose the client secret, you must generate a new one.

   The client secret is a password for the Entra ID application: anyone holding it, together with the Application (client) ID and Directory (tenant) ID, can obtain tokens with every permission granted in the steps below. Store it in a password or secrets manager, not in a plain-text file, e-mail or ticket, and delete any temporary copy once it has been entered in the third-party product.

  • Click the copy icon to copy the client secret from the Value field in the Client Secrets section.
  • You can paste it in a password manager or secrets vault for later use.
    or
  • You can go directly to your third-party product and paste it in the relevant field.

Declare the users authorized to use the Entra ID application

Note: By default, the new Entra ID application is available to all tenant users who are able to authenticate.

example  Technical Support Agent ==>  Declare the email address of the user authorized to access the Technical Support Agent inbox. This is the one specified in the Login field in the Technical Support Agent window.
         User management - Add user - Add assignment - AST example.png

Step 1: Enable user assignment for the Entra ID application.

1. Select Overview in the left pane and click the name of your Entra ID application in Essentials > Managed application in local directory.
         User management - Managed application in local directory option.png

A window displaying the application's local properties will appear.

2. Select Properties in the left pane.

          User management - Managed application in local directory properties.png

3. Select Yes in the User assignment required? field.

4. Click Save.

          User management - User assignment required property.png
 

Step 2: Declare the users authorized to use the Entra ID application.

1. Select Users and groups in the left pane and click + Add User.
         User management - Add user.png

  • The window for adding an assignment will appear.
  • The list of users declared for the tenant will appear.
    User management - Add user - Add assignment.png

2. Select the users authorized to use the application and click Select.

The users will appear in the Selected Items list found at the bottom of the window.

Best practice: Use the search field to find the relevant users.

3. Click Assign.

The list of users and groups authorized to use the Entra ID application will be refreshed.
         User management - Add user - Assignment added.png

Add permissions authorizing the Entra ID application to use an API

API permissions are required in order to authorize the Entra ID application to access API resources. Microsoft offers a list of APIs; for each one you request either application permissions (CC mode, the product authenticates with its own credentials) or delegated permissions (ROPC mode, the product acts on behalf of the signed-in user). Request only the permissions the third-party product actually needs: every permission granted here is available to anyone who holds the client secret.

Note: The Microsoft Graph Mail API is the one used by the Technical Support Agent for accessing inboxes via the Microsoft email server. This API can also be used for other purposes.

Step 1: Select the API to be used by the Entra ID application.

1. Select API permissions in the left pane, then click + Add a permission.

The list of APIs whose permission can be requested will appear.
         API permissions - Creation.png

2. Select the API you want.

example  Technical Support Agent ==> Microsoft Graph Mail API

API permissions - Selection MS Graph API.png

 

Step 2: Select the permissions.

   The type of permission depends on whether or not user sign-in is required.

example  

  • Type of permission for using the Microsoft Graph Mail API with the Technical Support Agent
    • Office 365 protocol: Delegated permissions only (ROPC mode)
    • Microsoft Graph protocol: Application permissions (CC mode) or delegated permissions (ROPC mode)
  • Type of permission for using the Microsoft Bookings API for accessing customer and business calendars. Open url.png See Microsoft Bookings integration.
    • Delegated permissions only

1. Select the type of permissions.

  • Application permissions for the CC mode.
             API permissions - Selection MS Graph API - Application permissions.png
  • Delegated permissions for the ROPC mode.
             API permissions - Selection MS Graph API - Delegated permissions.png

The list of permissions available for the selected API and type of permission will appear.
         API permissions - List.png

2. Select the relevant permissions.

example  

  • Permissions required for using the Microsoft Graph Mail API with the Technical Support Agent. See List of permissions for the Microsoft Graph Mail API.
    • Office 365 protocol:
      • Only delegated permissions (ROPC mode)
      • User.Read, IMAP.AccessAsUser.All, offline_access
    • Microsoft Graph protocol:
      • Delegated permissions (ROPC mode): User.Read, Mail.ReadWrite, offline_access and optionally Mail.ReadWrite.Shared
      • Application permissions (CC mode): Mail.ReadWrite only. User.Read, offline_access and Mail.ReadWrite.Shared exist only as delegated permissions; in this mode shared mailboxes are reached directly through Mail.ReadWrite.
      • Caution: the Mail.ReadWrite application permission lets the Entra ID application read and modify every mailbox in the tenant, not only the support inbox. Restrict it to the mailboxes the product actually needs with an Exchange Online application access policy (New-ApplicationAccessPolicy), and only grant it in tenants where that restriction is in place.
  • Permissions required for using the Microsoft Bookings API for accessing customer and business calendars.
    See Microsoft Bookings integration.

Best practice: Use the search field to filter permissions.

3. Click Add permissions.

The list of permissions authorizing your Entra ID application to use the API will be refreshed.
         API permissions - MS Graph with Application permission - Permission readwrite added.png
 

Step 3: Grant administrator consent for permissions.

1. Click Grant admin consent for <your tenant>.

   The button will be grayed out if you do not have the relevant rights to perform the actions in this step. In this case, you should ask the administrator of your tenant to grant consent.

   Admin consent is mandatory for application permissions (CC mode), since no user signs in who could consent. It is also needed in practice for delegated permissions in ROPC mode, because the password flow shows no consent prompt in which the user could accept the permissions.

  • The list of permissions granted to your Entra ID application will be refreshed.
    API permissions - MS Graph with Application permission - API permissions granted.png
  • The third-party product can now obtain a token for accessing the API and for using API resources.
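The two permission types defined above (application permissions for CC mode, delegated permissions for ROPC mode) correspond to two different token requests, and the way to confirm that consent actually took effect is to look at the token the third-party product receives: a token obtained in CC mode carries the granted application permissions in its roles claim, a token obtained in ROPC mode carries the delegated permissions in its scp claim. The following Python script is an added example written for this page, not EasyVista or Microsoft code. It builds the two request bodies for the Microsoft identity platform v2.0 token endpoint, decodes the token payload without checking the signature (a diagnostic, not an authorization check) and verifies that the permissions the Technical Support Agent needs for the Microsoft Graph Mail API are present. The sample tokens at the bottom are constructed with a fake signature so the checks run offline; the tenant, client ID, user and secret placeholders are assumptions.

```python
"""Added example for this page (not EasyVista or Microsoft code): the token
requests behind CC mode and ROPC mode, plus a check of the permissions actually
present in the returned access token. Standard library only."""
import base64
import json
import urllib.parse
import urllib.request

# Microsoft identity platform v2.0 token endpoint; {tenant} is the Directory
# (tenant) ID copied from the app registration.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"


def client_credentials_body(client_id, client_secret):
    """CC mode: the app authenticates with its own client secret, no user signs
    in. The .default scope returns every application permission an admin has
    consented to, so the token's roles claim shows exactly what was granted."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_DEFAULT_SCOPE,
    }


def ropc_body(client_id, username, password, scopes, client_secret=None):
    """ROPC mode: the app sends the user's own password and receives the
    delegated permissions listed in `scopes`. The client secret is sent only
    when the registration is a confidential client (public client flows = No)."""
    body = {
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
        "scope": " ".join(scopes),
    }
    if client_secret is not None:
        body["client_secret"] = client_secret
    return body


def request_token(tenant, body):
    """POST a body from the two builders above and return the access token.
    This is the only function that touches the network."""
    req = urllib.request.Request(
        TOKEN_URL.format(tenant=tenant),
        data=urllib.parse.urlencode(body).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_permissions(access_token):
    """Read the permissions from the token's claims: delegated permissions arrive
    as the space-separated `scp` string, application permissions as the `roles`
    array. The signature is NOT verified here (Graph verifies it on every call);
    this only answers "what did consent actually grant?"."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    if "scp" in payload:
        return "delegated", sorted(payload["scp"].split())
    return "application", sorted(payload.get("roles", []))


def check_mail_access(access_token, need_shared_mailbox=False):
    """Return (mode, missing) for the Graph Mail API permissions this page lists.
    Mail.ReadWrite.Shared exists only as a delegated permission; in application
    mode Mail.ReadWrite already covers every mailbox the app is allowed to reach."""
    mode, granted = token_permissions(access_token)
    required = {"Mail.ReadWrite"}
    if need_shared_mailbox and mode == "delegated":
        required.add("Mail.ReadWrite.Shared")
    return mode, sorted(required - set(granted))


def make_sample_token(claims):
    """Constructed, unsigned sample token so the checks above run offline."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.fake-signature"


# Constructed sample claims mirroring what each mode returns after admin consent.
SAMPLE_APP_TOKEN = make_sample_token(
    {"aud": "https://graph.microsoft.com", "roles": ["Mail.ReadWrite"]})
SAMPLE_USER_TOKEN = make_sample_token(
    {"aud": "https://graph.microsoft.com",
     "scp": "Mail.ReadWrite User.Read offline_access"})

if __name__ == "__main__":
    # Assumed placeholders; replace with the IDs copied from the portal.
    print(client_credentials_body("<client-id>", "<client-secret>"))
    print(ropc_body("<client-id>", "support@contoso.example", "<password>",
                    ["Mail.ReadWrite", "User.Read", "offline_access"]))
    print(check_mail_access(SAMPLE_APP_TOKEN))
    print(check_mail_access(SAMPLE_USER_TOKEN, need_shared_mailbox=True))
```

To run it against a real tenant, pass the body from client_credentials_body or ropc_body to request_token with the Directory (tenant) ID and feed the returned token to check_mail_access; an empty missing list means the consent granted in the step above covers the calls the product will make. The sample user token deliberately lacks Mail.ReadWrite.Shared, so the second check reports it as missing.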



How to create a free Azure account

1. Go to the Microsoft Azure website.

2. Click Start free.

          Microsoft Flow - Free account.png

3. Log in to your work Microsoft account.
         Microsoft Flow - Login account.png

4. Enter the login information.
         Microsoft Flow - Account creation - Identification 1.png

5. Click Next.

6. Tick the I agree box.
         Microsoft Flow - Account creation - Identification 2.png

7. Click Sign up.

Powered by XWiki © EasyVista 2024