Understanding Azure AD Application Registration and Management


Azure AD application registration is a crucial step in integrating your application with Azure Active Directory. You can register your application using the Azure portal, PowerShell, or CLI.

Azure AD application registration allows you to create a unique identity for your application, which enables users to authenticate and authorize access to your application.

To register an application, you need to provide a redirect URI, which is the URL that users will be redirected to after authentication.

You can also specify the permissions your application requires, such as read-only access to user data or the ability to create new users.

Pre-requisites

To set up an Azure AD application, you'll need to have admin privileges in Stitch and privileges in Azure AD that allow you to add, configure, and register applications.

You'll also need an Azure subscription or free trial account, which is required to create an Azure AD application registration directly from the Azure portal.


To manage Azure AD applications, you'll need to have adequate permissions in your Azure account, along with specific Azure AD roles.

Here are the privileges required for managing Azure AD applications:

  • Admin privileges in Stitch
  • Privileges in Azure AD for adding, configuring, and registering applications

To ensure a smooth setup process, make sure you have the necessary permissions and roles configured in your Azure AD tenant.

Creating an Azure AD Application

To create an Azure AD application, first sign into your Microsoft Azure account.

You'll then need to navigate to the Azure Active Directory page, where you can verify you're in the correct tenant. If not, click Switch tenant and navigate to the correct tenant.

Next, click Manage > Enterprise applications in the left sidenav. On the page that displays, click + New application to open the Azure AD Gallery page.

Here's a step-by-step guide to creating the app:

  1. Fill in the fields with the required information.
  2. When finished, click Create.

It may take a few minutes for the app to be created. You'll be redirected to the app's Overview page once it's finished.


Configuring the app's Single Sign-on method using SAML is one stage of the overall setup, which runs as follows:

  • Retrieve your SSO info from Stitch.
  • Configure the app's Single Sign-on method using SAML.
  • Configure the app's permissions.
  • Grant users access to the app.

To create and configure the app, you'll need an account with administrative permissions (AD Global Administrator) in your Microsoft 365 AD. You can use your Microsoft 365 tenant admin user to create and configure the app.

Here's a step-by-step guide to creating and configuring the app:

  • Browse to “Azure Active Directory” and select the Properties option in the left menu.
  • Get the Directory ID (ADALRealm) from this page (copy and save).
  • Select the “App registrations” option in the left menu.
  • Click on “New registration” to register the new application.
  • Set the “Name” and check the option “Accounts in this organizational directory only” (default value).
  • Click “Register”.

You'll also need to grant the newly created app permissions to Microsoft Graph. To do this, select the “API permissions” option and, in the new blade, click the “Add a permission” button, then “Microsoft APIs” and “Microsoft Graph”. Choose “Application permissions” and check “Directory > Directory.Read.All – Read directory data”.

Service Principal Object

A service principal object is a local representation of an application in a specific tenant, created from the application object. It defines what the app can do in the tenant, who can access the app, and what resources the app can access.


There are three types of service principals: Application, Managed identity, and Legacy. An Application service principal is created in each tenant where the application is used, while a Managed identity service principal is used to represent a managed identity, eliminating the need for developers to manage credentials.

A service principal object can be created using Azure PowerShell, Azure CLI, Microsoft Graph, and other tools. You can use the Enterprise applications page in the Microsoft Entra admin center to list and manage service principals in a tenant.


Service Principal Object

A service principal object is a local representation of a global application object in a single tenant or directory. It's created in each tenant where the application is used, and references the globally unique app object.

There are three types of service principal: Application, Managed Identity, and Legacy. An Application service principal is the local representation of a global application object, and defines what the app can do in the specific tenant, who can access the app, and what resources the app can access.


A Managed Identity service principal is used to represent a managed identity, which eliminates the need for developers to manage credentials. A Legacy service principal represents a legacy app, which is an app created before app registrations were introduced or an app created through legacy experiences.

Here are the key differences between the three types of service principal:

  • Application: the local representation of a global application object, created in each tenant where the app is used; it defines what the app can do in that tenant, who can access it, and what resources it can reach.
  • Managed Identity: represents a managed identity, so developers do not have to manage credentials.
  • Legacy: represents an app created before app registrations were introduced, or one created through legacy experiences.

You can create a service principal in a tenant using Azure PowerShell, Azure CLI, Microsoft Graph, and other tools. The service principal object defines the access policy and permissions for the user/application in the Microsoft Entra tenant.

Set Keys in App Service

Setting the service principal keys is a crucial step in connecting your app to Microsoft Graph.

To set the app keys in App Service, you'll need to configure the ADALRealm, ADALClientId, and ADALClientSecret values.

These are the values obtained earlier so that the app can connect to Microsoft Graph.

You can find these values in the App Service settings under Configuration.


Here's a step-by-step guide to setting the app keys:

  • Set the ADALRealm value in the App Service settings.
  • Set the ADALClientId value in the App Service settings.
  • Set the ADALClientSecret value in the App Service settings.

To test the connection to the Graph API, run the PowerShell script from the Install folder.
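The permission step above (Directory.Read.All as an application permission) and the three App Service keys come together when the app requests an app-only token and calls Microsoft Graph. The following is an added example, not the article's PowerShell script or Stitch's code: it builds the client-credentials request from the ADALRealm, ADALClientId and ADALClientSecret values, checks that the token's `roles` claim actually carries Directory.Read.All (a missing role usually means admin consent was never granted), and then calls the Graph `organization` endpoint. The `send` transport is injectable so the logic can be exercised offline with a constructed response.

```python
import base64
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
GRAPH_ORG_URL = "https://graph.microsoft.com/v1.0/organization"

def build_token_request(adal_realm, adal_client_id, adal_client_secret):
    """Client-credentials grant. The .default scope asks for every application
    permission already granted (admin-consented) to this app in the tenant."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": adal_client_id,
        "client_secret": adal_client_secret,
        "scope": GRAPH_SCOPE,
    }).encode()
    return TOKEN_URL.format(tenant=adal_realm), body

def token_roles(token):
    """App-only tokens list granted application permissions in the `roles`
    claim. The payload is decoded without signature verification: this is
    only for inspecting our own token, never for accepting someone else's."""
    seg = token.split(".")[1]
    seg += "=" * (-len(seg) % 4)  # restore the base64url padding JWTs strip
    return set(json.loads(base64.urlsafe_b64decode(seg)).get("roles", []))

def default_send(method, url, body=None, headers=None):
    """Minimal JSON-over-HTTPS transport; replaced by a fake in offline tests."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())

def check_graph_connection(adal_realm, adal_client_id, adal_client_secret,
                           send=default_send, required_role="Directory.Read.All"):
    """Return (ok, detail). A token that lacks `required_role` usually means the
    permission was added to the registration but admin consent was never granted."""
    url, body = build_token_request(adal_realm, adal_client_id, adal_client_secret)
    tok = send("POST", url, body, {"Content-Type": "application/x-www-form-urlencoded"})
    if "access_token" not in tok:
        return False, tok.get("error_description", "no access_token in response")
    roles = token_roles(tok["access_token"])
    if required_role not in roles:
        return False, f"token lacks {required_role}; granted roles: {sorted(roles)}"
    org = send("GET", GRAPH_ORG_URL, None,
               {"Authorization": "Bearer " + tok["access_token"]})
    names = [o.get("displayName") for o in org.get("value", [])]
    return True, f"Graph reachable with {required_role}; tenant(s): {names}"
```

Read the three values from the App Service configuration rather than hard-coding them, and treat a "token lacks" result as a consent problem, not a network one.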

Relationship Between Objects and Principals

In Azure AD, application objects and principals play a crucial role in defining access and permissions. An application object represents an application, while a principal represents the entity that requires access, such as a user or another application.

A service principal is a type of principal that defines the access policy and permissions for an application in a Microsoft Entra tenant. There are three types of service principal: Application, Managed identity, and Legacy.

An Application service principal is created automatically when an application is registered, and it defines what the app can do in the specific tenant, who can access the app, and what resources the app can access.

A Managed identity service principal is used to represent a managed identity, which eliminates the need for developers to manage credentials.


A Legacy service principal represents a legacy app, which is an app created before app registrations were introduced or an app created through legacy experiences.

Here are the three types of service principal, summarized:

  • Application: created automatically when an application is registered; defines what the app can do in the tenant, who can access it, and what resources it can access.
  • Managed identity: represents a managed identity, so developers do not have to manage credentials.
  • Legacy: represents an app created before app registrations were introduced, or one created through legacy experiences.

SAML Single Sign-on

To set up SAML single sign-on in Azure AD, you'll first need to create and configure an Azure AD SAML app. This involves retrieving your SSO info from Stitch, creating the app in Azure AD, and configuring the app's Single Sign-on method using SAML.

You'll need to define the basic SAML configuration, including the Identifier and Reply URL. This is done by clicking Basic SAML Configuration > Edit on the app's Set up Single Sign-On with SAML page.

To configure the app's Single Sign-on method using SAML, you'll need to follow these steps:

  1. Click Manage Single-sign on in the left sidenav on the app's Overview page.
  2. Click SAML on the Select a single sign-on method page.
  3. Click Basic SAML Configuration > Edit.
  4. Fill in the fields as follows: Identifier and Reply URL.

SAML Single Sign-on

To set up SAML single sign-on, you'll need to create and configure an Azure AD SAML app. This involves several steps, starting with retrieving your SSO info from Stitch.


You'll need to create the app in Azure AD and configure its Single Sign-on method using SAML. This includes defining the basic SAML configuration and user attributes and claims.

To define the basic SAML configuration, you'll need to fill in the required fields, which include the Entity ID and the Reply URL. You'll also need to download the app's federation metadata XML file.

Here's a step-by-step guide to defining the basic SAML configuration:

  • On the app's Overview page, click Manage Single-sign on in the left sidenav.
  • On the Select a single sign-on method page, click SAML.
  • On the page that displays, click Basic SAML Configuration > Edit.
  • Fill in the required fields, including the Entity ID and the Reply URL.
  • When finished, click Save.

You'll be redirected back to the app's Set up Single Sign-On with SAML page.

Download Metadata XML

To download the metadata XML file, you'll need to navigate to the Set up Single Sign-On with SAML page.

Scroll to the SAML Signing Certificate section, where you'll find the Federation Metadata XML field.

Click the Download link next to this field to retrieve the file.

Save the file somewhere handy, as you'll need it to complete the setup in Stitch.

This file is required to connect your Azure AD app with Stitch and enable SSO.

Note that downloading this file before completing previous steps will result in errors in Stitch.

Frequently Asked Questions

What does the Azure AD do?

Azure AD helps administrators manage user identities and control access to company resources in the cloud. It provides core directory, access management, and identity protection services to keep your organization secure and organized.

What is an Azure AD app?

An Azure AD app is a cloud-based identity for your organization, allowing users to access thousands of cloud and on-premises applications with single sign-on. It's a key component of Azure Active Directory, enabling secure and seamless access to your organization's resources.

How to create an app in Azure Active Directory?

To create an app in Azure Active Directory, log in to the Azure portal and navigate to App registrations. Click New registration to start the registration process.

Is Microsoft Entra replacing Azure AD?

Microsoft Entra ID is replacing the names Azure Active Directory, Azure AD, and AAD, but not the functionality of Azure AD. Azure AD will continue to operate under the new name, Microsoft Entra ID.

Calvin Connelly

Senior Writer
