
To configure Azure App Registration permissions for Microsoft 365, you grant your app the permissions it needs. There are two kinds: Delegated permissions, which let the app act on behalf of a signed-in user (and are bounded by what that user can already do), and Application permissions, which let the app act as itself with no user present.
Delegated permissions are consented to by a user (or by an administrator on behalf of all users), while Application permissions can only be granted by an administrator. You add either kind by selecting the "Add a permission" button and searching for the permission you want.
When selecting a permission, check its type (Application or Delegated) and read the name carefully, because the name encodes what the app can do: a ".Read" permission is read-only, a ".ReadWrite" permission also allows changes, and an ".All" suffix widens the reach from the signed-in user's own data to the whole directory. Request the narrowest permission that does the job.
For example, "Mail.Read" allows your app to read email messages, while "Mail.Send" allows it to send email messages; an app that only needs to read mail should not request "Mail.Send".
Azure App Registration
To create an Azure App Registration, sign in to the Microsoft Entra admin center and check that you're in the correct tenant. Click Identity > Applications > App registrations, and then click New registration. In the Register an application panel, enter a meaningful application name and select the supported account types for the app you're building.
You'll also provide the redirect URI (or reply URL) for your application, under the platform that matches it (web, or public client for mobile & desktop apps). Click Register to complete the registration.
Prerequisites
Before you start making changes to your Azure app registration, you'll need to meet some prerequisites.
You'll need two sets of privileges to proceed: the ability to add permissions to an app registration and the ability to grant those permissions to the app registration.
A user with the Privileged Role Administrator role can do both tasks. This is because they have the necessary permissions to both add and grant permissions.
Users with the Application Administrator or Cloud Application Administrator role can only add permissions, not grant them.
To separate tasks and enforce least privilege access, consider assigning the task of adding permissions to one user and the task of granting permissions to another.
You'll also need to sign in to an API client such as Graph Explorer to run the necessary HTTP requests.
The API client you use to make these changes must itself be granted the Application.ReadWrite.All permission, since it updates app registration objects.
Here are the specific roles mentioned in the article:
- Privileged Role Administrator
- Application Administrator
- Cloud Application Administrator
Create a Registration
To create a registration, sign in to the Microsoft Entra admin center, which hosts the app registration portal.
Open the portal by clicking Identity > Applications > App registrations, then click New registration.
In the Register an application panel, enter a meaningful application name and select the supported account types (single-tenant is the least exposed choice unless you actually need to accept sign-ins from other tenants or personal accounts). Enter the redirect URI for your application, which depends on the type of app you're building.
The steps in full:
- Sign in to the Microsoft Entra admin center.
- Click Identity > Applications > App registrations.
- Click New registration.
- In the Register an application panel, enter the application name, supported account types, and redirect URI, then click Register.
Requesting Tenant-wide Admin Consent
An administrator can grant consent for your app to act on behalf of any user in the tenant.
To request consent for delegated permissions for all users in a tenant, your app can use the admin consent endpoint, so that individual users in the organization are never shown a consent prompt for the application.
The admin consent endpoint is a dedicated endpoint you use to proactively request that an administrator grant permissions on behalf of the entire tenant.
When a user holding the Company Administrator role (today's Global Administrator) uses your application and is directed to the authorize endpoint, the Microsoft identity platform detects that role and asks whether they want to consent on behalf of the entire tenant for the permissions you have requested.
You request consent for an entire tenant by sending the administrator to the admin consent endpoint; the scope parameter of that request is a space-separated list of the delegated permissions the app is requesting. Treat the redirect back to your app as untrusted input: check the state value you sent before accepting that consent was granted.
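The following is an added example (not code from the original page or from Microsoft) showing the two halves of the admin consent flow: building the v2.0 admin consent URL with a space-separated scope list, and validating the redirect that comes back. The tenant, client ID and redirect URI are placeholders, and the callback URLs in the usage note are constructed for illustration.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"


def build_admin_consent_url(tenant, client_id, redirect_uri, scopes, state):
    """Build the v2.0 admin consent URL.

    `scopes` is a list of delegated permission names; the endpoint expects
    them space-separated in a single `scope` parameter. `state` is an opaque
    per-request value the app stores so it can bind the callback to the
    request it originated (CSRF protection).
    """
    query = {
        "client_id": client_id,
        "state": state,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
    }
    return f"{AUTHORITY}/{tenant}/v2.0/adminconsent?{urlencode(query)}"


def new_state():
    """Unpredictable state value to store server-side before redirecting."""
    return secrets.token_urlsafe(24)


def parse_admin_consent_callback(callback_url, expected_state):
    """Validate the redirect back from the admin consent endpoint.

    On success the endpoint redirects with admin_consent=True, the consenting
    tenant's ID, the granted scope list and the original state; on failure it
    returns error and error_description. Returns (tenant_id, [scopes]) or
    raises.
    """
    params = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    # Constant-time compare: a mismatched or missing state means the callback
    # was not produced by a request this app made.
    if not secrets.compare_digest(params.get("state", ""), expected_state):
        raise ValueError("state mismatch: callback does not belong to a request we made")
    if "error" in params:
        raise PermissionError(f"{params['error']}: {params.get('error_description', '')}")
    if params.get("admin_consent", "").lower() != "true":
        raise PermissionError("admin consent was not granted")
    return params["tenant"], params.get("scope", "").split()


if __name__ == "__main__":
    # Placeholder identifiers, not real tenant/app values.
    state = new_state()
    url = build_admin_consent_url(
        "common", "00000000-0000-0000-0000-000000000000",
        "https://app.example.com/consent", ["User.Read", "Mail.Read"], state,
    )
    print(url)
```

Use "common" as the tenant segment for a multi-tenant app and the tenant ID for a single-tenant one. The tenant value returned in the callback is the tenant that actually consented; persist it alongside the granted scopes, since the scopes an admin grants can be narrower than the ones you asked for.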
Microsoft Graph API
The Microsoft Graph applications API lets you configure Azure AD Graph permissions on an app registration programmatically, using the steps outlined below.
To start, identify the Azure AD Graph permissions your app requires, their permission IDs, and whether each is an appRole (application permission) or an oauth2PermissionScope (delegated permission). For more information, see the Azure AD Graph permissions reference. Azure AD Graph is identified as a servicePrincipal object with 00000002-0000-0000-c000-000000000000 as its globally unique appId and Windows Azure Active Directory as its displayName and appDisplayName.
You can retrieve the service principal object for Azure AD Graph in your tenant with a request to the servicePrincipals endpoint filtered on that appId; its oauth2PermissionScopes and appRoles collections carry the permission IDs you need. The Microsoft Graph application object includes a requiredResourceAccess property, a collection with one object per resource API, each listing the permissions requested from that resource by ID and type.
If you're using Microsoft Graph and any related SDKs, you can grant permissions to an app registration without the need to use the Microsoft Entra admin center. For more information, see Grant or revoke API permissions programmatically.
Here are the three methods you can use to configure Azure AD Graph permissions for an app registration:
- Use the Microsoft Entra admin center to find the APIs your organization uses
- Update the application manifest on the Microsoft Entra admin center
- Use the Microsoft Graph applications API
Note that configuring these permissions is only a stopgap: any app using Azure AD Graph will still stop functioning once the API is retired. For more information, see Migrate Azure AD Graph apps to Microsoft Graph.
Update Manifest on Microsoft Entra Admin Center
To update the manifest on the Microsoft Entra admin center, sign in to the admin center and expand the Identity menu. From there, select Applications and then App registrations. Choose the app you want to add Azure AD Graph permissions to.
Select Manifest to open an editor that lets you directly edit the attributes of the app registration object. Edit the requiredResourceAccess property carefully: the whole collection is saved as you leave it, so an entry you accidentally remove or mistype is a permission your app loses. You can edit the manifest in the Microsoft Entra admin center or download it, edit it locally, and upload it back to your application.
To add Azure AD Graph permissions, add an object with a resourceAppId property set to 00000002-0000-0000-c000-000000000000, the value representing Azure AD Graph, and a resourceAccess property that lists the permissions. In the example the page refers to, User.Read is requested as an oauth2PermissionScope (delegated permission, type Scope) and Application.Read.All as an appRole (application permission, type Role); each is referenced in resourceAccess by its permission ID, not by name.
- Sign in to the Microsoft Entra admin center.
- Expand the Identity menu > Applications > select App registrations.
- In the App registrations window, under the All applications tab, select the app that you want to add Azure AD Graph permissions to.
- In the left pane of the window, under the Manage menu group, select Manifest to open up an editor that allows you to directly edit the attributes of the app registration object.
- Carefully edit the requiredResourceAccess property in the app's manifest to add the following details:
- resourceAppId property and assign the value 00000002-0000-0000-c000-000000000000 representing Azure AD Graph.
- resourceAccess property and configure the permissions.
- Save your changes.
- Back under the Manage menu group, select API permissions and in the Configured permissions for your app registration, select Grant admin consent to grant the Azure AD Graph permissions to your app registration.
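The following is an added example, not code from the page, Microsoft's documentation or any Lacework/BDRSuite material, that does what the two preceding sections describe in one place: it resolves permission names to IDs from the resource API's service principal (oauth2PermissionScopes become type Scope, appRoles become type Role), merges them into the application's requiredResourceAccess without clobbering permissions already configured for other resources, and PATCHes the application object through the Microsoft Graph applications API. The GUIDs in SAMPLE_SP and SAMPLE_EXISTING are constructed placeholders, not real permission IDs; the Graph calls assume you already hold a bearer token with Application.ReadWrite.All and are not exercised offline. The same code works for any resource API, Azure AD Graph being only the instance the page discusses.

```python
import json
import urllib.request
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"
AAD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"  # Azure AD Graph
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph


def graph_request(token, method, path, body=None):
    """Minimal Microsoft Graph call with a bearer token (network; not run offline)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"{GRAPH}{path}", data=data, method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None  # PATCH answers 204 with no body


def get_service_principal(token, app_id):
    """Look up a resource API's service principal in this tenant by its appId."""
    flt = quote(f"appId eq '{app_id}'")
    result = graph_request(token, "GET", f"/servicePrincipals?$filter={flt}")
    return result["value"][0]


def resolve_permissions(service_principal, delegated=(), application=()):
    """Map permission names to resourceAccess entries.

    Delegated names must exist in oauth2PermissionScopes (type Scope);
    application names must exist in appRoles (type Role). An unknown name
    raises rather than silently requesting nothing.
    """
    scopes = {s["value"]: s["id"] for s in service_principal.get("oauth2PermissionScopes", [])}
    roles = {r["value"]: r["id"] for r in service_principal.get("appRoles", [])}
    name = service_principal.get("appDisplayName", service_principal.get("appId"))
    access = []
    for perm in delegated:
        if perm not in scopes:
            raise KeyError(f"{perm!r} is not a delegated permission of {name}")
        access.append({"id": scopes[perm], "type": "Scope"})
    for perm in application:
        if perm not in roles:
            raise KeyError(f"{perm!r} is not an application permission of {name}")
        access.append({"id": roles[perm], "type": "Role"})
    return access


def merge_required_resource_access(existing, resource_app_id, access):
    """Return a new requiredResourceAccess list with `access` merged in.

    PATCHing requiredResourceAccess replaces the whole collection, so the
    existing entries for other resources are carried over, and duplicates
    for the same (id, type) are not added twice. `existing` is not mutated.
    """
    merged = json.loads(json.dumps(existing))  # deep copy
    for entry in merged:
        if entry["resourceAppId"] == resource_app_id:
            have = {(a["id"], a["type"]) for a in entry["resourceAccess"]}
            entry["resourceAccess"].extend(a for a in access if (a["id"], a["type"]) not in have)
            return merged
    merged.append({"resourceAppId": resource_app_id, "resourceAccess": list(access)})
    return merged


def add_permissions(token, application_object_id, resource_app_id, delegated=(), application=()):
    """Configure (not grant) permissions on an app registration via Graph."""
    sp = get_service_principal(token, resource_app_id)
    app = graph_request(token, "GET",
                        f"/applications/{application_object_id}?$select=requiredResourceAccess")
    access = resolve_permissions(sp, delegated, application)
    new = merge_required_resource_access(app.get("requiredResourceAccess", []), resource_app_id, access)
    graph_request(token, "PATCH", f"/applications/{application_object_id}",
                  {"requiredResourceAccess": new})
    return new


# Constructed sample data with placeholder IDs (not the real permission GUIDs).
SAMPLE_SP = {
    "appId": AAD_GRAPH_APP_ID,
    "appDisplayName": "Windows Azure Active Directory",
    "oauth2PermissionScopes": [
        {"id": "aaaaaaaa-0000-0000-0000-000000000001", "value": "User.Read"},
        {"id": "aaaaaaaa-0000-0000-0000-000000000002", "value": "Directory.Read.All"},
    ],
    "appRoles": [{"id": "bbbbbbbb-0000-0000-0000-000000000001", "value": "Application.Read.All"}],
}
SAMPLE_EXISTING = [{"resourceAppId": MS_GRAPH_APP_ID,
                    "resourceAccess": [{"id": "cccccccc-0000-0000-0000-000000000001", "type": "Scope"}]}]

if __name__ == "__main__":
    access = resolve_permissions(SAMPLE_SP, delegated=["User.Read"], application=["Application.Read.All"])
    print(json.dumps(merge_required_resource_access(SAMPLE_EXISTING, AAD_GRAPH_APP_ID, access), indent=2))
```

The output of the sample run is exactly the requiredResourceAccess value you would paste into the manifest editor. Either way, this only configures the permissions; they take effect after admin consent is granted, which is a separate step needing the granting privilege described under Prerequisites.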
Assign Key Vault
Assign Key Vault permissions to your Azure app registration by following these steps.
You'll need to grant Azure Key Vault permissions so that compliance policy assessments can run in your environment.
There are two methods to grant these permissions: a vault access policy or Azure role-based access control.
Azure role-based access control is the recommended method; it manages Key Vault permissions with the same role model as the rest of Azure.
Using a vault access policy grants Lacework FortiCNAPP access to read only the metadata required for compliance policy assessments.
This does not grant Lacework FortiCNAPP access to read the contents of keys or secrets, because that access is not required; confirm that the permissions you assign stay at that level.
Here are the two methods to grant Azure Key Vault permissions:
- Vault access policy (default)
- Azure role-based access control (recommended)
Active Directory Integration
As an AD Administrator, you need to grant permissions to your app registration to access various resources. To do this, you'll need to follow a series of steps, starting with logging into Azure as an AD Administrator for the subscription involved.
Click the [App registrations] button to open the "App Registrations" blade, as shown in Fig. 4. From there, you can navigate to the "API permissions" blade by clicking the [API permissions] button in the left menu.
To grant permissions, you'll need to click the [Add a permission] button to display the "Request API permissions" dialogue. This is where you can filter the permission request to Microsoft Graph permission types by clicking the "Microsoft Graph" button.
You can then select the permissions to grant to an account via this Application Registration by expanding a category and selecting the permissions. For example, selecting the "User.Read.All" permission would allow an account to read all users' information in the directory (Microsoft Entra ID, formerly Azure AD).
To save the selected permissions, click the [Add permissions] button. The Configured Permissions list will then display the added permission.
However, some permissions, like "User.Read.All", require admin consent before they take effect. To grant admin consent, click the [Grant admin consent] button and confirm the action.
Alternatively, you can request permissions from your organization's admin by redirecting the user to the Microsoft identity platform admin consent endpoint.
To create a new application registration, go to Azure AD service -> App registrations > New registration and enter a meaningful application name, select the supported account types, and enter the redirect URI (or reply URL) for your application.
If your app still requires Azure AD Graph permissions, you can configure them using one of three methods: using the Microsoft Entra admin center, updating the application manifest, or using the Microsoft Graph applications API.
Sources
- https://davidgiard.com/granting-azure-active-directory-permissions-to-an-app-registration
- https://sagu94271.medium.com/create-app-registration-configure-its-permission-scopes-8727cac3676e
- https://github.com/microsoftgraph/microsoft-graph-docs-contrib/blob/main/concepts/migrate-azure-ad-graph-configure-permissions.md
- https://docs.lacework.net/compliance/manually-create-an-azure-app-for-integration
- https://www.bdrsuite.com/blog/microsoft-365-for-beginners-azure-app-registration-permissions-step-by-step-part-38/