= Register Azure Enterprise App for Graph =

**Summary**: How to register an Azure Enterprise App for Graph. \\
**Date**: Around 2022 \\
**Refactor**: 20 February 2025: Checked links and formatting. \\
{{tag>azure entraid}}

Over the last couple of years I have found multiple uses for Graph, and Microsoft itself is slowly moving more and more authentication automation to Graph. I have also found that the interface and procedure change very fast: I register an Azure Enterprise App once every few months or so, and I don't think I've ever done it exactly the same way as before. Because of that it takes more time than I count on, so I wanted a single page that collects all the information, or links directly to other pages as examples.

> Note that the "Azure Active Directory" blade in the portal has since been renamed to "Microsoft Entra ID"; the menu items below are otherwise the same.

= App Registrations =

To register an Azure Enterprise App, follow these steps:

  * In the [[https://portal.azure.com |azure portal]], go to Azure Active Directory (Microsoft Entra ID) and click "App registrations" under the Manage section
  * You see the already registered apps; click "+ New registration" to start configuring a new one
  * Set a name. This is just the display name, so make it descriptive
  * Supported account types: depends on your needs, but for me it's always "Accounts in this organizational directory only"
  * Redirect URI: Web: http://localhost
    * **Note: this is optional now, next time, test with leaving this one empty**
    * For the app-only (client credentials) scenarios on this page the redirect URI is never used; it only matters for flows where a user signs in interactively and is sent back to your application
  * Click Register to save the registration

After the registration you'll see the overview of the registered app. Note the Application ID; you'll need it to identify the registered application.

> Note that the Application ID is also sometimes referred to as the Client ID.

= Client Secret =

To configure a secret, from the registered application overview, follow these steps:

  * Go to "Certificates & secrets"
  * Under the Client secrets section, click "+ New client secret"
  * Provide a description and configure when the secret will expire. In the past you could create a secret that would never expire, but now it has a maximum duration of 2 years (the portal defaults to 180 days)
  * Click Add to create the secret

Once done, you'll see the value. Note the value, as this is the only time you'll be presented with it. Store it in a secret store (Azure Key Vault, an Azure DevOps secret variable) rather than in a script, and plan the rotation before it expires: once the secret has expired every automation that uses it fails at the token request, so put the expiry date in your calendar the moment you create it.

> Note that the Client secret is also sometimes referred to as the application password or the secret passphrase.

= Assign Permissions =

The registered App needs permissions to do what you are going to use it for. Depending on the use, you assign permissions at the delegated (user) level, the application level, or both: delegated permissions act on behalf of a signed-in user and are limited by what that user may do, application permissions let the app act on its own, which is what unattended scripts and pipelines need.

To assign permissions, from the registered application overview, follow these steps:

  * Go to API permissions
  * Click "+ Add a permission"
  * Select your API, which depends on what you're going to do, but Microsoft Graph is the one I use the most
  * Now select the type of permission: Application permissions for the unattended scenarios on this page
  * Now select the actual permission. Directory.Read.All is a common choice for reading users and groups, but pick the narrowest permission that covers the task, because an application permission applies tenant-wide and anyone holding the client secret gets it
  * Click "Add permissions" to add the permissions
  * Now notice the following things:
    * The permission is added to the list of configured permissions
    * The permission has a property "Admin consent required" that is set to Yes or No
    * The permission has a property "Status" that reads "Not granted for" followed by your tenant name
  * Click "Grant admin consent for" (followed by your tenant name), next to "+ Add a permission", to actually grant the permissions

> Note that if you forget to grant the admin consent (a typical mistake) you can run into various errors and warnings depending on the IDE/interface you're working with. For application permissions the token request itself still succeeds; the token just carries no "roles" claim for the permission, and Graph answers the actual call with 403 "Insufficient privileges to complete the operation".

= Tenant Domain =

Now all we need to know is the primary domain configured for the tenant. In the azure portal, go back to the Azure Active Directory overview and follow these steps:

  * Go to Custom domain names
  * Identify the Name that is marked as the Primary domain; this is the tenant name

> Note that the Tenant ID (the GUID shown on the same overview page) works just as well as the domain name in the token endpoint URL, and keeps working if the primary domain is ever changed.
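Putting the four values collected above together (tenant domain, Application ID, client secret, granted application permission), here is an added PowerShell example of the app-only client-credentials flow against Microsoft Graph. It is not code from the original page or from any of the linked scripts. It requests a token, decodes the token's own "roles" claim to confirm that admin consent for Directory.Read.All was actually granted (the mistake called out in the Assign Permissions section), and then calls Graph. The tenant domain, client ID and the GRAPH_CLIENT_SECRET environment variable are placeholders you replace with your own values.

```powershell
# Added example, not from the original page: app-only Microsoft Graph call with the
# client-credentials flow. Placeholder values: replace $TenantDomain and $ClientId with the
# values from your app registration; the secret is read from an environment variable
# (GRAPH_CLIENT_SECRET is an assumed name) so it never ends up in the script or in git.
$TenantDomain = 'contoso.onmicrosoft.com'                 # primary domain from "Custom domain names" (tenant GUID also works)
$ClientId     = '00000000-0000-0000-0000-000000000000'    # Application (client) ID from the app overview
$ClientSecret = $env:GRAPH_CLIENT_SECRET
if (-not $ClientSecret) { throw 'Set GRAPH_CLIENT_SECRET before running this script.' }

# Client-credentials request against the v2.0 token endpoint. The ".default" scope asks for
# every application permission on the registration that has been granted admin consent.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantDomain/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
    }
$accessToken = $tokenResponse.access_token
Write-Verbose "Token valid for $($tokenResponse.expires_in) seconds"

# Decode the JWT payload (second dot-separated segment, base64url without padding) to inspect
# which application permissions the tenant really granted. Without admin consent the token
# request above still succeeds, but the "roles" claim is missing and Graph returns 403
# "Insufficient privileges to complete the operation" on the first call.
function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    $segment = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($segment.Length % 4) { 2 { $segment += '==' } 3 { $segment += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($segment)) | ConvertFrom-Json
}

$payload = Get-JwtPayload -Jwt $accessToken
if (-not $payload.roles -or $payload.roles -notcontains 'Directory.Read.All') {
    throw ("Token does not carry the Directory.Read.All role; grant admin consent on the app registration first. " +
           "Roles present: $($payload.roles -join ', ')")
}

# Call Graph with the bearer token. /organization is readable with Directory.Read.All and is a
# cheap smoke test that the registration, secret, permission and tenant all line up.
$headers = @{ Authorization = "Bearer $accessToken" }
$org = Invoke-RestMethod -Method Get -Uri 'https://graph.microsoft.com/v1.0/organization' -Headers $headers
$org.value | Select-Object displayName, id,
    @{ n = 'verifiedDomains'; e = { ($_.verifiedDomains | ForEach-Object name) -join ', ' } }
```

Run it with `$VerbosePreference = 'Continue'` to see the token lifetime. The roles check is what turns the vague "various errors and warnings" into a precise diagnosis: if the throw fires, the fix is the "Grant admin consent" button, not the secret or the tenant name; if the check passes but Graph still answers 403, the permission you granted is not the one the endpoint needs.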
= Using the Azure Enterprise App =

Here I try to list all the documentation, howto's and such where I've used an Azure Enterprise Application:

^ Link ^ API Used ^ Purpose and Remarks ^
| [[https://marketplace.visualstudio.com/items?itemName=GetShifting.GraphEmail |Azure DevOps Extension - Send email through Graph]] | Microsoft Graph | An Azure DevOps extension that uses MS Graph to send out emails when an SMTP server is not available. |
| [[office365status]] | Microsoft Graph and Office 365 Management | Use a PowerShell script to retrieve the health status of Office 365 (and visualize that with PowerBI) |
| [[tfsmaintenancebuild]] | Microsoft Graph | Use a PowerShell script to monitor an isolated environment and mail out monitoring messages using Graph |
| [[federatedloginforaws]] | None | Use Azure Active Directory accounts to log in to the AWS Console |
| [[manageteammembership]] | Microsoft Graph | Use a PowerShell script in Azure DevOps Server to add users to a Microsoft Team based on an AD security group |