Summary: How to register an Azure Enterprise App for Graph.
Date: Around 2022
Refactor: 20 February 2025: Checked links and formatting.

I found in the last couple of years multiple uses for Graph, and slowly also Microsoft is moving to Graph for more and more authentication automation. I also found that the interface and procedure changes very fast, I register an Azure Enterprise App once every few months or so and I don't think I've ever done in exactly the same way as before. Because of that, it does take more time than I counted on, so I wanted to make a single page to collect all information, or directly link to other pages as examples.

To register an Azure Enterprise App, follow the following steps:

• In the azure portal, go to Azure Active Directory and click on “App Registrations” under the Manage section
• You see the already registered apps, so click on “+ New registration” to start configuring a new one.
  • Setup a name, this is just the display name so make it descriptive
  • Supported account types: Depends on your needs, but for me it's always “Accounts in this organizational directory only”
  • Redirect URI: Web: http://localhost
    • Note: this is optional now, next time, test with leaving this one empty
• Click Register to save the registration.

After the registration you'll see the overview of the registered app. Note the Application ID, you'll need it to identify the registered application.

Note that the Application ID is also sometimes referred to as the Client ID.

To configure a secret, from the registered application overview, follow the following steps:

• Go to “Certificates & secrets”
• Under the Client Secrets section, click “+ New client secret”
  • Provide a description and configure when the secret will expire. In the past you could create a secret that would never expire, but now it has a maximum duration of 2 years
• Click add to create the secret.

Once done, you'll see the value. Note the value, as this is the only time you'll be presented with it.

Note that the Client secret is also sometimes referred to as the application password or the secret passphrase.

The registered App needs permissions todo what you are going to use it for. Depending on what you are going to use it for, you need to assign permissions on a delegated user level or application level, or both. To assign permissions, from the registered application overview, follow the following steps:

• Go to API permissions
• Click “+ Add a permission”
  • Select your API, which depends on what you're going to do, but the Microsoft Graph is the one I use the most
  • Now select the type of permission, Application permissions is always a good one
  • Now select the actual permission, Directory.Read.All is always a good one
  • Click “Add permissions” to add the permissions
• Now notice the following things:
  • The permission is added to the list of configured permissions
  • The permission has a property of “Admin consent required” that is set to yes or no
  • The permission has a property of “Status” that is set to “Not granted for <name of tenant>
• Click on “Grant admin consent for <tenant>” next to Add a permission to actually grant the permissions.

Note that if you forget to grant the admin consent (a typical mistake) you can run into various errors and warnings depending on your IDE/Interface you're working with.

Now all we need to know is the primary domain configured for the tenant. In the azure portal, go back to the Azure Active Directory overview, and follow these steps:

• Go to Custom domain names
• Identify the Name that is configured as the Primary domain name, this is the tenant name.

Here I try to list all the documentation, howto's and such where I've used an Azure Enterprise Application: