Table of Contents
Register Azure Enterprise App for Graph
I found in the last couple of years multiple uses for Graph, and slowly also Microsoft is moving to Graph for more and more authentication automation. I also found that the interface and procedure changes very fast, I register an Azure Enterprise App once every few months or so and I don't think I've ever done in exactly the same way as before. Because of that, it does take more time than I counted on, so I wanted to make a single page to collect all information, or directly link to other pages as examples.
App Registrations
To register an Azure Enterprise App, follow the following steps:
- In the azure portal, go to Azure Active Directory and click on “App Registrations” under the Manage section
- You see the already registered apps, so click on “+ New registration” to start configuring a new one.
- Setup a name, this is just the display name so make it descriptive
- Supported account types: Depends on your needs, but for me it's always “Accounts in this organizational directory only”
- Redirect URI: Web: http://localhost
- Note: this is optional now, next time, test with leaving this one empty
- Click Register to save the registration.
After the registration you'll see the overview of the registered app. Note the Application ID, you'll need it to identify the registered application.
Note that the Application ID is also sometimes referred to as the Client ID.
Client Secret
To configure a secret, from the registered application overview, follow the following steps:
- Go to “Certificates & secrets”
- Under the Client Secrets section, click “+ New client secret”
- Provide a description and configure when the secret will expire. In the past you could create a secret that would never expire, but now it has a maximum duration of 2 years
- Click add to create the secret.
Once done, you'll see the value. Note the value, as this is the only time you'll be presented with it.
Note that the Client secret is also sometimes referred to as the application password or the secret passphrase.
Assign Permissions
The registered App needs permissions todo what you are going to use it for. Depending on what you are going to use it for, you need to assign permissions on a delegated user level or application level, or both. To assign permissions, from the registered application overview, follow the following steps:
- Go to API permissions
- Click “+ Add a permission”
- Select your API, which depends on what you're going to do, but the Microsoft Graph is the one I use the most
- Now select the type of permission, Application permissions is always a good one
- Now select the actual permission, Directory.Read.All is always a good one
- Click “Add permissions” to add the permissions
- Now notice the following things:
- The permission is added to the list of configured permissions
- The permission has a property of “Admin consent required” that is set to yes or no
- The permission has a property of “Status” that is set to “Not granted for <name of tenant>
- Click on “Grant admin consent for <tenant>” next to Add a permission to actually grant the permissions.
Note that if you forget to grant the admin consent (a typical mistake) you can run into various errors and warnings depending on your IDE/Interface you're working with.
Tenant Domain
Now all we need to know is the primary domain configured for the tenant. In the azure portal, go back to the Azure Active Directory overview, and follow these steps:
- Go to Custom domain names
- Identify the Name that is configured as the Primary domain name, this is the tenant name.
Using the Azure Enterprise App
Here I try to list all the documentation, howto's and such where I've used an Azure Enterprise Application:
Link | API Used | Purpose and Remarks |
---|---|---|
Azure DevOps Extension - Send email through Graph | Microsoft Graph | An Azure DevOps extension that uses MS Graph to send out emails when a SMTP server is not available. |
Office365 Health Status and Licenses | Microsoft Graph and Office 365 Management | Use a powerhell script to retrieve the health status of office 365 (and visualize that with PowerBI) |
TFS Maintenance Build | Microsoft Graph | Use a powershell script to monitor an isolated environment and mail out monitoring messages using graph |
Federated Login for AWS with Azure AD | None | Use Azure Active Directory accounts to log in to the AWS Console |
Manage MS Teams Membership | Microsoft Graph | Use a powershell script in Azure DevOps Server to add users to a Microsoft Team based on an AD security group |