Tutorial: Register and configure Android (Kotlin) mobile app

This tutorial series demonstrates how to build an Android (Kotlin) mobile app that authenticates using an external tenant. You register an app within the customer's tenant, create an Android (Kotlin) app, and you implement the sign-in, sign-out, and call a protected web API.

In this tutorial, you'll;

  • Register an application in customers tenant.
  • Add a Platform redirect URL
  • Enable public client flow.
  • Add delegated permission to Microsoft Graph

Prerequisites

Register an application

To enable your application to sign in users with Microsoft Entra, Microsoft Entra External ID must be made aware of the application you create. The app registration establishes a trust relationship between the app and Microsoft Entra. When you register an application, External ID generates a unique identifier known as an Application (client) ID, a value used to identify your app when creating authentication requests.

The following steps show you how to register your app in the Microsoft Entra admin center:

  1. Sign in to the Microsoft Entra admin center as at least an Application Developer.

  2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to your external tenant from the Directories + subscriptions menu.

  3. Browse to Identity >Applications > App registrations.

  4. Select + New registration.

  5. In the Register an application page that appears;

    1. Enter a meaningful application Name that is displayed to users of the app, for example ciam-client-app.
    2. Under Supported account types, select Accounts in this organizational directory only.
  6. Select Register.

  7. The application's Overview pane displays upon successful registration. Record the Application (client) ID to be used in your application source code.

Add a platform redirect URL

To specify your app type to your app registration, follow these steps:

  1. Under Manage, select Authentication.
  2. On the Platform configurations page, select Add a platform, and then select Android option.
  3. Enter your project's Package Name. If you downloaded the sample code, this value is com.azuresamples.msaldelegatedandroidkotlinsampleapp.
  4. In the Signature hash section of the Configure your Android app pane, select Generating a development Signature Hash. This will change for each development environment. Copy and run the KeyTool command for your operating system in your Terminal.
  5. Enter the Signature hash generated by KeyTool.
  6. Select Configure.
  7. Copy the MSAL Configuration from the Android configuration pane and save it for later app configuration.
  8. Select Done.

Enable public client flow

To identify your app as a public client, follow these steps:

  1. Under Manage, select Authentication.

  2. Under Advanced settings, for Allow public client flows, select Yes.

  3. Select Save to save your changes.

Once you register your application, it gets assigned the User.Read permission. However, since the tenant is an external tenant, the customer users themselves can't consent to this permission. You as the admin must consent to this permission on behalf of all the users in the tenant:

  1. From the App registrations page, select the application that you created (such as ciam-client-app) to open its Overview page.

  2. Under Manage, select API permissions.

    1. Select Grant admin consent for <your tenant name>, then select Yes.
    2. Select Refresh, then verify that Granted for <your tenant name> appears under Status for the permission.

Next steps

Tutorial: Prepare your Android app for authentication.