Register App as Client and Resource in Azure AD

asked 2022-12-27T21:00:29.57+00:00
Kumar 101 Reputation points

We are using Azure AD as our authorization provider. We have 3 applications, all registered in Azure AD.

ClientApp ---> API X (oAuth Enabled) ----> API Y (oAuth Enabled)

In the above use case API X is a

  • Resource that ClientApp needs to access and
  • Client that need to access API Y (Resource).

The question is on the best practice on how to register APIX in Azure AD.

Should we have a single App Registration for APIX that acts as a Resource and a Client or
Should we have 2 different App Registrations for APIX, one to represent the Resource and another to represent Client (with credentials).

Please advise


Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
12,562 questions
No comments
{count} votes

2 answers

Sort by: Most helpful
  1. answered 2023-01-02T18:48:34.563+00:00
    Alfredo Revilla (MSFT) 15,561 Reputation points Microsoft Employee

    Hello, for client, middle-tier and downstream Api scenarios, you can user 1 Azure AD app registration for all of them during initial development/test. However, for production 1 Azure AD app registration for each offers the best in terms scalability, maintainability, security and governance. You can restrict different users or principals per each app, apply different Conditional Access policies, token settings, create and expose specific user or app permissions/roles, and more. E.g. You can create:

    1. An app for your client, which only allows users of a specific dynamic group, enable PKCE/SPA (no client credentials required or shared).
    2. An app for your middle tier Api, which exposes a user permission and will trust client app so that consent is not required. Only clients from trusted IPs will connect using password, others will require MFA thanks to CA policies. It can be secured with a client certificate and/or allowing managed identities (like the ones acting on behalf of a deployed SPA in Azure).
    3. An app for your downstream Api which will only allow the middle tier Api to AuthN, nothing/nobody else. Only clients connecting from an Azure IP range (where the middle tier Api will be deployed) will be able to connect thanks to CA policies.

    Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.

  2. answered 2023-01-20T17:18:39.1533333+00:00
    Alfredo Revilla (MSFT) 15,561 Reputation points Microsoft Employee

    Hello @kumar-0961, is anything else I can help you with?