Registering applications
The Microsoft identity platform app registration portal is the primary entry point for applications that use the platform for authentication and associated needs. As a developer, when registering and configuring your apps, the choices you make drive and affect how well your application satisfies Zero Trust principles. Effective app registration especially considers the principles of use least privileged access and assume breach. This article helps you to learn about the application registration process and its requirements to ensure that your apps follow a Zero Trust approach to security.
Application management in Microsoft Entra ID (Microsoft Entra ID) is the process of securely creating, configuring, managing, and monitoring applications in the cloud. When you register your application in a Microsoft Entra tenant, you configure secure user access.
Microsoft Entra ID represents applications by application objects and service principals. With some exceptions, applications are application objects. Think of a service principal as an instance of an application that references an application object. Multiple service principals across directories can reference a single application object.
You can configure your application to use Microsoft Entra ID through three methods: in Visual Studio, by using the Microsoft Graph API, or by using PowerShell. There are developer experiences in Azure and in API Explorer across developer centers. Reference the required decisions and tasks for the developer and IT Pro roles to build and deploy secure applications in the Microsoft identity platform.
Who can add and register applications
Admins and, if permitted by the tenant, users and developers may create application objects by registering applications in the Azure portal. By default, all users in a directory can register application objects that they develop. Application object developers decide which applications share and give access to organizational data through consent.
When the first user in a directory signs in to an application and grants consent, the system creates a service principal in the tenant that stores all user consent information. Microsoft Entra ID automatically creates a service principal for a newly registered app in the tenant before a user authenticates.
Only Microsoft Entra global administrators can perform specific application tasks (such as adding applications from the app gallery and configuring applications to use application proxy).
Registering application objects
As a developer, you register your apps that use the Microsoft identity platform. Register your apps in the Azure portal or by calling Microsoft Graph application APIs. After you register your app, it communicates with the Microsoft identity platform by sending requests to the endpoint.
You might not have permission to create or modify an application registration. When administrators don't give you permissions to register your applications, ask them how you can convey necessary app registration information to them.
Application registration properties may include the following components.
- Name, logo, and publisher
- Redirect URIs
- Secrets (symmetric and/or asymmetric keys used to authenticate the application)
- API dependencies (OAuth)
- Published APIs/resources/scopes (OAuth)
- App roles for role-based access control
- Metadata and configuration for single sign-on (SSO), user provisioning, and proxy
A required part of app registration is your selection of supported account types to define who can use your app based on the user's account type. Microsoft Entra administrators follow the application model to manage application objects in the Azure portal through the App registrations experience and define application settings that tell the service how to issue tokens to the application.
During registration, you receive the identity of your application: the application (client) ID. Your app uses its client ID every time it performs a transaction through the Microsoft identity platform.
App registration best practices
Follow security best practices for application properties when registering your application in Microsoft Entra ID as a critical part of its business use. Aim to prevent downtime or compromise that may affect the entire organization. The following recommendations help you to develop your secure application around Zero Trust principles.
- Use the Microsoft identity platform integration checklist to ensure high quality and secure integration. Maintain the quality and security of your app.
- Properly define your redirect URLs. Reference the Redirect URI (reply URL) restrictions and limitations to avoid compatibility and security issues.
- Check redirect URIs in your app registration for ownership to avoid domain takeovers. Redirect URLs should be on domains that you know and own. Regularly review and remove unnecessary and unused URIs. Don't use non-https URIs in production apps.
- Always define and maintain app and service principal owners for your registered apps in your tenant. Avoid orphaned apps (apps and service principals that have no assigned owners). Ensure that IT admins can easily and quickly identify app owners during an emergency. Keep the number of app owners small. Make it difficult for a compromised user account to affect multiple applications.
- Avoid using the same app registration for multiple apps. Separating app registrations helps you to enable least privileged access and reduce impact during a breach.
- Use separate app registrations for apps that sign in users and apps that expose data and operations via API (unless tightly coupled). This approach allows permissions for a higher privileged API, such as Microsoft Graph and credentials (like secrets and certificates), at a distance from apps that sign in and interact with users.
- Use separate app registrations for web apps and APIs. This approach helps ensure that, if the web API has a higher set of permissions, then the client app doesn't inherit them.
- Define your application as a multi-tenant app only when necessary. Multi-tenant apps allow for provisioning in tenants other than yours. They require more management overhead to filter unwanted access. Unless you intend to develop your app as a multi-tenant app, start with a SignInAudience value of AzureADMyOrg.
Next steps
- Reference the Microsoft identity platform documentation to learn how to register application types. Example app types include single-page apps (SPA), web apps, web APIs, desktop apps, mobile apps, and background services, daemons, and scripts.
- The New App registrations experience for Azure AD B2C article helps you become familiar the new experience that replaces the legacy experience.
- Integrating applications with Microsoft Entra ID and the Microsoft identity platform helps developers to build and integrate apps that IT pros can secure in the enterprise by securely integrate apps with Microsoft Entra ID and the Microsoft identity platform.
- Acquiring authorization to access resources helps you to understand how to best ensure Zero Trust when acquiring resource access permissions for your application.
- Authorization best practices helps you to implement the best authorization, permission, and consent models for your applications.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for