Create an app registration to use with Azure Digital Twins
This article describes how to create an Microsoft Entra ID app registration that can access Azure Digital Twins. This article includes steps for the Azure portal and the Azure CLI.
When working with Azure Digital Twins, it's common to interact with your instance through client applications. Those applications need to authenticate with Azure Digital Twins, and some of the authentication mechanisms that apps can use involve an app registration.
The app registration isn't required for all authentication scenarios. However, if you're using an authentication strategy or code sample that does require an app registration, this article shows you how to set one up and grant it permissions to the Azure Digital Twins APIs. It also covers how to collect important values that you'll need to use the app registration when authenticating.
Tip
You may prefer to set up a new app registration every time you need one, or to do this only once, establishing a single app registration that will be shared among all scenarios that require it.
Create the registration
Start by selecting the tab below for your preferred interface.
Navigate to Microsoft Entra ID in the Azure portal (you can use this link or find it with the portal search bar). Select App registrations from the service menu, and then + New registration.
In the Register an application page that follows, fill in the requested values:
- Name: A Microsoft Entra application display name to associate with the registration.
- Supported account types: Select Accounts in this organizational directory only (Default Directory only - Single tenant).
When you're finished, select the Register button.
When the registration is finished setting up, the portal will redirect you to its details page.
Collect important values
Next, collect some important values about the app registration that you'll need to use the app registration to authenticate a client application. These values include:
- resource name — When working with Azure Digital Twins, the resource name is
http://digitaltwins.azure.net
. - client ID
- tenant ID
- client secret
The following sections describe how to find the remaining values.
Collect client ID and tenant ID
To use the app registration for authentication, you may need to provide its Application (client) ID and Directory (tenant) ID. Here, you'll collect these values so you can save them and use them whenever they're needed.
The client ID and tenant ID values can be collected from the app registration's details page in the Azure portal:
Take note of the Application (client) ID and Directory (tenant) ID shown on your page.
Collect client secret
Set up a client secret for your app registration, which other applications can use to authenticate through it.
Start on your app registration page in the Azure portal.
Select Certificates & secrets from the registration's menu, and then select + New client secret.
Enter whatever values you want for Description and Expires, and select Add.
Verify that the client secret is visible on the Certificates & secrets page with Expires and Value fields.
Take note of its Secret ID and Value to use later (you can also copy them to the clipboard with the Copy icons).
Important
Make sure to copy the values now and store them in a safe place, as they can't be retrieved again. If you can't find them later, you'll have to create a new secret.
Provide Azure Digital Twins permissions
Next, configure the app registration you've created with permissions to access Azure Digital Twins. There are two types of permissions that are required:
- A role assignment for the app registration within the Azure Digital Twins instance
- API permissions for the app to read and write to the Azure Digital Twins APIs
Create role assignment
In this section, you'll create a role assignment for the app registration on the Azure Digital Twins instance. This role will determine what permissions the app registration holds on the instance, so you should select the role that matches the appropriate level of permission for your situation. One possible role is Azure Digital Twins Data Owner. For a full list of roles and their descriptions, see Azure built-in roles.
Use these steps to create the role assignment for your registration.
Open the page for your Azure Digital Twins instance in the Azure portal.
Select Access control (IAM).
Select Add > Add role assignment to open the Add role assignment page.
Assign the appropriate role. For detailed steps, see Assign Azure roles using the Azure portal.
Setting Value Role Select as appropriate Members > Assign access to User, group, or service principal Members > Members + Select members, then search for the name of the app registration Once the role has been selected, Review + assign it.
Verify role assignment
You can view the role assignment you've set up under Access control (IAM) > Role assignments.
The app registration should show up in the list along with the role you assigned to it.
Provide API permissions
In this section, you'll grant your app baseline read/write permissions to the Azure Digital Twins APIs.
If you're using the Azure CLI and set up your app registration earlier with a manifest file, this step is already done. If you're using the Azure portal to create your app registration, continue through the rest of this section to set up API permissions.
From the portal page for your app registration, select API permissions from the menu. On the following permissions page, select the + Add a permission button.
In the Request API permissions page that follows, switch to the APIs my organization uses tab and search for Azure digital twins. Select Azure Digital Twins from the search results to continue with assigning permissions for the Azure Digital Twins APIs.
Note
If your subscription still has an existing Azure Digital Twins instance from the previous public preview of the service (before July 2020), you'll need to search for and select Azure Smart Spaces Service instead. This is an older name for the same set of APIs (notice that the Application (client) ID is the same as in the screenshot above), and your experience won't be changed beyond this step.
Next, you'll select which permissions to grant for these APIs. Expand the Read (1) permission and check the box that says Read.Write to grant this app registration reader and writer permissions.
Select Add permissions when finished.
Verify API permissions
On the API permissions page, verify that there's now an entry for Azure Digital Twins reflecting Read.Write permissions:
You can also verify the connection to Azure Digital Twins within the app registration's manifest.json, which was automatically updated with the Azure Digital Twins information when you added the API permissions.
To do so, select Manifest from the menu to view the app registration's manifest code. Scroll to the bottom of the code window and look for the following fields and values under requiredResourceAccess
:
"resourceAppId": "0b07f429-9f4b-4714-9392-cc5e8e80c8b0"
"resourceAccess"
>"id": "4589bd03-58cb-4e6c-b17f-b580e39652f8"
These values are shown in the screenshot below:
If these values are missing, retry the steps in the section for adding the API permission.
Other possible steps for your organization
It's possible that your organization requires more actions from subscription owners or administrators to finish setting up the app registration. The steps required may vary depending on your organization's specific settings. Choose a tab below to see this information tailored to your preferred interface.
Here are some common potential activities that an owner or administrator on the subscription may need to do. These and other operations can be performed from the Microsoft Entra App registrations page in the Azure portal.
Grant admin consent for the app registration. Your organization may have Admin Consent Required globally turned on in Microsoft Entra ID for all app registrations within your subscription. If so, the owner/administrator will need to select this button for your company on the app registration's API permissions page for the app registration to be valid:
- If consent was granted successfully, the entry for Azure Digital Twins should then show a Status value of Granted for (your company)
Activate public client access
Set specific reply URLs for web and desktop access
Allow for implicit OAuth2 authentication flows
For more information about app registration and its different setup options, see Register an application with the Microsoft identity platform.
Next steps
In this article, you set up a Microsoft Entra app registration that can be used to authenticate client applications with the Azure Digital Twins APIs.
Next, read about authentication mechanisms, including one that uses app registrations and others that don't: