Tutorial / Cram Notes
Types of Applications in Azure Active Directory
Azure AD supports the registration of different types of applications:
- Web applications/APIs: These are applications that have a web-based front end or web API. They may need to authenticate users or other applications/services.
- Single-page applications (SPA): JavaScript or TypeScript applications running in a web browser that call web APIs, often using OAuth2 authorization code flow with PKCE.
- Mobile and desktop applications: These applications run on a device and may interact with a web API or the Microsoft Graph API.
- Daemon or server-side applications: Applications that run as a background service without a signed-in user, often using client credentials flow.
When registering these applications in Azure AD, they are generally categorized into two major types:
- Owned applications: Applications that your own organization develops and registers in your own Azure AD tenant; you control the registration object, its credentials and its permissions.
- External applications: Third-party applications registered in the publisher's tenant; they show up in your tenant only as an enterprise application (a service principal) once a user or admin consents to them.
Application Registration Process
The following outlines the general steps required to register an application in Azure AD:
- Log into the Azure portal: Start by signing in with an account that is allowed to register applications. By default any member user can register an app; if the tenant setting "Users can register applications" has been set to No, the account needs a role that grants app creation, such as Application Developer, Cloud Application Administrator or Application Administrator.
- Navigate to App registrations: Find the “App registrations” service within the Azure AD section of the portal.
- Register a new application: Provide the basic details such as the name of the application, supported account types (single tenant, multi-tenant, or any Microsoft account), and the redirect URI if applicable.
- Configure permissions: Decide on the API permissions your application will require. These could be Microsoft Graph permissions or custom API permissions.
- Assign credentials: For confidential clients (web apps, daemons), add a credential the application uses to prove its identity to Azure AD. Prefer a certificate or a federated credential over a client secret, and use a managed identity instead when the workload runs in Azure; if you must use a secret, give it a short lifetime and keep it in a vault, since anyone holding it can act as the application. Public clients (SPA, mobile, desktop) get no credential at all.
- Assign roles: Assign any necessary roles to the application, particularly if the application will be performing actions that require certain administrative privileges within Azure AD.
- Configure additional settings as necessary: These can include token configuration, branding, consent settings, and more.
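The same steps driven through the Microsoft Graph REST API, as an added example that is not part of the original notes. The builder and validator functions run offline; only register() talks to Graph, and it assumes a bearer token with Application.ReadWrite.All in the GRAPH_TOKEN environment variable. The service-principal object, the host names and the redirect-URI rule are constructed or assumed here (the rule is deliberately stricter than the portal); the Microsoft Graph appId is the well-known one and the User.Read id is only illustrative because the code resolves scopes by name.

```python
"""Register a least-privilege web app in Azure AD through Microsoft Graph (stdlib only)."""
import json
import os
import re
import urllib.request
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com/v1.0"
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known appId of the Microsoft Graph resource


def validate_redirect_uri(uri: str) -> bool:
    """Assumed policy, stricter than the portal: https only, except plain http on a
    loopback address; no wildcards; no fragments. A loose reply URL is what lets an
    attacker receive someone else's authorization code."""
    if "*" in uri or "#" in uri:
        return False
    if re.match(r"^https://[^/\s]+", uri):
        return True
    return bool(re.match(r"^http://(localhost|127\.0\.0\.1)(:\d+)?(/|$)", uri))


def lookup_scope_id(resource_sp: dict, scope_value: str) -> str:
    """Resolve a delegated permission name to the id Graph expects in requiredResourceAccess,
    using the resource's service principal (GET /servicePrincipals?$filter=appId eq '<appId>')."""
    for scope in resource_sp.get("oauth2PermissionScopes", []):
        if scope.get("value") == scope_value:
            return scope["id"]
    raise KeyError(f"{scope_value!r} is not a delegated permission of {resource_sp.get('appId')}")


def build_application(name: str, redirect_uris, resource_sp: dict, delegated_scopes) -> dict:
    """Body for POST /applications: single tenant, implicit grant off, only the scopes asked for."""
    bad = [u for u in redirect_uris if not validate_redirect_uri(u)]
    if bad:
        raise ValueError(f"unsafe redirect URIs: {bad}")
    return {
        "displayName": name,
        "signInAudience": "AzureADMyOrg",  # widen to multi-tenant deliberately, never by default
        "web": {
            "redirectUris": list(redirect_uris),
            "implicitGrantSettings": {"enableAccessTokenIssuance": False,
                                      "enableIdTokenIssuance": False},
        },
        "requiredResourceAccess": [{
            "resourceAppId": resource_sp["appId"],
            "resourceAccess": [{"id": lookup_scope_id(resource_sp, s), "type": "Scope"}
                               for s in delegated_scopes],
        }],
    }


def password_credential_body(display_name: str, days: int = 90) -> dict:
    """Body for POST /applications/{id}/addPassword with a short lifetime. A certificate
    (keyCredentials) or a managed identity is preferable; a secret is the weakest option."""
    end = datetime.now(timezone.utc) + timedelta(days=days)
    return {"passwordCredential": {"displayName": display_name,
                                   "endDateTime": end.strftime("%Y-%m-%dT%H:%M:%SZ")}}


def graph_post(path: str, body: dict, token: str) -> dict:
    req = urllib.request.Request(
        GRAPH + path, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def register(name, redirect_uris, resource_sp, scopes, token):
    """Create the registration, its service principal (the portal does this implicitly,
    the API does not) and one short-lived secret. secretText is returned only once."""
    app = graph_post("/applications", build_application(name, redirect_uris, resource_sp, scopes), token)
    sp = graph_post("/servicePrincipals", {"appId": app["appId"]}, token)
    cred = graph_post(f"/applications/{app['id']}/addPassword", password_credential_body("initial"), token)
    return app, sp, cred["secretText"]  # store in a vault, never in source or CI logs


SAMPLE_GRAPH_SP = {  # constructed, trimmed to the fields used above
    "appId": MS_GRAPH_APP_ID,
    "oauth2PermissionScopes": [
        {"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "value": "User.Read", "type": "User"},
    ],
}

if __name__ == "__main__":
    uris = ["https://orders.contoso.com/signin-oidc"]  # constructed host name
    print(json.dumps(build_application("orders-web", uris, SAMPLE_GRAPH_SP, ["User.Read"]), indent=2))
    if os.environ.get("GRAPH_TOKEN"):  # replace SAMPLE_GRAPH_SP with the real object fetched from Graph
        register("orders-web", uris, SAMPLE_GRAPH_SP, ["User.Read"], os.environ["GRAPH_TOKEN"])
```

The point to take from the body: signInAudience, implicitGrantSettings and requiredResourceAccess are all explicit, so a reviewer can diff a registration against policy instead of clicking through the portal.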
Permission and Consent Framework
Azure AD uses a permissions and consent framework that enables applications to request access to data in a way that the user or admin can control. There are two types of permissions:
- Delegated permissions: Permissions requested by applications when there’s a signed-in user, which allow the app to act as the signed-in user.
- Application permissions: Permissions requested by applications that run without a signed-in user, which allow the app to act on its own behalf.
The following table compares the two types of permissions:
| Feature | Delegated Permissions | Application Permissions |
|---|---|---|
| Running context | On behalf of a signed-in user | Without a signed-in user |
| Typical application scenarios | SPA, mobile, web applications | Daemon services, background jobs |
| Consent grant | User or admin (depending on the scope) | Admin only (high level of access) |
| Claim in the access token | scp (space-separated scope names) | roles (list of app role values) |
| Effective privilege | Intersection of the app's granted scopes and the user's own rights | Everything the granted role allows, across the whole tenant |
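What the two permission types look like from the receiving API's side, as an added example that is not part of the original notes. It assumes the token's signature has already been verified against the tenant's signing keys (the JWKS named in the issuer's OpenID discovery document) and only performs the claim checks that follow: audience, tenant, expiry, and then scp for delegated tokens or roles for application tokens. The tokens, tenant ID and Application ID URI are constructed sample data, unsigned so they can be built offline; the optional idtyp claim is only present when the registration is configured to emit it, so the code also falls back to the scp/roles shape.

```python
"""Claim checks for an Azure AD access token at a protected API."""
import base64
import json
import time


def decode_payload(jwt: str) -> dict:
    """Base64url-decode the payload segment. The signature is NOT checked here."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed sample token (alg=none, empty signature) for offline use only."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


class TokenRejected(Exception):
    pass


def authorize(claims: dict, expected_audiences, allowed_tenants,
              required_scope=None, required_role=None, now=None):
    """Returns ('delegated', user oid) or ('application', calling app id), else raises."""
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise TokenRejected("expired")
    # aud: a token minted for another resource (e.g. Graph) must not be accepted here
    if claims.get("aud") not in expected_audiences:
        raise TokenRejected(f"audience {claims.get('aud')!r} is not this API")
    # tid: a multi-tenant API decides which tenants it trusts instead of accepting all
    if claims.get("tid") not in allowed_tenants:
        raise TokenRejected(f"tenant {claims.get('tid')!r} not allowed")
    scopes = set(claims.get("scp", "").split())
    roles = set(claims.get("roles", []))
    # Application permissions: no user, roles present, scp absent
    if claims.get("idtyp") == "app" or (roles and not scopes):
        if required_role is None or required_role not in roles:
            raise TokenRejected("missing application permission (roles)")
        return "application", claims.get("appid") or claims.get("azp")
    # Delegated permissions: the app acts as the user, so the API must still apply
    # that user's own access rights to the data it returns
    if required_scope is None or required_scope not in scopes:
        raise TokenRejected("missing delegated permission (scp)")
    return "delegated", claims.get("oid")


def check(jwt: str, **kwargs):
    """Never raises: ('allow', kind, subject) or ('deny', reason)."""
    try:
        kind, subject = authorize(decode_payload(jwt), **kwargs)
        return ("allow", kind, subject)
    except TokenRejected as e:
        return ("deny", str(e))


# Constructed sample data
TENANT = "11111111-2222-3333-4444-555555555555"
API_ID_URI = "api://orders.contoso.com"  # the API's Application ID URI (v1.0 token audience)
FAR_FUTURE = 4102444800                  # 2100-01-01, keeps the samples unexpired

DELEGATED = make_unsigned_jwt({"aud": API_ID_URI, "tid": TENANT, "oid": "user-1",
                               "scp": "Orders.Read Orders.Write", "exp": FAR_FUTURE})
APP_ONLY = make_unsigned_jwt({"aud": API_ID_URI, "tid": TENANT, "appid": "client-app-1",
                              "roles": ["Orders.Read.All"], "idtyp": "app", "exp": FAR_FUTURE})
REPLAYED_GRAPH_TOKEN = make_unsigned_jwt({"aud": "https://graph.microsoft.com", "tid": TENANT,
                                          "oid": "user-1", "scp": "User.Read", "exp": FAR_FUTURE})
FOREIGN_TENANT = make_unsigned_jwt({"aud": API_ID_URI, "tid": "99999999-8888-7777-6666-555555555555",
                                    "oid": "user-9", "scp": "Orders.Read", "exp": FAR_FUTURE})
POLICY = {"expected_audiences": {API_ID_URI}, "allowed_tenants": {TENANT}}

if __name__ == "__main__":
    for name, tok in [("delegated", DELEGATED), ("app-only", APP_ONLY),
                      ("replayed", REPLAYED_GRAPH_TOKEN), ("foreign", FOREIGN_TENANT)]:
        print(name, check(tok, required_scope="Orders.Read", required_role="Orders.Read.All", **POLICY))
```

Two of the four samples are denied for reasons that have nothing to do with permissions: the replayed Graph token fails the audience check and the foreign-tenant token fails the tenant check. Both are common findings in APIs that only look at scp.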
Managing Application Registrations
It is important to manage application registrations effectively to maintain security and compliance within an organization:
- Audit and review: Regularly audit the applications in your tenant, review the permissions they have been granted and whether these permissions are still necessary.
- Monitor activity: Use the monitoring capabilities within Azure AD to track sign-ins and audit logs which can indicate how applications are being used.
- Apply conditional access policies: Establish policies to control how and when applications can access Azure AD resources. This includes setting conditions based on user, location, device state, and sign-in risk.
- Lifecycle management: Remove registrations for applications that are no longer in use, and re-review permissions whenever a functional change requires new ones. An orphaned registration with a live credential is a standing entry point into the tenant.
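The "audit and review" and "lifecycle management" items above, turned into a check that runs over the JSON returned by GET https://graph.microsoft.com/v1.0/applications. This is an added example, not part of the original notes; the listing embedded below is a constructed sample with the same shape (the paging via @odata.nextLink is left to the caller), the 30-day warning and 365-day maximum lifetime are assumed policy values, and the "sensitive" permission id is a constructed placeholder standing in for whichever application permissions your organization treats as high privilege.

```python
"""Audit Azure AD app registrations for risky configuration."""
from datetime import datetime, timedelta, timezone

MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known appId of Microsoft Graph


def parse_graph_time(value: str) -> datetime:
    """Graph emits ISO-8601 UTC, sometimes with 7 fractional digits; ignore the fraction."""
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def audit_application(app: dict, now: datetime, sensitive_role_ids=frozenset(),
                      warn_days: int = 30, max_lifetime_days: int = 365) -> list:
    """Findings as (severity, code, detail) for one application object."""
    findings = []
    if app.get("signInAudience", "AzureADMyOrg") != "AzureADMyOrg":
        findings.append(("info", "multi-tenant", app["signInAudience"]))
    grant = app.get("web", {}).get("implicitGrantSettings", {})
    if grant.get("enableAccessTokenIssuance") or grant.get("enableIdTokenIssuance"):
        findings.append(("high", "implicit-grant-enabled", "move to authorization code + PKCE"))
    for kind, creds in (("secret", app.get("passwordCredentials", [])),
                        ("certificate", app.get("keyCredentials", []))):
        for cred in creds:
            start = parse_graph_time(cred["startDateTime"])
            end = parse_graph_time(cred["endDateTime"])
            label = f"{kind} {cred.get('displayName') or cred.get('keyId', '?')}"
            if end <= now:  # expired credentials are dead weight, or a sign nobody owns the app
                findings.append(("medium", "credential-expired", label))
            elif end - now <= timedelta(days=warn_days):
                findings.append(("medium", "credential-expiring", f"{label} in {(end - now).days} days"))
            if end - start > timedelta(days=max_lifetime_days):
                findings.append(("medium", "credential-long-lived", f"{label} valid {(end - start).days} days"))
    for rra in app.get("requiredResourceAccess", []):
        for access in rra.get("resourceAccess", []):
            if access.get("type") != "Role":
                continue  # delegated scope: bounded by the signed-in user's own rights
            sev = "high" if access["id"] in sensitive_role_ids else "low"
            findings.append((sev, "app-permission", f"{access['id']} on {rra['resourceAppId']}"))
    return findings


def audit(listing: dict, now: datetime, sensitive_role_ids=frozenset()) -> dict:
    """appId -> findings for one page of a GET /applications response."""
    return {app["appId"]: audit_application(app, now, sensitive_role_ids) for app in listing["value"]}


SAMPLE_LISTING = {"value": [  # constructed; shaped like GET /applications
    {"displayName": "orders-web", "appId": "aaaaaaaa-0000-0000-0000-000000000001",
     "signInAudience": "AzureADMyOrg",
     "web": {"implicitGrantSettings": {"enableAccessTokenIssuance": False, "enableIdTokenIssuance": False}},
     "passwordCredentials": [{"displayName": "rotated-2024-06", "keyId": "k1",
                              "startDateTime": "2024-06-01T00:00:00Z", "endDateTime": "2024-09-01T00:00:00Z"}],
     "keyCredentials": [],
     "requiredResourceAccess": [{"resourceAppId": MS_GRAPH_APP_ID,
                                 "resourceAccess": [{"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "type": "Scope"}]}]},
    {"displayName": "legacy-reporting", "appId": "aaaaaaaa-0000-0000-0000-000000000002",
     "signInAudience": "AzureADMultipleOrgs",
     "web": {"implicitGrantSettings": {"enableAccessTokenIssuance": True, "enableIdTokenIssuance": True}},
     "passwordCredentials": [{"displayName": "initial", "keyId": "k2",
                              "startDateTime": "2019-01-01T00:00:00Z", "endDateTime": "2024-01-01T00:00:00.1234567Z"}],
     "keyCredentials": [],
     "requiredResourceAccess": [{"resourceAppId": MS_GRAPH_APP_ID,
                                 "resourceAccess": [{"id": "deadbeef-0000-0000-0000-000000000099", "type": "Role"}]}]},
]}
SENSITIVE = frozenset({"deadbeef-0000-0000-0000-000000000099"})  # constructed placeholder id
SAMPLE_NOW = datetime(2024, 7, 15, tzinfo=timezone.utc)          # fixed "now" so the sample is reproducible

if __name__ == "__main__":
    for app_id, findings in audit(SAMPLE_LISTING, SAMPLE_NOW, SENSITIVE).items():
        print(app_id, findings or "clean")
```

Run it against a real listing with datetime.now(timezone.utc) and feed the "high" findings into the review meeting; the "info" multi-tenant finding is there because those registrations also need the tenant check shown in the token example.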
Application registrations are a foundational component of identity and access management in Azure AD. A thorough understanding of how to register, configure, and manage applications ensures that Azure resources are protected and that your organization can efficiently and securely operate in the cloud.
Practice Test with Explanation
True or False: When registering an application in Azure Active Directory, you need to specify who can use this application by configuring the “Who can use this application or access this API?” setting.
- True
Correct Answer: True
Explanation: The prompt "Who can use this application or access this API?" is the Supported account types choice on the registration page (single tenant, multi-tenant, multi-tenant plus personal Microsoft accounts, or personal accounts only). It is mandatory, and it determines which identities Azure AD will issue tokens for, so keep it at single tenant unless the application genuinely needs a wider audience.
Single select: In the context of application registrations in Azure AD, what does the term “redirect URI” refer to?
- a) The URI to which Azure AD redirects the user agent in OAuth 2.0 flows
- b) The primary URI of the application server
- c) The URL where the application is hosted
- d) The URI used for Azure AD B2C custom policies
Correct Answer: a) The URI to which Azure AD redirects the user agent in OAuth 2.0 flows
Explanation: The redirect URI (reply URL) is where Azure AD sends the authorization response (code or tokens) in OAuth 2.0 and OpenID Connect flows. It must exactly match a URI registered on the application, which is what stops an attacker from having the response delivered to a host they control.
Multiple select: Which of the following are components of application registrations that need to be considered in Azure AD? (Choose all that apply.)
- a) Redirect URIs
- b) API permissions
- c) Single sign-on (SSO) method
- d) Conditional Access policies
Correct Answer: a) Redirect URIs, b) API permissions
Explanation: When registering an application in Azure AD, the Redirect URIs and the API permissions are essential components; the SSO method and Conditional Access policies are related to subsequent configuration steps, not directly to the initial registration.
True or False: Managed identities for Azure resources do not require application registration in Azure AD.
- True
Correct Answer: True
Explanation: Managed identities for Azure resources are automatically managed by Azure and do not require a manual application registration process in Azure AD.
Single select: Which Azure AD feature allows you to delegate application management to end-users without granting them global administrative privileges?
- a) Application proxy
- b) Enterprise applications
- c) App registrations
- d) Self-service application management
Correct Answer: d) Self-service application management
Explanation: Self-service application management allows end-users to manage applications without needing to be global administrators.
True or False: An application manifest in Azure AD can be modified to set groupMembershipClaims to SecurityGroup or ApplicationGroup to instruct Azure AD to emit group claims in tokens.
- True
Correct Answer: True
Explanation: In the application manifest, you can modify the groupMembershipClaims setting to include group claims in tokens issued by Azure AD.
Multiple select: Which of the following Grant Types are commonly used with Azure AD App Registrations? (Choose all that apply.)
- a) Authorization Code
- b) Client Credentials
- c) SAML
- d) Implicit Flow
Correct Answer: a) Authorization Code, b) Client Credentials, d) Implicit Flow
Explanation: Authorization Code, Client Credentials and Implicit Flow are OAuth 2.0 grant types supported by app registrations in Azure AD; SAML is a separate protocol configured on the enterprise application, not an OAuth grant. The implicit flow is a legacy option: Microsoft recommends the authorization code flow with PKCE for SPAs, and new registrations have implicit grant switched off.
Single select: What is the purpose of a client secret in an Azure AD application registration?
- a) To redirect users after they sign in
- b) To encrypt the application’s data at rest
- c) To authenticate the application to Azure AD
- d) To define the set of permissions the app requires
Correct Answer: c) To authenticate the application to Azure AD
Explanation: A client secret is used to authenticate the application to Azure AD when performing operations that require it to identify itself.
True or False: Multi-tenant applications in Azure AD allow users from any Azure AD tenant to sign in and use the application.
- True
Correct Answer: True
Explanation: Multi-tenant applications are configured to allow users from other Azure AD tenants to access the application.
Single select: Which type of application should you choose in Azure AD if you are developing a background service that runs without the presence of a user?
- a) Public client (mobile & desktop)
- b) Web
- c) Daemon
- d) Single-page application (SPA)
Correct Answer: c) Daemon
Explanation: Daemon or background services run without a user's direct interaction, so they authenticate as themselves with the client credentials flow and need application permissions granted by an admin.
True or False: Application owners must manually renew client secrets before they expire to prevent service interruptions.
- True
Correct Answer: True
Explanation: Client secrets have a fixed expiry (the portal allows at most 24 months, and shorter is better) and Azure AD does not renew them. Owners should rotate before expiry, ideally by adding the new secret while the old one is still valid so the cut-over causes no downtime, or replace secrets with certificates or managed identities.
Single select: How can an application in Azure AD obtain tokens to call an API on behalf of a user?
- a) Using managed identities
- b) Negotiating a Kerberos ticket
- c) Using the OAuth 2.0 authorization code flow
- d) By configuring direct API access with no authentication
Correct Answer: c) Using the OAuth 2.0 authorization code flow
Explanation: The OAuth 2.0 authorization code flow is used to obtain tokens so the application can call an API on behalf of a user.
Interview Questions
What is an Azure AD application registration?
An Azure AD application registration is a record of an application that has been registered with Azure AD, which can be used to integrate with Azure AD for authentication and authorization.
What are the prerequisites to register an application with Azure AD?
You need an Azure AD tenant and an account that is allowed to create application objects in it. By default every member user may register applications; if an admin has set "Users can register applications" to No, the account needs a role that grants app creation, such as Application Developer, Cloud Application Administrator or Application Administrator. Global Administrator is not required.
What is the difference between a single-tenant and a multi-tenant application registration?
A single-tenant application registration is associated with a single Azure AD tenant, while a multi-tenant application registration can be associated with multiple Azure AD tenants.
What is the application ID URI, and why is it important?
The Application ID URI (for example api://<client-id> or https://contoso.com/orders-api) is the identifier a web API exposes to its clients. It appears as the audience (aud) of v1.0 access tokens issued for that API (v2.0 tokens carry the API's client ID instead) and is the prefix of the scopes clients request, such as api://<client-id>/Orders.Read. It must be unique within the tenant, and the API must check the audience on every token it receives; otherwise a token issued for a different resource could be replayed against it.
What are the two types of application authentication supported by Azure AD?
Azure AD supports two models: client credentials, where the application authenticates as itself, and delegated access, where a signed-in user authorizes the application to act on their behalf.
What is the difference between client credentials and delegated permissions?
With client credentials the application proves its own identity to Azure AD using its client ID plus a secret, a certificate or a federated credential, and receives a token carrying the application permissions (roles) an admin granted it. With delegated permissions a user signs in and consents, the application obtains tokens through an interactive flow such as authorization code, and the resulting scopes (scp) are further limited by what that user is allowed to do.
What is a service principal, and how is it related to an Azure AD application registration?
A service principal is the object that represents an application's identity inside a specific tenant; it is what receives permissions, role assignments and consent. The application object (the registration) is the global template in the home tenant. The portal creates the home-tenant service principal automatically when you register; if you create the application through Microsoft Graph you must create the service principal yourself, and for a multi-tenant app every other tenant gets its own service principal at first consent.
How can you manage the lifecycle of an Azure AD application registration?
You can manage the lifecycle of an Azure AD application registration by using the Azure portal, Azure PowerShell, or the Azure CLI.
How can you update the configuration of an existing Azure AD application registration?
You can update the configuration of an existing Azure AD application registration by editing the application’s registration in the Azure portal, or by using Azure PowerShell or the Azure CLI.
How can you delete an Azure AD application registration?
You can delete an Azure AD application registration by selecting the application in the Azure portal and clicking “Delete”, or by using Azure PowerShell or the Azure CLI.
Great post on planning for application registrations! Really informative.
I agree with @User1. This post clarified a lot of concepts for me!
Can someone explain the difference between single-tenant and multi-tenant registrations in more detail?
What’s the best way to ensure app security during the registration process?
Thanks, this is exactly what I needed!
To what extent should we utilize OAuth2.0 in application registrations for SC-300?
The blog didn’t cover much on hybrid identity scenarios. Why is that?
Does anyone have experience configuring app roles? I find it quite confusing.