
Create Entra ID app registrations

This section details the steps required to create the Entra ID App Registration. A registration is required for each instance of Pro-Sapien.

Before you start

Prerequisite stages

Confirm the following stages have been completed.

Parameters

The following values from the parameters workbook are required:

  • {Entra-App-Name}
  • {Web-App-Domain}

Permission required

Use an account with the following permissions:

  • Global Administrator

Entra ID App registration

Create a new Entra ID App Registration in Azure Portal for each Pro-Sapien instance.

Two instances will be deployed, requiring two app registrations:

  • UAT (test)
  • Production (live)

The following steps create the app registration in Azure Portal:

New registration

  1. Navigate to Azure Portal -> Microsoft Entra ID -> App Registrations
  2. Click on New Registration

app-reg-01.png

Complete details

  1. Name: populate with {Entra-App-Name}
  2. Supported account types: select Accounts in this organizational directory only (Single tenant)
  3. Redirect URI (optional): select Web and provide the following URI: https://{Web-App-Domain}/.auth/login/aad/callback
    • {Web-App-Domain} is the full domain of the Azure Web App
    • If a custom domain is being used, this should be the fully qualified custom domain
    • If not, this should be the *.azurewebsites.net domain
  4. Click on Register

app-reg-02.png

Authentication

  1. Navigate to the Authentication page
  2. Front-channel logout URL: provide the following URI: https://{Web-App-Domain}/Account/EndSession
    • {Web-App-Domain} is the full domain of the Azure Web App
    • If a custom domain is being used, this should be the fully qualified custom domain
    • If not, this should be the *.azurewebsites.net domain
  3. Implicit grant and hybrid flows: select ID tokens only; leave Access tokens unselected
  4. Click on Save

app-reg-03.png

Authentication (alternative steps)

info

If the Front-channel logout URL section is not available on the authentication page, this indicates a web Redirect URI was not provided in the first step. If this is the case, complete the following alternative steps.

ONLY execute these steps if the Front-channel logout URL section is not available.

  1. Click on Add a platform

app-reg-auth-alt-01.png

  2. Click on Web

app-reg-auth-alt-02.png

  3. Redirect URIs: provide the following URI: https://{Web-App-Domain}/.auth/login/aad/callback
    • {Web-App-Domain} is the full domain of the Azure Web App
    • If a custom domain is being used, this should be the fully qualified custom domain
    • If not, this should be the *.azurewebsites.net domain
  4. Front-channel logout URL: provide the following URI: https://{Web-App-Domain}/Account/EndSession
    • {Web-App-Domain} is the full domain of the Azure Web App
    • If a custom domain is being used, this should be the fully qualified custom domain
    • If not, this should be the *.azurewebsites.net domain
  5. Implicit grant and hybrid flows: select ID tokens only; leave Access tokens unselected
  6. Click on Configure

app-reg-auth-alt-03.png

API permissions

User profiles

  1. Navigate to the API permissions page
  2. Click on Add a permission

app-reg-04.png

  3. Select Microsoft Graph

app-reg-05.png

  4. Select Application permissions

app-reg-06.png

  5. Search for User.Read.All (located under the User section)
  6. Select User.Read.All and click on Add permissions

app-reg-07.png

The delegated User.Read permission is added as a second, separate entry:

  1. Navigate to the API permissions page
  2. Click on Add a permission
  3. Select Microsoft Graph
  4. Select Delegated permissions
  5. Search for User.Read (located under the User section)
  6. Select User.Read and click on Add permissions

SharePoint

  1. Navigate to the API permissions page
  2. Click on Add a permission
  3. Select SharePoint
  4. Select Application permissions
  5. Select
    • Sites.Selected
    • TermStore.ReadWrite.All
    • User.Read.All
  6. Click on Add permissions

info

Sites.Selected grants the app no access to any SharePoint site by itself. After admin consent, access to each site the app needs must be granted to it separately; the other two permissions apply tenant-wide as soon as consent is granted.

app-reg-08.png

  7. Click on Grant admin consent for {tenant-name}

app-reg-09.png

  8. Click on Yes

app-reg-10.png

Final page example:

app-reg-11.png

Scope

  1. Navigate to the Expose an API page
  2. Click on Add next to the Application ID URI

app-reg-12.png

  3. Click on Save

app-reg-13.png

  4. Click on Add a scope

app-reg-14.png

  5. Scope name: populate with "user_impersonation"
  6. Who can consent?: select Admins only
  7. Admin consent display name: populate with "user_impersonation"
  8. Admin consent description: populate with "Allows the app to access web api endpoints on behalf of the signed in user."
  9. State: select Enabled
  10. Click on Add scope

app-reg-15.png

Final page example:

app-reg-16.png

Before you finish

Find Client ID

  1. Navigate to the Overview page
  2. The following details should be captured in the parameters workbook:
    • Application (client) ID {Entra-App-ClientId}

app-reg-23.png

Find Object ID

  1. Navigate to Azure Portal -> Microsoft Entra ID -> Enterprise applications
  2. Search for the {Entra-App-Name}
  3. Click on the application

app-reg-24.png

  4. The following details should be captured in the parameters workbook:
    • Object ID {Entra-App-ObjectId}

This is the Object ID of the enterprise application (the service principal), which is different from the Object ID shown on the App Registration's Overview page. Capture the enterprise application value.

app-reg-25.png
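The whole procedure above (registration, authentication settings, API permissions, admin consent, exposed scope and the two captured IDs) as one script, added here as an example and not Pro-Sapien's own tooling. It uses the Microsoft Graph PowerShell SDK and assumes the Microsoft.Graph module is installed and the signed-in account can create applications and grant tenant-wide admin consent. The two well-known application IDs for Microsoft Graph and SharePoint Online are the same in every tenant; every permission ID is resolved by name at run time rather than hard-coded. The parameter names and the example values in the usage note are placeholders for {Entra-App-Name} and {Web-App-Domain}.

```powershell
<#
Added example, not Pro-Sapien's own tooling: creates one app registration with the
same settings as the portal steps above, using the Microsoft Graph PowerShell SDK.
Assumes the Microsoft.Graph module is installed (Install-Module Microsoft.Graph) and the
signed-in account can create applications and grant tenant-wide admin consent.
Run once per instance (UAT, Production); the parameter values are placeholders.
#>
param(
    [Parameter(Mandatory)][string]$EntraAppName,   # {Entra-App-Name}
    [Parameter(Mandatory)][string]$WebAppDomain    # {Web-App-Domain}: custom FQDN or the *.azurewebsites.net host
)

Connect-MgGraph -NoWelcome -Scopes @(
    'Application.ReadWrite.All',             # create/update the registration
    'AppRoleAssignment.ReadWrite.All',       # consent to application permissions
    'DelegatedPermissionGrant.ReadWrite.All' # consent to the delegated User.Read
)

# Well-known first-party application IDs (identical in every tenant).
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"  # Microsoft Graph
$spoSp   = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0ff1-ce00-000000000000'"  # SharePoint Online

# Resolve permission IDs by name from the resource's own service principal, so no
# permission GUIDs are hard-coded and a misspelt permission fails loudly.
function Get-AppRoleId($sp, $value) {
    $role = $sp.AppRoles | Where-Object { $_.Value -eq $value -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $role) { throw "Application permission '$value' not found on $($sp.DisplayName)" }
    $role.Id
}
function Get-ScopeId($sp, $value) {
    $scope = $sp.Oauth2PermissionScopes | Where-Object { $_.Value -eq $value }
    if (-not $scope) { throw "Delegated permission '$value' not found on $($sp.DisplayName)" }
    $scope.Id
}

$spoRoles = 'Sites.Selected', 'TermStore.ReadWrite.All', 'User.Read.All' |
    ForEach-Object { @{ id = (Get-AppRoleId $spoSp $_); type = 'Role' } }

$requiredResourceAccess = @(
    @{
        resourceAppId  = $graphSp.AppId
        resourceAccess = @(
            @{ id = (Get-AppRoleId $graphSp 'User.Read.All'); type = 'Role' }   # application permission
            @{ id = (Get-ScopeId   $graphSp 'User.Read');     type = 'Scope' }  # delegated permission
        )
    }
    @{ resourceAppId = $spoSp.AppId; resourceAccess = @($spoRoles) }
)

# "New registration" + "Authentication": single tenant, Easy Auth callback, logout URL,
# ID tokens only (access-token issuance through the implicit flow stays off).
$app = New-MgApplication -DisplayName $EntraAppName -SignInAudience 'AzureADMyOrg' `
    -Web @{
        RedirectUris          = @("https://$WebAppDomain/.auth/login/aad/callback")
        LogoutUrl             = "https://$WebAppDomain/Account/EndSession"
        ImplicitGrantSettings = @{ EnableIdTokenIssuance = $true; EnableAccessTokenIssuance = $false }
    } `
    -RequiredResourceAccess $requiredResourceAccess

# "Expose an API": default Application ID URI plus the admin-only user_impersonation scope.
Update-MgApplication -ApplicationId $app.Id -IdentifierUris @("api://$($app.AppId)") -Api @{
    Oauth2PermissionScopes = @(
        @{
            Id                      = [guid]::NewGuid()
            Value                   = 'user_impersonation'
            Type                    = 'Admin'   # Who can consent: Admins only
            AdminConsentDisplayName = 'user_impersonation'
            AdminConsentDescription = 'Allows the app to access web api endpoints on behalf of the signed in user.'
            IsEnabled               = $true
        }
    )
}

# The enterprise application (service principal) that "Grant admin consent" acts on.
$sp = New-MgServicePrincipal -AppId $app.AppId

# Tenant-wide admin consent: app role assignments for the application permissions,
# an AllPrincipals OAuth2 grant for the delegated User.Read.
foreach ($resource in $requiredResourceAccess) {
    $resourceSp = if ($resource.resourceAppId -eq $graphSp.AppId) { $graphSp } else { $spoSp }
    foreach ($access in $resource.resourceAccess | Where-Object { $_.type -eq 'Role' }) {
        New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
            -ResourceId $resourceSp.Id -AppRoleId $access.id | Out-Null
    }
}
New-MgOauth2PermissionGrant -ClientId $sp.Id -ConsentType 'AllPrincipals' -ResourceId $graphSp.Id -Scope 'User.Read' | Out-Null

# "Before you finish": the two values the parameters workbook needs.
[pscustomobject]@{
    'Entra-App-ClientId' = $app.AppId   # Application (client) ID from the Overview page
    'Entra-App-ObjectId' = $sp.Id       # Object ID from Enterprise applications (service principal), not $app.Id
}
```

Run it once per instance, for example with `-EntraAppName 'ProSapien-UAT' -WebAppDomain 'prosapien-uat.azurewebsites.net'` (placeholder values). The script deliberately outputs `$sp.Id`, the enterprise application's Object ID, because that is what the Find Object ID step captures; `$app.Id` is the app registration's Object ID and is a different value. Because the helpers throw when a permission name is not found, a failed run leaves no half-consented registration to clean up beyond the application itself.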

Next steps

Now complete the following steps: