This chapter covers Azure AD App Registrations, a fundamental concept for enabling applications to authenticate and authorize against Microsoft Entra ID. On the SC-900 exam, approximately 10-15% of questions touch on identity concepts including app registrations, service principals, and permissions. Understanding the difference between app registrations and service principals, the OAuth 2.0 flow, and consent permissions is critical for success. By the end of this chapter, you will be able to explain the purpose of app registrations, how they create a service principal, and how permissions and consent work.
Jump to a section
Imagine you want to build a new office in a city. You don't just start building—you first submit a building permit application to the city planning department. This permit includes your company name, the exact location, and the intended use of the building. Once approved, you receive a unique permit number and a set of credentials (e.g., a key to the city's water supply). Similarly, in Azure AD, an app registration is like that permit. You register your application with Azure AD by providing details like the application name, supported account types, and redirect URIs. Azure AD then issues a unique Application (client) ID and, optionally, a client secret or certificate. These credentials allow your app to authenticate and obtain tokens from Azure AD, just as the permit allows you to access city resources. The redirect URI is like the building's address where the city sends permits and notifications. Without a proper registration, your app cannot authenticate against Azure AD, just as a building without a permit cannot legally connect to city utilities. The registration also defines permissions your app needs—like requesting access to the city's water or electricity—which must be granted by an administrator or user. This analogy mirrors how app registrations create an identity for your application in Azure AD, enabling secure authentication and authorization.
What is an App Registration?
An app registration is a representation of your application in Azure AD. It acts as an identity for the application, allowing it to authenticate users and access resources secured by Azure AD. Think of it as a blueprint or template that defines how your application interacts with Azure AD. When you register an app, you provide metadata such as the application name, redirect URIs, supported account types, and permissions it requires. Azure AD then assigns a unique Application (client) ID and, optionally, generates a client secret or certificate for authentication.
Why App Registrations Exist
Without app registrations, applications would have no way to prove their identity to Azure AD. They enable the OAuth 2.0 and OpenID Connect protocols, which are the foundation for modern authentication. App registrations allow you to:
Define who can use the app (single tenant, multi-tenant, or personal accounts).
Specify where Azure AD should redirect users after authentication (redirect URIs).
Declare permissions the app needs (Microsoft Graph, other APIs).
Create credentials (secrets or certificates) for the app to authenticate itself.
How App Registration Works Internally
When you register an app, Azure AD creates two objects: the application object and the service principal object. The application object is the global representation of the app, stored in the tenant where the app is registered. The service principal is the local representation in each tenant where the app is used. For a single-tenant app, there is one service principal in the same tenant. For a multi-tenant app, a service principal is created in each tenant where consent is granted.
The registration process involves: 1. Creating the Application Object: You provide app name, supported account types, redirect URIs, and permissions. Azure AD generates a globally unique Application ID (client_id). 2. Generating Credentials: You can create a client secret (a string) or upload a certificate. Secrets have an expiration date (default 1 year, max 2 years). Certificates provide higher security and can have longer validity. 3. Defining Redirect URIs: These are URLs where Azure AD sends authentication responses. They must be HTTPS (except for localhost in development). For native apps, you can use custom URI schemes. 4. Exposing APIs (optional): If your app provides its own API, you can define scopes and app roles that other applications can request. 5. Setting Permissions: You declare which Microsoft Graph or other API permissions your app needs. These can be delegated (user context) or application-level (app-only).
Key Components, Values, and Defaults
- Application (client) ID: A GUID that uniquely identifies your app in Azure AD. It is used as the 'client_id' in OAuth 2.0 requests. Example: 12345678-1234-1234-1234-123456789abc.
- Directory (tenant) ID: The GUID of the tenant where the app is registered. Used to construct the authority URL: https://login.microsoftonline.com/{tenant-id}.
- Client Secret: A string value used by confidential clients to authenticate. Default expiration is 1 year. Can be set to 6 months, 1 year, or 2 years. Secrets are hashed and stored; you cannot retrieve the plaintext after creation.
- Certificate: A public/private key pair. The public key is uploaded; the private key is kept by the app. More secure than secrets. Supports SHA256 and SHA384.
- Redirect URIs: Up to 256 URIs per app. Must be HTTPS except for http://localhost. For single-page apps, use the auth code flow with PKCE.
- Supported Account Types:
- Accounts in this organizational directory only (Single tenant): Only users in your tenant can sign in.
- Accounts in any organizational directory (Any Azure AD directory - Multitenant): Users from any Azure AD tenant can sign in.
- Accounts in any organizational directory and personal Microsoft accounts (e.g., Skype, Xbox): Users with Microsoft personal accounts can also sign in.
- Personal Microsoft accounts only: Only for Microsoft accounts, not for work/school.
- Permissions: Two types:
- Delegated permissions: App acts on behalf of a signed-in user. Requires user consent or admin consent.
- Application permissions: App acts as itself (no user context). Requires admin consent.
- Pre-authorized applications: You can pre-authorize other apps to access your API without requiring user consent.
Configuration and Verification Commands
Using Azure CLI, you can create and manage app registrations:
# Register an app
az ad app create --display-name "MyApp" --sign-in-audience AzureADMyOrg --identifier-uris "api://myapp"
# Add a redirect URI
az ad app update --id <app-id> --web-redirect-uris "https://myapp.com/callback"
# Create a client secret
az ad app credential reset --id <app-id> --append --display-name "MySecret" --years 1
# List app registrations
az ad app list --query "[].{Name:displayName, AppId:appId}"Using Microsoft Graph PowerShell:
# Register an app
New-MgApplication -DisplayName "MyApp" -SignInAudience "AzureADMyOrg"
# Add a redirect URI
Update-MgApplication -ApplicationId <app-id> -Web @{RedirectUris = @("https://myapp.com/callback")}
# Create a client secret
Add-MgApplicationPassword -ApplicationId <app-id> -DisplayName "MySecret"Interaction with Related Technologies
App registrations are the foundation for: - OAuth 2.0 Authorization Code Flow: The app uses its client ID and secret to exchange an authorization code for an access token. - OpenID Connect: Adds an ID token for user authentication. - Microsoft Graph: Apps request delegated or application permissions to call Microsoft Graph APIs (e.g., User.Read, Mail.Send). - Conditional Access: Policies can target applications by their app ID, requiring MFA or location-based access. - Managed Identities: Azure resources (VMs, App Services) can use managed identities instead of app registrations; internally, a service principal is created automatically.
Step-by-Step Flow of an App Registration
Developer creates app registration in Azure portal or via CLI.
Azure AD generates Application ID and optionally a secret/certificate.
Developer configures permissions (e.g., User.Read) and saves.
Developer adds redirect URIs where tokens will be sent.
App requests authorization from Azure AD endpoint with client ID, redirect URI, and scope.
User signs in and consents (if required). Azure AD redirects back with an authorization code.
App exchanges code for tokens using client secret/certificate.
App uses access token to call Microsoft Graph or other APIs.
Create App Registration
Navigate to Azure AD > App registrations > New registration. Provide a display name (e.g., 'MyWebApp'). Choose supported account types: 'Accounts in this organizational directory only' for single-tenant apps. For multi-tenant, select 'Accounts in any organizational directory'. Optionally, set a redirect URI (e.g., https://myapp.com/callback). Click Register. Azure AD creates the application object and assigns a unique Application (client) ID and Directory (tenant) ID. The app appears in the list of app registrations.
Configure Authentication
In the app registration's 'Authentication' blade, add redirect URIs for web, SPA, or native platforms. For web apps, use HTTPS. For native apps, use custom URI schemes like myapp://auth. You can also set front-channel logout URL. Enable implicit grant flow only if needed (not recommended; use auth code flow with PKCE). Configure supported account types if needed. Save changes. This step ensures Azure AD knows where to send authentication responses.
Add Credentials
In 'Certificates & secrets', create a client secret or upload a certificate. For secrets, provide a description and choose expiration (6 months, 1 year, or 2 years). Copy the secret value immediately; it cannot be retrieved later. For certificates, upload the public key (.cer, .pem). Certificates are more secure and can have longer validity. Store secrets securely in Azure Key Vault or environment variables. Never hardcode secrets in code.
Configure API Permissions
In 'API permissions', click 'Add a permission'. Choose Microsoft Graph or other APIs. Select delegated or application permissions. For example, 'User.Read' (delegated) allows reading the signed-in user's profile. 'Mail.Send' (application) allows sending mail as any user (requires admin consent). After adding, click 'Grant admin consent' if required. Permissions are used to request scopes in OAuth 2.0 tokens. Without proper permissions, the API will reject requests.
Expose an API (Optional)
If your app provides its own API, go to 'Expose an API' to define scopes. Set an Application ID URI (e.g., api://myapp). Add scopes like 'access_as_user' with descriptions. Define who can consent (admins and users). Optionally, add authorized client applications that can call your API without user consent. This step is necessary for service-to-service authentication where your app's API is protected by Azure AD.
Scenario 1: Enterprise Web Application
A large enterprise develops an internal HR web app that needs to read employee profiles from Microsoft Graph. The developer registers the app as single-tenant, adds redirect URI https://hrportal.contoso.com/signin-oidc, and configures delegated permissions User.Read.All and Group.Read.All. The admin grants tenant-wide consent so users don't see consent prompts. The app uses the OAuth 2.0 authorization code flow with PKCE. The client secret is stored in Azure Key Vault and rotated every 6 months. Performance is not an issue as the app handles thousands of users. Misconfiguration: If the redirect URI is not HTTPS, Azure AD rejects the authentication request. If permissions are not granted, the app receives HTTP 403 Forbidden when calling Graph.
Scenario 2: Multi-Tenant SaaS Application
A SaaS vendor builds a project management tool that customers can sign up for. The app is registered as multi-tenant with supported account types 'Accounts in any organizational directory'. The redirect URI is https://app.projectmanager.com/auth/callback. The app requests delegated permissions User.Read and Tasks.ReadWrite. When a new customer signs in, they are prompted to consent to these permissions. The vendor uses certificates instead of secrets for higher security, rotating certificates annually. The app uses the authorization code flow. Common issue: If the app does not handle incremental consent correctly, users may see unexpected prompts. Also, if the app requests application permissions (which require admin consent), regular users cannot consent and the flow fails.
Scenario 3: Daemon Service (Service-to-Service)
A background service needs to read all calendar events across the tenant for reporting. The developer registers an app and configures application permissions Calendars.Read. Since application permissions require admin consent, the admin grants consent at the tenant level. The app authenticates using client credentials flow (client ID + certificate). The service principal is created in the tenant. The app runs on an Azure VM with a managed identity, but for external services, a traditional app registration is used. Misconfiguration: If the developer mistakenly uses delegated permissions, the daemon cannot authenticate because there is no user context. Also, if the certificate expires, the service stops working until the certificate is renewed.
What SC-900 Tests
Objective 2.1: Describe the authentication capabilities of Azure AD. This includes app registrations, service principals, and permissions.
Objective 2.2: Describe the identity protection and governance capabilities of Azure AD. This includes consent and permissions.
Objective 2.3: Describe the capabilities of Azure AD Conditional Access. This includes targeting applications.
Common Wrong Answers
'App registration is the same as a service principal.' This is false. An app registration is the application object; a service principal is the local instance in a tenant. The exam may ask: 'What is created when you register an app?' The correct answer is 'An application object' or 'An app registration and a service principal in the home tenant.'
'Client secrets are the most secure credential type.' Wrong. Certificates are more secure because they use asymmetric encryption and can have longer validity. Secrets are strings that can be leaked.
'Application permissions require user consent.' False. Application permissions always require admin consent because they allow the app to act without a user. Delegated permissions may require user consent or admin consent depending on the scope.
'Redirect URIs can be HTTP for production apps.' Wrong. Redirect URIs must be HTTPS except for localhost during development. The exam may test that the only exception is http://localhost.
Specific Numbers and Values
Application ID: GUID format.
Client secret max expiration: 2 years.
Redirect URIs per app: up to 256.
Supported account types: Single tenant, multi-tenant, personal Microsoft accounts.
Permission types: Delegated (user context) and Application (app-only).
Admin consent: Required for application permissions and high-privilege delegated permissions.
Edge Cases
Incremental consent: Apps can request additional permissions at runtime. The exam may ask about dynamic consent.
Pre-authorized applications: Allow apps to call your API without user consent. This is set in 'Expose an API'.
Managed identities: Are not app registrations; they are a feature for Azure resources. A service principal is created automatically.
How to Eliminate Wrong Answers
If the question mentions 'user context', the answer involves delegated permissions.
If the question mentions 'background service' or 'daemon', the answer involves application permissions and client credentials flow.
If the question asks about 'identity for the app', the answer is 'service principal' not 'app registration' (though app registration is the blueprint).
If the question mentions 'certificate vs secret', certificate is more secure.
An app registration creates an application object and a service principal in the home tenant.
Client secrets expire; certificates are more secure and can have longer validity.
Delegated permissions require a signed-in user; application permissions do not.
Application permissions always require admin consent.
Redirect URIs must be HTTPS except for http://localhost.
Managed identities are not app registrations; they create service principals automatically.
The OAuth 2.0 authorization code flow with PKCE is the recommended authentication flow for web apps.
These come up on the exam all the time. Here's how to tell them apart.
App Registration
Blueprint of the application
Created once per application in the home tenant
Contains metadata like redirect URIs, permissions
Has a unique Application (client) ID
Can be exported and reused across tenants
Service Principal
Instance of the application in a tenant
Created automatically in each tenant where the app is used
Contains tenant-specific settings like consent grants
Has a unique Object ID but same client ID
Cannot be exported; it is tied to the tenant
Mistake
An app registration and a service principal are the same thing.
Correct
An app registration is the application object (the blueprint), while a service principal is the local representation (the instance) in a specific tenant. For a single-tenant app, one service principal is created in the same tenant. For multi-tenant, a service principal is created in each tenant where consent is granted.
Mistake
Client secrets are more secure than certificates.
Correct
Certificates are more secure because they use asymmetric encryption and can be rotated without downtime. Client secrets are symmetric strings that can be leaked if stored insecurely. Microsoft recommends using certificates for production applications.
Mistake
Application permissions can be consented by users.
Correct
Application permissions (app-only) always require admin consent. They allow the app to access data without a signed-in user, so only an administrator can grant them. Delegated permissions can be consented by users unless they require admin consent (e.g., high-privilege scopes).
Mistake
Redirect URIs can be any HTTP URL.
Correct
Redirect URIs must use HTTPS, except for `http://localhost` which is allowed for development. Production apps must use HTTPS to prevent token interception. Azure AD rejects non-HTTPS URIs for security.
Mistake
App registrations can only be created in the Azure portal.
Correct
App registrations can be created via Azure portal, Azure CLI, PowerShell, or Microsoft Graph API. The portal is the most common, but automation is often used for CI/CD pipelines.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
An app registration is the global application object that defines how your app interacts with Azure AD. It contains the app ID, redirect URIs, and permissions. A service principal is the local representation of that app in a specific tenant. When you register an app, a service principal is created in the home tenant. For multi-tenant apps, a service principal is created in each tenant where consent is granted. The service principal holds tenant-specific settings like consent grants and conditional access policies.
Use a certificate for production applications because certificates are more secure (asymmetric encryption) and can be rotated without downtime. Client secrets are simpler but less secure; they are acceptable for development or low-risk scenarios. Microsoft recommends using certificates for any app that handles sensitive data. Secrets should be stored securely (e.g., Azure Key Vault) and rotated regularly.
Delegated permissions allow the app to act on behalf of a signed-in user. The app can only access what the user has permission to. Application permissions allow the app to act as itself without a user context, accessing any data the app is granted. Application permissions always require admin consent. For example, 'User.Read' (delegated) reads the signed-in user's profile; 'User.Read.All' (application) reads all users' profiles in the tenant.
Yes, you can change the supported account types in the 'Authentication' blade of the app registration. However, changing from single-tenant to multi-tenant may require updating your code to handle multiple tenants. Also, if you change to personal Microsoft accounts, you must ensure your app supports the Microsoft account identity provider. Note that changing to a less restrictive type may expose your app to a wider audience.
A redirect URI is the endpoint where Azure AD sends authentication responses (authorization codes, tokens) after user authentication. It must match exactly the URI registered in the app. For web apps, it is typically an HTTPS URL like 'https://myapp.com/callback'. For native apps, it can be a custom scheme like 'myapp://auth'. Azure AD validates the redirect URI to prevent token interception attacks.
Deleting an app registration removes the application object and the corresponding service principal in the home tenant. Any existing tokens will become invalid. The app will no longer be able to authenticate. If the app is multi-tenant, service principals in other tenants are not automatically deleted; they become orphaned. You can delete them manually. Deleting an app registration is irreversible, so ensure you have backups or can recreate it.
In the Azure portal, go to your app registration > 'API permissions' > 'Grant admin consent'. You must be a Global Administrator, Application Administrator, or a custom role with permissions to grant consent. You can also use the admin consent endpoint: 'https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}'. Admin consent is required for application permissions and high-privilege delegated permissions.
You've just covered Entra ID App Registrations — now see how well it sticks with free SC-900 practice questions. Full explanations included, no account needed.
Done with this chapter?