Create an app registration to use with Azure Digital Twins

This article describes how to create an Microsoft Entra ID app registration that can access Azure Digital Twins. This article includes steps for the Azure portal and the Azure CLI.

When working with Azure Digital Twins, it's common to interact with your instance through client applications. Those applications need to authenticate with Azure Digital Twins, and some of the authentication mechanisms that apps can use involve an app registration.

The app registration isn't required for all authentication scenarios. However, if you're using an authentication strategy or code sample that does require an app registration, this article shows you how to set one up and grant it permissions to the Azure Digital Twins APIs. It also covers how to collect important values that you'll need to use the app registration when authenticating.

Tip

You may prefer to set up a new app registration every time you need one, or to do this only once, establishing a single app registration that will be shared among all scenarios that require it.

Create the registration

Start by selecting the tab below for your preferred interface.

Navigate to Microsoft Entra ID in the Azure portal (you can use this link or find it with the portal search bar). Select App registrations from the service menu, and then + New registration.

Screenshot of the Microsoft Entra service page in the Azure portal, showing the steps to create a new registration in the 'App registrations' page.

In the Register an application page that follows, fill in the requested values:

  • Name: A Microsoft Entra application display name to associate with the registration.
  • Supported account types: Select Accounts in this organizational directory only (Default Directory only - Single tenant).

When you're finished, select the Register button.

Screenshot of the 'Register an application' page in the Azure portal with the described values filled in.

When the registration is finished setting up, the portal will redirect you to its details page.

Collect important values

Next, collect some important values about the app registration that you'll need to use the app registration to authenticate a client application. These values include:

  • resource name — When working with Azure Digital Twins, the resource name is http://digitaltwins.azure.net.
  • client ID
  • tenant ID
  • client secret

The following sections describe how to find the remaining values.

Collect client ID and tenant ID

To use the app registration for authentication, you may need to provide its Application (client) ID and Directory (tenant) ID. Here, you'll collect these values so you can save them and use them whenever they're needed.

The client ID and tenant ID values can be collected from the app registration's details page in the Azure portal:

Screenshot of the Azure portal showing the important values for the app registration.

Take note of the Application (client) ID and Directory (tenant) ID shown on your page.

Collect client secret

Set up a client secret for your app registration, which other applications can use to authenticate through it.

Start on your app registration page in the Azure portal.

  1. Select Certificates & secrets from the registration's menu, and then select + New client secret.

    Screenshot of the Azure portal showing a Microsoft Entra app registration and a highlight around 'New client secret'.

  2. Enter whatever values you want for Description and Expires, and select Add.

    Screenshot of the Azure portal while adding a client secret.

  3. Verify that the client secret is visible on the Certificates & secrets page with Expires and Value fields.

  4. Take note of its Secret ID and Value to use later (you can also copy them to the clipboard with the Copy icons).

    Screenshot of the Azure portal showing how to copy the client secret value.

Important

Make sure to copy the values now and store them in a safe place, as they can't be retrieved again. If you can't find them later, you'll have to create a new secret.

Provide Azure Digital Twins permissions

Next, configure the app registration you've created with permissions to access Azure Digital Twins. There are two types of permissions that are required:

  • A role assignment for the app registration within the Azure Digital Twins instance
  • API permissions for the app to read and write to the Azure Digital Twins APIs

Create role assignment

In this section, you'll create a role assignment for the app registration on the Azure Digital Twins instance. This role will determine what permissions the app registration holds on the instance, so you should select the role that matches the appropriate level of permission for your situation. One possible role is Azure Digital Twins Data Owner. For a full list of roles and their descriptions, see Azure built-in roles.

Use these steps to create the role assignment for your registration.

  1. Open the page for your Azure Digital Twins instance in the Azure portal.

  2. Select Access control (IAM).

  3. Select Add > Add role assignment to open the Add role assignment page.

  4. Assign the appropriate role. For detailed steps, see Assign Azure roles using the Azure portal.

    Setting Value
    Role Select as appropriate
    Members > Assign access to User, group, or service principal
    Members > Members + Select members, then search for the name of the app registration

    Screenshot of the Roles tab in the Add role assignment page.

    Screenshot of the Members tab in the Add role assignment page.

    Once the role has been selected, Review + assign it.

Verify role assignment

You can view the role assignment you've set up under Access control (IAM) > Role assignments.

Screenshot of the Role Assignments page for an Azure Digital Twins instance in the Azure portal.

The app registration should show up in the list along with the role you assigned to it.

Provide API permissions

In this section, you'll grant your app baseline read/write permissions to the Azure Digital Twins APIs.

If you're using the Azure CLI and set up your app registration earlier with a manifest file, this step is already done. If you're using the Azure portal to create your app registration, continue through the rest of this section to set up API permissions.

From the portal page for your app registration, select API permissions from the menu. On the following permissions page, select the + Add a permission button.

Screenshot of the app registration in the Azure portal, highlighting the 'API permissions' menu option and 'Add a permission' button.

In the Request API permissions page that follows, switch to the APIs my organization uses tab and search for Azure digital twins. Select Azure Digital Twins from the search results to continue with assigning permissions for the Azure Digital Twins APIs.

Screenshot of the 'Request API Permissions' page search result in the Azure portal showing Azure Digital Twins.

Next, you'll select which permissions to grant for these APIs. Expand the Read (1) permission and check the box that says Read.Write to grant this app registration reader and writer permissions.

Screenshot of the 'Request API Permissions' page and selecting 'Read.Write' permissions for the Azure Digital Twins APIs in the Azure portal.

Select Add permissions when finished.

Verify API permissions

On the API permissions page, verify that there's now an entry for Azure Digital Twins reflecting Read.Write permissions:

Screenshot of the API permissions for the Microsoft Entra app registration in the Azure portal, showing 'Read/Write Access' for Azure Digital Twins.

You can also verify the connection to Azure Digital Twins within the app registration's manifest.json, which was automatically updated with the Azure Digital Twins information when you added the API permissions.

To do so, select Manifest from the menu to view the app registration's manifest code. Scroll to the bottom of the code window and look for the following fields and values under requiredResourceAccess:

  • "resourceAppId": "0b07f429-9f4b-4714-9392-cc5e8e80c8b0" (This is the resource ID for the Azure Digital Twins service endpoint.)
  • "resourceAccess" > "id": "4589bd03-58cb-4e6c-b17f-b580e39652f8" (This is the permission ID for the Read.Write delegated permission in Azure Digital Twins.)

These values are shown in the screenshot below:

Screenshot of the manifest for the Microsoft Entra app registration in the Azure portal.

If these values are missing, retry the steps in the section for adding the API permission.

Other possible steps for your organization

It's possible that your organization requires more actions from subscription owners or administrators to finish setting up the app registration. The steps required may vary depending on your organization's specific settings. Choose a tab below to see this information tailored to your preferred interface.

Here are some common potential activities that an owner or administrator on the subscription may need to do. These and other operations can be performed from the Microsoft Entra App registrations page in the Azure portal.

  • Grant admin consent for the app registration. Your organization may have Admin Consent Required globally turned on in Microsoft Entra ID for all app registrations within your subscription. If so, the owner/administrator will need to select this button for your company on the app registration's API permissions page for the app registration to be valid:

    Screenshot of the Azure portal showing the 'Grant admin consent' button under API permissions.

    • If consent was granted successfully, the entry for Azure Digital Twins should then show a Status value of Granted for (your company)

    Screenshot of the Azure portal showing the admin consent granted for the company under API permissions.

  • Activate public client access

  • Set specific reply URLs for web and desktop access

  • Allow for implicit OAuth2 authentication flows

For more information about app registration and its different setup options, see Register an application with the Microsoft identity platform.

Next steps

In this article, you set up a Microsoft Entra app registration that can be used to authenticate client applications with the Azure Digital Twins APIs.

Next, read about authentication mechanisms, including one that uses app registrations and others that don't: