Quickstart: Register an application in Microsoft Entra ID

In this quickstart, you learn how to register an application in Microsoft Entra ID. This process is essential for establishing a trust relationship between your application and the Microsoft identity platform. By completing this quickstart, you enable identity and access management (IAM) for your app, allowing it to securely interact with Microsoft services and APIs.

Prerequisites

• An Azure account that has an active subscription. Create an account for free.
• The Azure account must be at least a Application Developer.
• A workforce or external tenant. You can use your Default Directory for this quickstart. If you need an external tenant, complete set up an external tenant.

Register an application

Registering your application in Microsoft Entra establishes a trust relationship between your app and the Microsoft identity platform. The trust is unidirectional. Your app trusts the Microsoft identity platform, and not the other way around. Once created, the application object can't be moved between different tenants.

Follow these steps to create the app registration:

1. Sign in to the Microsoft Entra admin center as at least an Application Developer.

2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to the tenant in which you want to register the application.

3. Browse to Identity > Applications > App registrations and select New registration.

4. Enter a meaningful Name for your, for example identity-client-app. App users can see this name, and it can be changed at any time. You can have multiple app registrations with the same name.

5. Under Supported account types, specify who can use the application. We recommend you select Accounts in this organizational directory only for most applications. Refer to the table below for more information on each option.

   Supported account types	Description
   Accounts in this organizational directory only	For single-tenant apps for use only by users (or guests) in your tenant.
   Accounts in any organizational directory	For multitenant apps and you want users in any Microsoft Entra tenant to be able to use your application. Ideal for software-as-a-service (SaaS) applications that you intend to provide to multiple organizations.
   Accounts in any organizational directory and personal Microsoft accounts	For multitenant apps that support both organizational and personal Microsoft accounts (for example, Skype, Xbox, Live, Hotmail).
   Personal Microsoft accounts	For apps used only by personal Microsoft accounts (for example, Skype, Xbox, Live, Hotmail).

6. Select Register to complete the app registration.

   

7. The application's Overview page is displayed. Record the Application (client) ID, which uniquely identifies your application and is used in your application's code as part of validating the security tokens it receives from the Microsoft identity platform.

   

Important

New app registrations are hidden to users by default. When you're ready for users to see the app on their My Apps page you can enable it. To enable the app, in the Microsoft Entra admin center navigate to Identity > Applications > Enterprise applications and select the app. Then on the Properties page, set Visible to users? to Yes.

Grant admin consent (external tenants only)

Once you register your application, it gets assigned the User.Read permission. However, for external tenants, the customer users themselves can't consent to this permission. You as the admin must consent to this permission on behalf of all the users in the tenant:

1. From the Overview page of your app registration, under Manage select API permissions.
2. Select Grant admin consent for < tenant name >, then select Yes.
3. Select Refresh, then verify that Granted for < tenant name > appears under Status for the permission.

Add a redirect URI

A redirect URI is where the Microsoft identity platform sends security tokens after authentication. You can configure redirect URIs in Platform configurations in the Microsoft Entra admin center. For Web and Single-page applications, you need to specify a redirect URI manually. For Mobile and desktop platforms, you select from generated redirect URIs. Follow these steps to configure settings based on your target platform or device:

1. In the Microsoft Entra admin center, in App registrations, select your application.

2. Under Manage, select Authentication.

3. Under Platform configurations, select Add a platform.

4. Under Configure platforms, select the tile for your application type (platform) to configure its settings.

   

   Platform	Configuration settings	Example
   Web	Enter the Redirect URI for a web app that runs on a server. Front channel logout URLs can also be added	Node.js: • http://localhost:3000/auth/redirect ASP.NET Core: • https://localhost:7274/signin-oidc • https://localhost:7274/signout-callback-oidc (Front-channel logout URL) Python: • http://localhost:3000/getAToken
   Single-page application	Enter a Redirect URI for client-side apps using JavaScript, Angular, React.js, or Blazor WebAssembly. Front channel logout URLs can also be added	JavaScript, React: • http://localhost:3000 Angular: • http://localhost:4200/
   iOS / macOS	Enter the app Bundle ID, which generates a redirect URI for you. Find it in Build Settings or in Xcode in Info.plist.	Workforce tenant: • com.<yourname>.identitysample.MSALMacOS External tenant: • com.microsoft.identitysample.ciam.MSALiOS
   Android	Enter the app Package name, which generates a redirect URI for you. Find it in the AndroidManifest.xml file. Also generate and enter the Signature hash.	Kotlin: • com.azuresamples.msaldelegatedandroidkotlinsampleapp .NET MAUI: • msal{CLIENT_ID}://auth Java: • com.azuresamples.msalandroidapp
   Mobile and desktop applications	Select this platform for desktop apps or mobile apps not using MSAL or a broker. Select a suggested Redirect URI, or specify one or more Custom redirect URIs	Embedded browser desktop app: • https://login.microsoftonline.com/common/oauth2/nativeclient System browser desktop app: • http://localhost

5. Select Configure to complete the platform configuration.

Redirect URI restrictions

There are some restrictions on the format of the redirect URIs you add to an app registration. For details about these restrictions, see Redirect URI (reply URL) restrictions and limitations.

Add credentials

After registering an app, you can add certificates, client secrets (a string), or federated identity credentials as credentials to your confidential client app registration. Credentials allow your application to authenticate as itself, requiring no interaction from a user at runtime, and are used by confidential client applications that access a web API.

Add a certificate

Sometimes called a public key, a certificate is the recommended credential type because they're considered more secure than client secrets.

1. In the Microsoft Entra admin center, in App registrations, select your application.
2. Select Certificates & secrets > Certificates > Upload certificate.
3. Select the file you want to upload. It must be one of the following file types: .cer, .pem, .crt.
4. Select Add.

In production, you should use a certificate signed by a well known certificate authority (CA) such as Azure Key Vault. For more information about using a certificate as an authentication method in your application, see Microsoft identity platform application authentication certificate credentials.

Add a client secret

Sometimes called an application password, a client secret is a string value your app can use in place of a certificate to identify itself.

Client secrets are less secure than certificate or federated credentials and therefore should not be used in production environments. While they may be convenient for local app development, it is imperative to use certificate or federated credentials for any applications running in production to ensure higher security.

1. In the Microsoft Entra admin center, in App registrations, select your application.
2. Select Certificates & secrets > Client secrets > New client secret.
3. Add a description for your client secret.
4. Select an expiration for the secret or specify a custom lifetime.
   • Client secret lifetime is limited to two years (24 months) or less. You can't specify a custom lifetime longer than 24 months.
   • Microsoft recommends that you set an expiration value of less than 12 months.
5. Select Add.
6. Record the secret's value for use in your client application code. This secret value is never displayed again after you leave this page.

To learn more about client secret vulnerabilities, refer to Migrate applications away from secret-based authentication.

If you're using an Azure DevOps service connection that automatically creates a service principal, you need to update the client secret from the Azure DevOps portal site instead of directly updating the client secret. Refer to this document on how to update the client secret from the Azure DevOps portal site: Troubleshoot Azure Resource Manager service connections.

Add a federated credential

Federated identity credentials are a type of credential that allows workloads, such as GitHub Actions, workloads running on Kubernetes, or workloads running in compute platforms outside of Azure access Microsoft Entra protected resources without needing to manage secrets using workload identity federation.

To add a federated credential, follow these steps:

1. In the Microsoft Entra admin center, in App registrations, select your application.

2. Select Certificates & secrets > Federated credentials > Add credential.

3. In the Federated credential scenario drop-down box, select one of the supported scenarios, and follow the corresponding guidance to complete the configuration.

   • Customer managed keys for encrypt data in your tenant using Azure Key Vault in another tenant.
   • GitHub actions deploying Azure resources to configure a GitHub workflow to get tokens for your application and deploy assets to Azure.
   • Kubernetes accessing Azure resources to configure a Kubernetes service account to get tokens for your application and access Azure resources.
   • Other issuer to configure the application to trust a managed identity or an identity managed by an external OpenID Connect provider to get tokens for your application and access Azure resources.

For more information on how to get an access token with a federated credential, see Microsoft identity platform and the OAuth 2.0 client credentials flow.

Next step

Expose a web API

After registering an app, you can configure it to expose a web API. To learn how, refer to;

Configure an application to expose a web API

Explore sample code

The Microsoft identity platform offers a variety of code samples tailored for different application types and platforms. To explore these samples, refer to;

Microsoft identity platform code samples