Domain 3 of 4 · Chapter 3 of 4

App Registrations

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Microsoft Certified: Identity and Access Administrator Associate premium course — no separate purchase.

Included in this chapter:

  • The application object and its service principals
  • Plan and create a registration: audience, redirect URIs
  • Configure app authentication: credentials
  • Configure API permissions and create app roles

Delegated vs application permissions on an app registration

AspectDelegated permissionsApplication permissions
Access contextOn behalf of a signed-in userAs the app itself, no user
Also calledScopes, OAuth2 permission scopesApp roles, app-only permissions
Typical appsWeb, mobile, single-page appDaemon, background service
Effective accessCapped at what the user can doEverything the permission covers, tenant-wide
Who can consentUser for own data, or admin for allAdmin only
Consent methodsStatic list or dynamic at sign-inStatic list only
Graph result of consentoAuth2PermissionGrantappRoleAssignment

Decision tree

User signed in whenthe app calls the API?Yes, on user's behalfNo, app as itselfDelegated permissionsscopes; user or admin consentApplication permissionsapp roles; admin consent onlyHow is the appcredentialed?External workloadStored credentialLocal dev onlyFederated credentialno secret to rotateCertificaterecommended; via Key VaultClient secret24-month cap; not productionWho must sign into the app?Other orgs tooOwn org onlyMultitenant (AzureADMultipleOrgs)Single tenant (AzureADMyOrg)

Cheat sheet

  • An app registration creates one application object in its home tenant
  • The application object is the template; the service principal is the per-tenant instance
  • A single-tenant app has one service principal; a multitenant app gains one per consenting tenant
  • Deleting an app registration deletes its home-tenant service principal, and restore does not bring it back
  • Registering through the portal auto-creates the service principal; Microsoft Graph does not
  • signInAudience sets who can sign in, from single tenant to personal accounts
  • A redirect URI is a reply location, not the Application ID URI
  • Application (client) ID is shared; object ID is per object
  • Delegated permissions act on behalf of a user and never exceed the user's own access
  • Application permissions act as the app with no user and grant tenant-wide access
  • Application permissions require admin consent; users can consent only to their own delegated data
  • Delegated permissions can be static or dynamic; application permissions are static only
  • Federated credentials remove stored secrets by trusting an external OIDC token
  • Certificates are preferred over client secrets; secrets are test-only
  • A client secret is capped at 24 months and its value shows only once
  • Use a managed identity, not an app-registration secret, when the app runs on Azure
  • App roles you define are emitted in the token's roles claim
  • allowedMemberTypes decides whether an app role goes to users, applications, or both
  • Define app roles in App registrations, assign them in Enterprise applications
  • Assigning an app role via a group does not emit the roles claim for a service principal
  • App roles travel with the app and beat groups for multitenant authorization
  • scp carries delegated permissions; roles carries application permissions
  • Pre-authorize a client under Expose an API to suppress the consent prompt
  • The Application ID URI defaults to api://{clientId} and prefixes every scope
  • Disable an app role (isEnabled=false) before you can delete it

Unlock with Premium — includes all practice exams and the complete study guide.

References

  1. https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals
  2. https://entra.microsoft.com
  3. https://learn.microsoft.com/en-us/entra/identity-platform/single-and-multi-tenant-apps
  4. https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app
  5. https://learn.microsoft.com/en-us/graph/api/resources/application
  6. https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation
  7. https://learn.microsoft.com/en-us/entra/identity-platform/how-to-add-credentials
  8. https://learn.microsoft.com/en-us/azure/key-vault/general/overview
  9. https://learn.microsoft.com/en-us/entra/identity-platform/permissions-consent-overview
  10. https://learn.microsoft.com/en-us/entra/identity-platform/howto-add-app-roles-in-apps