--- id: sm-entra-app-registration name: "entra-app-registration" url: https://skills.yangsir.net/skill/sm-entra-app-registration author: microsoft domain: cloud-infra tags: ["azure-ad-(entra-id)", "application-registration", "oauth-2.0", "identity-management", "single-sign-on"] install_count: 134700 rating: 4.80 (2000 reviews) github: https://github.com/microsoft/github-copilot-for-azure --- # entra-app-registration > 协助用户在Microsoft Entra ID(原Azure AD)中注册应用程序,配置身份验证和授权,确保应用安全地访问Azure资源。 **Stats**: 134,700 installs · 4.8/5 (2000 reviews) ## Before / After 对比 ### Entra应用注册简化流程 ## Readme # entra-app-registration ## Overview Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud-based identity and access management service. App registrations allow applications to authenticate users and access Azure resources securely. ### Key Concepts Concept Description **App Registration** Configuration that allows an app to use Microsoft identity platform **Application (Client) ID** Unique identifier for your application **Tenant ID** Unique identifier for your Azure AD tenant/directory **Client Secret** Password for the application (confidential clients only) **Redirect URI** URL where authentication responses are sent **API Permissions** Access scopes your app requests **Service Principal** Identity created in your tenant when you register an app ### Application Types Type Use Case **Web Application** Server-side apps, APIs **Single Page App (SPA)** JavaScript/React/Angular apps **Mobile/Native App** Desktop, mobile apps **Daemon/Service** Background services, APIs ## Core Workflow ### Step 1: Register the Application Create an app registration in the Azure portal or using Azure CLI. **Portal Method:** - Navigate to Azure Portal → Microsoft Entra ID → App registrations - Click "New registration" - Provide name, supported account types, and redirect URI - Click "Register" **CLI Method:** See [references/cli-commands.md](https://github.com/microsoft/github-copilot-for-azure/blob/HEAD/plugin/skills/entra-app-registration/references/cli-commands.md) **IaC Method:** See [references/BICEP-EXAMPLE.bicep](https://github.com/microsoft/github-copilot-for-azure/blob/HEAD/plugin/skills/entra-app-registration/references/BICEP-EXAMPLE.bicep) It's highly recommended to use the IaC to manage Entra app registration if you already use IaC in your project, need a scalable solution for managing lots of app registrations or need fine-grained audit history of the configuration changes. ### Step 2: Configure Authentication Set up authentication settings based on your application type. - **Web Apps**: Add redirect URIs, enable ID tokens if needed - **SPAs**: Add redirect URIs, enable implicit grant flow if necessary - **Mobile/Desktop**: Use `http://localhost` or custom URI scheme - **Services**: No redirect URI needed for client credentials flow ### Step 3: Configure API Permissions Grant your application permission to access Microsoft APIs or your own APIs. **Common Microsoft Graph Permissions:** - `User.Read` - Read user profile - `User.ReadWrite.All` - Read and write all users - `Directory.Read.All` - Read directory data - `Mail.Send` - Send mail as a user **Details:** See [references/api-permissions.md](https://github.com/microsoft/github-copilot-for-azure/blob/HEAD/plugin/skills/entra-app-registration/references/api-permissions.md) ### Step 4: Create Client Credentials (if needed) For confidential client applications (web apps, services), create a client secret, certificate or federated identity credential. **Client Secret:** - Navigate to "Certificates & secrets" - Create new client secret - Copy the value immediately (only shown once) - Store securely (Key Vault recommended) **Certificate:** For production environments, use certificates instead of secrets for enhanced security. Upload certificate via "Certificates & secrets" section. **Federated Identity Credential:** For dynamically authenticating the confidential client to Entra platform. ### Step 5: Implement OAuth Flow Integrate the OAuth flow into your application code. **See:** - [references/oauth-flows.md](https://github.com/microsoft/github-copilot-for-azure/blob/HEAD/plugin/skills/entra-app-registration/references/oauth-flows.md) - OAuth 2.0 flow details - [references/console-app-example.md](https://github.com/microsoft/github-copilot-for-azure/blob/HEAD/plugin/skills/entra-app-registration/references/console-app-example.md) - Console app implementation ## Common Patterns ### Pattern 1: First-Time App Registration Walk user through their first app registration step-by-step. **Required Information:** - Application name - Application type (web, SPA, mobile, service) - Redirect URIs (if applicable) - Required permissions **Script:** See [references/first-app-registration.md](https://github.com/microsoft/github-copilot-for-azure/blob/HEAD/plugin/skills/entra-app-registration/references/first-app-registration.md) ### Pattern 2: Console Application with User Authentication Create a .NET/Python/Node.js console app that authenticates users. **Required Information:** - Programming language (C#, Python, JavaScript, etc.) - Authentication library (MSAL recommended) - Required permissions **Example:** See [references/console-app-example.md](https://github.com/microsoft/github-copilot-for-azure/blob/HEAD/plugin/skills/entra-app-registration/references/console-app-example.md) ### Pattern 3: Service-to-Service Authentication Set up daemon/service authentication without user interaction. **Required Information:** - Service/app name - Target API/resource - Whether to use secret or certificate **Implementation:** Use Client Credentials flow (see [references/oauth-flows.md#client-credentials-flow](https://github.com/microsoft/github-copilot-for-azure/blob/HEAD/plugin/skills/entra-app-registration/references/oauth-flows.md#client-credentials-flow)) ## MCP Tools and CLI ### Azure CLI Commands Command Purpose `az ad app create` Create new app registration `az ad app list` List app registrations `az ad app show` Show app details `az ad app permission add` Add API permission `az ad app credential reset` Generate new client secret `az ad sp create` Create service principal **Complete reference:** See [references/cli-commands.md](https://github.com/microsoft/github-copilot-for-azure/blob/HEAD/plugin/skills/entra-app-registration/references/cli-commands.md) ### Microsoft Authentication Library (MSAL) MSAL is the recommended library for integrating Microsoft identity platform. **Supported Languages:** - .NET/C# - `Microsoft.Identity.Client` - JavaScript/TypeScript - `@azure/msal-browser`, `@azure/msal-node` - Python - `msal` **Examples:** See [references/console-app-example.md](https://github.com/microsoft/github-copilot-for-azure/blob/HEAD/plugin/skills/entra-app-registration/references/console-app-example.md) ## Security Best Practices Practice Recommendation **Never hardcode secrets** Use environment variables, Azure Key Vault, or managed identity **Rotate secrets regularly** Set expiration, automate rotation **Use certificates over secrets** More secure for production **Least privilege permissions** Request only required API permissions **Enable MFA** Require multi-factor authentication for users **Use managed identity** For Azure-hosted apps, avoid secrets entirely **Validate tokens** Always validate issuer, audience, expiration **Use HTTPS only** All redirect URIs must use HTTPS (except localhost) **Monitor sign-ins** Use Entra ID sign-in logs for anomaly detection ## SDK Quick References - **Azure Identity**: [Python](https://github.com/microsoft/github-copilot-for-azure/blob/HEAD/plugin/skills/entra-app-registration/references/sdk/azure-identity-py.md) | [.NET](https://github.com/microsoft/github-copilot-for-azure/blob/HEAD/plugin/skills/entra-app-registration/references/sdk/azure-identity-dotnet.md) | [TypeScript](https://github.com/microsoft/github-copilot-for-azure/blob/HEAD/plugin/skills/entra-app-registration/references/sdk/azure-identity-ts.md) | [Java](https://github.com/microsoft/github-copilot-for-azure/blob/HEAD/plugin/skills/entra-app-registration/references/sdk/azure-identity-java.md) | [Rust](https://github.com/microsoft/github-copilot-for-azure/blob/HEAD/plugin/skills/entra-app-registration/references/sdk/azure-identity-rust.md) - **Key Vault (secrets)**: [Python](https://github.com/microsoft/github-copilot-for-azure/blob/HEAD/plugin/skills/entra-app-registration/references/sdk/azure-keyvault-py.md) | [TypeScript](https://github.com/microsoft/github-copilot-for-azure/blob/HEAD/plugin/skills/entra-app-registration/references/sdk/azure-keyvault-secrets-ts.md) - **Auth Events**: [.NET](https://github.com/microsoft/github-copilot-for-azure/blob/HEAD/plugin/skills/entra-app-registration/references/sdk/microsoft-azure-webjobs-extensions-authentication-events-dotnet.md) ## References - [OAuth Flows](https://github.com/microsoft/github-copilot-for-azure/blob/HEAD/plugin/skills/entra-app-registration/references/oauth-flows.md) - Detailed OAuth 2.0 flow explanations - [CLI Commands](https://github.com/microsoft/github-copilot-for-azure/blob/HEAD/plugin/skills/entra-app-registration/references/cli-commands.md) - Azure CLI reference for app registrations - [Console App Example](https://github.com/microsoft/github-copilot-for-azure/blob/HEAD/plugin/skills/entra-app-registration/references/console-app-example.md) - Complete working examples - [First App Registration](https://github.com/microsoft/github-copilot-for-azure/blob/HEAD/plugin/skills/entra-app-registration/references/first-app-registration.md) - Step-by-step guide for beginners - [API Permissions](https://github.com/microsoft/github-copilot-for-azure/blob/HEAD/plugin/skills/entra-app-registration/references/api-permissions.md) - Understanding and configuring permissions - [Troubleshooting](https://github.com/microsoft/github-copilot-for-azure/blob/HEAD/plugin/skills/entra-app-registration/references/troubleshooting.md) - Common issues and solutions ## External Resources - [Microsoft Identity Platform Documentation](https://learn.microsoft.com/entra/identity-platform/) - [OAuth 2.0 and OpenID Connect protocols](https://learn.microsoft.com/entra/identity-platform/v2-protocols) - [MSAL Documentation](https://learn.microsoft.com/entra/msal/) - [Microsoft Graph API](https://learn.microsoft.com/graph/) Weekly Installs103.0KRepository[microsoft/githu…or-azure](https://github.com/microsoft/github-copilot-for-azure)GitHub Stars157First SeenFeb 4, 2026Security Audits[Gen Agent Trust HubPass](/microsoft/github-copilot-for-azure/entra-app-registration/security/agent-trust-hub)[SocketPass](/microsoft/github-copilot-for-azure/entra-app-registration/security/socket)[SnykPass](/microsoft/github-copilot-for-azure/entra-app-registration/security/snyk)Installed ongithub-copilot102.9Kcodex387gemini-cli375opencode350amp338cursor338 --- *Source: https://skills.yangsir.net/skill/sm-entra-app-registration* *Markdown mirror: https://skills.yangsir.net/api/skill/sm-entra-app-registration/markdown*