Register the application
1. Sign in to the Microsoft Entra admin center.
2. Select Identity.
3. Select App registrations.
4. Select + New registration.
5. Enter Demo app as the name.
6. Leave all defaults.
7. Do not configure a redirect URI.
8. Select Register.

You are redirected to the Demo app overview.
Add a redirect URI and platform configuration
1. Select Authentication.
2. Select Add a platform.
   - Web
   - SPA
   - iOS/macOS
   - Android
   - Mobile and desktop
3. Enter or generate redirect URIs as required.
4. Select Configure.
Add credentials
Credentials are used by confidential clients.
Add a certificate
- Recommended for production.
- Supported file types: .cer, .pem, .crt.
Add a client secret
1. Select Certificates & secrets.
2. Select New client secret.
3. Enter a description.
4. Choose an expiration.
5. Select Add.
6. Record the secret value immediately; it is shown only once.
Register a web API and expose scopes
1. Register the API as an app.
2. Skip redirect URI configuration.
3. Skip credentials unless the API calls downstream APIs.
4. Select Expose an API.
5. Set the Application ID URI.
6. Select Add a scope.
Example scope configuration
| Field | Example |
|---|---|
| Scope name | Employees.Read.All |
| Who can consent | Admins and users |
| Admin consent display name | Read employee records |
| User consent display name | Read your employee records |
Enable the scope and save.
Admin-only scope
- Who can consent: Admins only.
- No user consent fields.
Pre-authorize trusted client apps (Optional)
1. Under Authorized client applications, select Add.
2. Enter the client ID.
3. Select trusted scopes.
4. Save.
What happens behind the scenes
1. Application object is created.
2. Service principal is created.
3. Consent is granted.
4. Tokens are issued.
Unit 5 (Corrected): Configure permissions for an application
Authorization model overview
Applications using the Microsoft identity platform follow an OAuth 2.0–based authorization model that gives users and administrators control over how data is accessed.
Permissions define what an app can do, and consent defines who approves that access.
Scopes and permissions
- Microsoft Graph: https://graph.microsoft.com
- Outlook API: https://outlook.office.com
- Azure Key Vault: https://vault.azure.net
Resources expose permissions that break functionality into smaller units.
- Reading a calendar.
- Writing calendar entries.
- Sending email.
These permissions are called scopes in OAuth 2.0 and are represented as string values.
Permission types
Microsoft Entra ID supports two permission types.
Delegated permissions
- Require a signed-in user.
- The app acts on behalf of the user.
- Effective permissions are the intersection of the permissions granted to the app and the user's actual privileges.
Example: A user without admin rights cannot perform admin-level actions even if the app has been granted a high delegated permission.
Application permissions
- No signed-in user.
- Used by background services and daemons.
- Always require admin consent.
- Grant the full access defined by the permission.
OpenID Connect scopes
| Scope | Purpose |
|---|---|
| openid | Required for sign-in. |
| email | Provides primary email if available. |
| profile | Provides profile attributes. |
| offline_access | Enables refresh tokens. |
- offline_access must be explicitly requested on v2.0.
- SPAs always receive refresh tokens.
- openid is mandatory for authentication.
Requesting user consent
Apps request permissions using the scope parameter in authorization requests.
- Scopes are space-separated.
- Consent is recorded after approval.
- Users are not prompted again.
- Certain permissions such as offline_access and User.Read are automatically included.
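As an added example (not from the original unit), the following Python builds the space-separated scope parameter for a v2.0 authorization request combining the OpenID Connect scopes from the table with the Employees.Read.All scope exposed above, and inspects a request to separate OIDC scopes from resource permissions. The tenant, client ID, redirect URI and Application ID URI (assumed to use the default api://<client id> form) are constructed placeholders.

```python
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY = "https://login.microsoftonline.com"
OIDC_SCOPES = {"openid", "email", "profile", "offline_access"}

# Constructed placeholders, not real tenant or application identifiers.
TENANT_ID = "contoso.onmicrosoft.com"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
REDIRECT_URI = "https://localhost:5001/signin-oidc"
# Assumed default Application ID URI of the web API registered above.
API_APP_ID_URI = "api://22222222-2222-2222-2222-222222222222"


def build_scope(resource_scopes, refresh_token=False):
    """Space-separated scope string. openid is always present; offline_access
    is added only when a refresh token is wanted (not implied on v2.0)."""
    scopes = ["openid", "profile"]
    if refresh_token:
        scopes.append("offline_access")
    scopes.extend(resource_scopes)
    return " ".join(dict.fromkeys(scopes))  # drop duplicates, keep order


def authorize_url(scope, state):
    """Authorization code request to the tenant's v2.0 authorize endpoint."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": scope,
        "state": state,
    }
    return f"{AUTHORITY}/{TENANT_ID}/oauth2/v2.0/authorize?{urlencode(params)}"


def inspect_request(url):
    """Split the scope parameter into OIDC scopes and resource permissions and
    flag a request that cannot sign a user in because openid is missing."""
    query = parse_qs(urlparse(url).query)
    requested = query.get("scope", [""])[0].split()
    oidc = [s for s in requested if s in OIDC_SCOPES]
    resource = [s for s in requested if s not in OIDC_SCOPES]
    return {"oidc": oidc, "resource": resource,
            "refresh_token": "offline_access" in oidc,
            "can_sign_in": "openid" in oidc}


if __name__ == "__main__":
    scope = build_scope([f"{API_APP_ID_URI}/Employees.Read.All", "User.Read"],
                        refresh_token=True)
    url = authorize_url(scope, state="constructed-state-123")
    print(url)
    print(inspect_request(url))
```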
Tenant-wide consent
Administrators can grant consent on behalf of all users, suppressing user consent prompts.
This is commonly done when onboarding enterprise applications.