Enterprise developers and software-as-a-service (SaaS) providers can develop commercial cloud services or line-of-business applications, that can be integrated with Azure Active Directory (Azure AD) to provide secure sign-in and authorization for their services. To integrate an application or service with Azure AD, a developer must first register the application with Azure AD.





Any application that wants to use the capabilities of Azure AD must first be registered in an Azure AD tenant. This registration process involves giving Azure AD details about your application, such as the URL where it’s located, the URL to send replies after a user is authenticated, the URI that identifies the app, and so on.





In the upcoming series of articles will see different 'grant_type' and which one to use for what scenario?

how to use in Daemon-Headless-App calling secure WebAPI - client_credentials/password_credentials

how to use in Windows-Forms-App calling secure WebAPI - code_credentials

how to secure WebApplication using Azure AAD

- OpenID Connect

how to call a secure

WebAPI

from WebApplication -

client_credentials/

code_credentials

how to call a secure

WebAPI

from SPA-App - implict_grant





App Registration in Azure Active Directory (AAD v1.0)

Application type

Web app / API

This is suitable for the application which requires or secured by "client secret key". Anyone/application which backed by AAD has this "Client Secret" can get authenticated and communication to configured API.

Native

This will be used whenever you

run this application under user context ()or while

publishing your apps for a Public domain. AAD provides an

iFrame to authenticate and send back the access token to the replay URL that should match with AAD pre-configured reply URL.

What is Application and Delegated Permissions in AAD

Application Permissions

- Used to access secure endpoint without user context.

- Used to access secure endpoint with ‘Client Secret’ token with 1 (or) 2 Years (or) Never expiry.

- Since there is no user context this requires admin consent.

- It's recommended to be used in trustable when you own/maintain the consuming application and its deployment (i.e. web application, WebAPI). Hence 'Client Secret' is available only for “WebAPI/WebApp” type in AAD App registration.

Delegated Permissions

- Used to access secure endpoint with user context.

- Mostly given for Native applications (i.e. Native Desktop clients & Mobile application) where it’s hosted and deployed on a different platform (or) not-trust able (or) public deployment zone.

How to provide API access to registered AAD v1.0 App

We can choose and provide permission for our AAD app, potentially access secure endpoints via this app.

When to Grant Admin Permission in AAD v1.0 App Registration

App required admin consent based on the permission you choose in access blade.





Notice: Grant admin permission is not required for "Require Admin - NO" permissions.