Azure Application Registration for API Access
Steps to register an application in Azure Active Directory for accessing APIs like Microsoft Graph and Azure Management.
🔧 Azure Application Registration for API Access
This guide provides the steps to register and configure an application in Azure Active Directory (Azure AD) to access Microsoft APIs (like Microsoft Graph) or Azure Management APIs. This is often required for applications or services that need to interact with Azure resources or Microsoft 365 data programmatically.
✅ Step 1: Open Configview Secrets
Go to the Configview Secrets page using the following link:
Keep this page handy as you will be copying values to here.
✅ Step 2: Retrieve Microsoft Tenant ID from Azure AD
- Navigate to Microsoft Entra ID in the Azure Portal using this link: Microsoft Entra ID Overview
- Copy the Tenant ID from the Overview page.
- Return to the Configview Secrets page (from Step 1).
- Paste the copied Tenant ID into the
MSFT_TENANT_IDvalue section. Do not change the key! - Save the changes in Configview.
✅ Step 3: Register an Application in Azure AD
- Go back to the Azure Portal.
- Navigate to Microsoft Entra ID.
- Select App registrations from the left-hand menu.
- Click New Registration.
- Enter a Name for the application (e.g.,
Configview). - Choose the Single tenant – Only your organization’s users/accounts can use it.
- (Optional) Set a Redirect URI (required for user authentication flows, not typically for service-to-service API calls using client credentials).
- Click Register.
✅ Step 4: Generate Client Credentials
Credentials are required for your application to authenticate itself to Azure AD and access APIs. Client secrets are one common method.
- Navigate to Certificates & Secrets in your application settings menu.
- Under Client Secrets, click New Client Secret.
- Provide a Description (e.g.,
Configview). - Set an Expiration period (e.g., 1 year, 2 years, Never - Never is not recommended for security reasons).
- Click Add.
Immediately copy the Value of the secret.This value will not be visible again after you leave this page. You will need to create another one if you need it again. Store it securely. You do not need the Secret ID.
✅ Step 5: Configure API Permissions You have to do this
-
In your newly registered application, navigate to API Permissions from the left-hand menu.
-
Click Add a permission.
-
Choose the appropriate API: For users, groups, applications, devices use:
- Microsoft Graph (for Office 365 services such as SharePoint, Teams, and Users).
- Application permissions (if the app runs as a background service without a signed-in user).
When adding the scopes you can scroll and select or you can copy the scopes below and select. it save stime.
Optional Scopes:
Once done click Grant admin consent
You are now ready to start ingesting data into configview.
Azure data
You’ll need to do this for each subscription.
note: you may be able to do this at the tenant root group
Assign the “Reader” role to your Service Principal at the Root Management Group scope:
- Go to “Management Groups”.
- Select your Root Management Group.
- Go to “Access control (IAM)”.
- Click “Add” -> “Add role assignment”.
- Role: Select “Reader”.
- Assign access to: Select “User, group, or service principal”.
- Members: Search for the name of your Azure AD application registration (Service Principal) and select it.
- Save the role assignment.
If you are wishing to get azure data you need to add an additional scope:
in configview secrets MSFT_AZURE_SCOPE in key and in value:
-
Click Add a permission.
-
Choose the appropriate API: For users, groups, applications, devices use:
- Azure Service Management (for Office 365 services such as SharePoint, Teams, and Users).
- Delegated Permissions permissions (if the app runs as a background service without a signed-in user).
When adding the scopes you can scroll and select or you can copy the scopes below and select. it save stime.