Guides Microsoft Entra ID app registration, OAuth 2.0 authentication, and MSAL integration. USE FOR: create app registration, register Azure AD app, configure OAuth, set up authentication, add API permissions, generate service principal, MSAL example, console app auth, Entra ID setup, Azure AD authentication. DO NOT USE FOR: Azure RBAC or role assignments (use azure-rbac), Key Vault secrets (use azure-keyvault-expiration-audit), general Azure resource security guidance.
Overview
Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud-based identity and access management service. App registrations allow applications to authenticate users and access Azure resources securely.
entra-app-registration by microsoft/azure-skills

Key Concepts

| Concept | Description |
|---|---|
| App Registration | Configuration that allows an app to use the Microsoft identity platform |
| Application (Client) ID | Unique identifier for your application |
| Tenant ID | Unique identifier for your Azure AD tenant/directory |
| Client Secret | Password for the application (confidential clients only) |
| Redirect URI | URL where authentication responses are sent |
| API Permissions | Access scopes your app requests |
| Service Principal | Identity created in your tenant when you register an app |
Application Types

| Type | Use Case |
|---|---|
| Web Application | Server-side apps, APIs |
| Single Page App (SPA) | JavaScript/React/Angular apps |
| Mobile/Native App | Desktop, mobile apps |
| Daemon/Service | Background services, APIs |
Core Workflow
Step 1: Register the Application
Create an app registration in the Azure portal or using Azure CLI.
Portal Method:
Navigate to Azure Portal → Microsoft Entra ID → App registrations
Click "New registration"
Provide name, supported account types, and redirect URI
It is highly recommended to manage Entra app registrations with IaC if you already use IaC in your project, need a scalable way to manage many app registrations, or need a fine-grained audit history of configuration changes.
Step 2: Configure Authentication
Set up authentication settings based on your application type.
Web Apps: Add redirect URIs, enable ID tokens if needed
SPAs: Add redirect URIs, enable implicit grant flow if necessary
Mobile/Desktop: Use http://localhost or custom URI scheme
Services: No redirect URI needed for client credentials flow
Step 3: Configure API Permissions
Grant your application permission to access Microsoft APIs or your own APIs.
Step 4: Create Credentials
For confidential client applications (web apps, services), create a client secret, certificate, or federated identity credential.
Client Secret:
Navigate to "Certificates & secrets"
Create new client secret
Copy the value immediately (only shown once)
Store securely (Key Vault recommended)
Certificate: For production environments, use certificates instead of secrets for enhanced security. Upload certificate via "Certificates & secrets" section.
Federated Identity Credential: For authenticating the confidential client to the Microsoft identity platform dynamically, without storing a secret or certificate in the application.
Step 5: Implement OAuth Flow
Integrate the OAuth flow into your application code.
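The client credentials flow used by daemons and services (no user, no redirect URI) comes down to one token request and a set of claims to check on what comes back. The following is an added example, not code from the skill or from MSAL; it uses only the Python standard library, and the tenant ID, client ID, audience and token values it works with are constructed placeholders. MSAL's ConfidentialClientApplication.acquire_token_for_client performs the same HTTP exchange for you.

```python
"""Client-credentials (daemon/service) token request to Microsoft Entra ID and an
offline check of the returned token's claims. Standard library only."""
import base64
import json
import time
from urllib.parse import urlencode


def client_credentials_request(tenant_id, client_id, client_secret, resource):
    """Return (url, form_body) for the v2.0 client-credentials grant. A service has
    no user and no redirect URI; the resource's ".default" scope resolves to the
    application permissions granted on the app registration."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # prefer a certificate assertion in production
        "scope": f"{resource}/.default",
    })
    return url, body


def _b64url(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_token_claims(jwt, tenant_id, expected_aud, now=None):
    """Decode the JWT payload and list claim problems. Signature verification is
    out of scope (it needs the tenant's published signing keys); this catches a
    token minted for another tenant or audience, or one that has expired."""
    claims = json.loads(_b64url(jwt.split(".")[1]))
    now = time.time() if now is None else now
    # Entra issues tokens with either the v1.0 or the v2.0 issuer format.
    issuers = {f"https://sts.windows.net/{tenant_id}/",
               f"https://login.microsoftonline.com/{tenant_id}/v2.0"}
    problems = []
    if claims.get("tid") != tenant_id:
        problems.append("tid: token is not from the expected tenant")
    if claims.get("aud") != expected_aud:
        problems.append("aud: token was not issued for this resource")
    if claims.get("iss") not in issuers:
        problems.append("iss: unexpected issuer")
    if claims.get("exp", 0) <= now:
        problems.append("exp: token has expired")
    return problems


def make_sample_token(claims):
    """Constructed, unsigned JWT-shaped string for offline tests only."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), ""])
```

The check deliberately stops short of signature verification; in a real service, verify the signature against the tenant's published keys before trusting any claim.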