Why and How applications are added to Azure AD? Scenarios, types of permissions, consent, scopes
In today’s interconnected world, identity and access management (IAM) are crucial for securing sensitive data and resources. To achieve this, various platforms such as Azure AD and Microsoft Identity Platform (MIP) provide mechanisms to control access to applications and services.
In this blog, we will explore the fundamentals of how applications are added to Azure AD, and then delve into the permission and access in Graph MIP. Finally, we will look into some access scenarios, types of permissions, consent, scopes.
Why and how applications are added to Azure AD?
Azure AD is a cloud-based IAM service provided by Microsoft. It enables organizations to manage user identities and control access to resources. Azure AD can also integrate with various cloud-based and on-premises applications to provide Single Sign-On (SSO) functionality.
Applications can be added to Azure AD in two ways. The first is through the Azure AD app gallery, where Microsoft and its partners have pre-integrated applications that organizations can easily add to their tenant. The second way is through custom integration using the Azure AD application registration portal.
To register a custom application, the first step is to have an Azure AD tenant, which is a directory of users, groups, devices, applications and etc. Once the tenant is created, we can register an application by providing details such as the name, website, and application type. We can also configure authentication and authorization settings, which are used to control access to the application.
Authentication settings determine how users will authenticate to the application. Azure AD supports various authentication methods such as SAML, OAuth 2.0, OpenID Connect, and WS-Federation. Authorization settings determine who can access the application and what level of access they have. We can configure roles and permissions using Azure AD’s role-based access control (RBAC) feature to grant users access to specific resources within the application.
What Type of applications can you register
OAuth defines two types of clients: confidential clients and public clients.
Confidential clients are applications that are able to securely authenticate with the authorization server, for example a Web Server or…