A primer on Entra for Enterprise Applications and App Registration

This is a primer for application architects, developers, and IT professionals on how applications integrate with Entra ID, specifically through Enterprise Applications and App Registrations using OpenID Connect (OIDC).

Microsoft Entra is Microsoft's identity platform: a set of services for managing and securing access to applications and resources. Entra ID (formerly Azure Active Directory) is the backbone for identity and access management in the Microsoft Cloud, including Microsoft 365 and Azure.

In this primer we focus on how applications integrate with Entra ID, specifically through Enterprise Applications and App Registrations using OpenID Connect (OIDC). Entra ID is a vast topic, so we'll stick to the basics that someone starting to build applications against it needs to know.

If you’re an application architect, developer, or IT professional looking to understand how applications integrate with Entra ID, this primer is for you.

What is Entra ID?

Entra itself is a brand covering a collection of identity-related services from Microsoft; Entra ID is the identity service that provides authentication and authorization for applications. It implements the OpenID Connect (OIDC) and OAuth 2.0 protocols, the industry standards for authentication and delegated authorization (SAML 2.0 and WS-Federation are also supported for older applications).

Entra ID is the core of what Microsoft 365, Azure, Dynamics 365, and other Microsoft services use for identity and access management.

I'm oversimplifying here, but think of Entra ID as the place where user, group, and application identities are stored and managed.

Why Integrate with Entra ID?

According to Statista: “Microsoft 365 is used by over a million companies worldwide, with over one million customers in the United States alone using the office suite software”

Needless to say, that’s a lot of organizations using Microsoft 365. If you’re building an application that needs to interact with Microsoft 365 services, you’ll need to integrate with Entra ID.

App Registration

When you build an application that needs to integrate with Entra ID, you first register it with Entra ID. This process is known as App Registration.

An App Registration is an entry for your application in Entra ID. It holds the application's name, its redirect URIs (the exact URLs Entra ID is allowed to send tokens back to), the credentials the application uses to prove its own identity (a client secret or, preferably, a certificate), and the permissions it requests on resources protected by Entra ID, such as Microsoft Graph.

The App Registration is where it all begins: this is where developers and IT professionals define the application's identity, the permissions it requests, and the other settings it needs to interact with Entra ID. Note, however, that an App Registration on its own does not grant access to anything.

Once the App Registration exists and its client ID (and credential) are configured in the application, the application can authenticate with Entra ID and request access tokens for resources. Before the requested permissions are actually granted, however, a user (or an administrator) must consent to them. This is known as the consent flow.

The consent flow is the process by which a user grants an application permission to access resources on their behalf. When an application requests access to resources, the user is prompted to consent to the application’s request. This is typically done through a consent screen that displays the permissions the application is requesting.

The consent flow is an important part of the authentication and authorization process, as it ensures that users are aware of the permissions they are granting to an application. It also lets users revoke that access later (for example through the My Apps portal) if they no longer want the application to have it.

Just because the user is presented with a consent screen doesn’t mean they can actually consent to what’s being requested. Depending on the permissions requested, it may require an administrator to consent on behalf of the organization. This is known as admin consent.

Admin consent is the process by which an administrator grants an application permissions on behalf of the whole organization, so that individual users are no longer prompted. It is always required for application permissions (where the app acts with no signed-in user) and for delegated permissions that Entra ID classifies as high-privilege, such as reading all user profiles or creating new users. Tenant administrators can also tighten the user consent policy so that users may only consent to low-impact permissions from verified publishers, or cannot consent at all; in that case every application goes through admin consent.

Enterprise Applications

Consent is not recorded on the App Registration but on a second object: the Enterprise Application. An Enterprise Application is the tenant-local instance of an application in Entra ID. It records which permissions have been granted in that tenant, which users and groups are assigned to the application, and per-tenant settings such as whether user assignment is required; it is also what sign-in logs and Conditional Access policies refer to. For an application registered in your own tenant through the portal, the Enterprise Application is created automatically alongside the App Registration; for an application from another tenant, it is created the first time a user or administrator consents.

So if you're building an application for your own organization, you'll have both: the App Registration is the definition of your application (what it is and what it asks for), while the Enterprise Application is its instance in your tenant (what it has actually been granted, and who may use it).

Applications and Service Principals

Under the hood these are two Entra ID objects, each with its own object ID: an Application object (the App Registration) and a Service Principal object (the Enterprise Application). The Application object is the global definition of the application, held in the tenant that owns it; the Service Principal is the application's identity in a particular tenant.

The Application object holds the application's name, redirect URIs, requested permissions, and its credentials (client secrets and certificates); it is also where the client ID (appId) is generated. The Service Principal object carries the same appId but its own object ID, plus the tenant-specific state: granted permissions, role assignments, and the users and groups assigned to the application.

When an application authenticates with Entra ID, it presents its client ID and credential, and the tokens Entra ID issues are scoped to the Service Principal in the issuing tenant. One practical consequence: in an app-only token the oid claim is the Service Principal's object ID, not the Application object's ID and not the appId, which matters when you assign Azure RBAC roles, write audit queries, or allow-list identities.
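To make the App Registration / Enterprise Application split concrete, here is an added Python example (not code from the original post) that decodes two constructed access tokens and maps their claims back to the objects they refer to: the client ID to the App Registration, and the oid in an app-only token to the Service Principal, versus the user in a delegated token. It also shows where consented permissions land (roles for application permissions, scp for delegated ones), which ties back to the consent section above. All GUIDs are made up, and the tokens are unsigned placeholders; the decoder deliberately skips signature verification so the example runs offline, which a real application must never do.

```python
import base64
import json

# Constructed identifiers for the example (not real Entra objects).
TENANT_ID = "c0ffee00-1111-4222-8333-444455556666"
CLIENT_ID = "0a1b2c3d-4e5f-4a6b-8c7d-8e9f0a1b2c3d"      # appId of the App Registration
SP_OBJECT_ID = "5e4d3c2b-1a09-4f8e-9d7c-6b5a4f3e2d1c"   # object ID of the Enterprise Application
USER_OBJECT_ID = "9f8e7d6c-5b4a-4392-8172-6f5e4d3c2b1a"  # object ID of a signed-in user


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(payload: dict) -> str:
    """Build a constructed header.payload.signature token for offline tests.
    The signature is a placeholder; this exists only to exercise the parser."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "example-kid"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT WITHOUT verifying its signature.
    Only trust the result after the signature has been verified against the
    issuing tenant's published keys (JWKS); real code should use a JWT library."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def describe_token(claims: dict) -> dict:
    """Map access-token claims back to the Entra objects they refer to."""
    v2 = claims.get("ver") == "2.0"
    # The client ID (appId) names the App Registration. v1.0 tokens carry it
    # in 'appid', v2.0 tokens in 'azp'.
    client_id = claims.get("azp") if v2 else claims.get("appid")
    app_only = claims.get("idtyp") == "app" or "scp" not in claims
    if app_only:
        # Client-credentials token: 'roles' holds the granted application
        # permissions, and 'oid' is the Service Principal's object ID in the
        # issuing tenant, not the Application object's ID and not the appId.
        return {
            "kind": "app-only",
            "tenant_id": claims.get("tid"),
            "client_id": client_id,
            "service_principal_object_id": claims.get("oid"),
            "permissions": list(claims.get("roles", [])),
        }
    # Delegated token: 'scp' holds the consented delegated permissions and
    # 'oid' is the signed-in user's object ID.
    return {
        "kind": "delegated",
        "tenant_id": claims.get("tid"),
        "client_id": client_id,
        "user_object_id": claims.get("oid"),
        "permissions": claims["scp"].split(),
    }


# Two constructed v2.0 tokens issued to the same App Registration.
APP_ONLY_TOKEN = make_unsigned_jwt({
    "ver": "2.0", "tid": TENANT_ID, "azp": CLIENT_ID,
    "oid": SP_OBJECT_ID, "sub": SP_OBJECT_ID, "idtyp": "app",
    "roles": ["User.Read.All"],
})
DELEGATED_TOKEN = make_unsigned_jwt({
    "ver": "2.0", "tid": TENANT_ID, "azp": CLIENT_ID,
    "oid": USER_OBJECT_ID, "scp": "User.Read Mail.Read",
})

if __name__ == "__main__":
    for name, tok in (("app-only", APP_ONLY_TOKEN), ("delegated", DELEGATED_TOKEN)):
        print(name, json.dumps(describe_token(decode_claims(tok)), indent=2))
```

The practical use is in audit and authorization code: when a Graph audit log or an Azure RBAC assignment shows an oid that does not match anything in the App Registrations blade, look it up under Enterprise Applications instead.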

Applications from another Tenant

If you're building an application that users in other tenants should be able to sign in to, you don't register it again in each tenant. Instead you register it once in your own (home) tenant and set its supported account types to accounts in any organizational directory. This is known as a multi-tenant application.

Users in another tenant can then sign in, but a user or administrator in that tenant must consent before the application gets any access there. That consent creates an Enterprise Application (Service Principal) for your app in their tenant, pointing back to the single App Registration in yours. Because tokens can now arrive from any tenant, a multi-tenant application must validate the tenant ID (tid) and issuer of every token rather than trusting one fixed issuer string.
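The following added Python example (not part of the original post) shows the claims-level checks a multi-tenant application needs once it accepts tokens from the /common or /organizations endpoint: the issuer is derived from the token's own tid, the tid is checked against the set of tenants that have actually onboarded, the audience is checked against this app's client ID, and identities are keyed on (tid, oid) rather than on email addresses. It assumes the signature has already been verified with a JWT library against the issuing tenant's keys. The GUIDs, the onboarded-tenant set and the claim sets are constructed; the issuer templates and the Microsoft Graph app ID used as a wrong-audience example are real.

```python
import time
from typing import Optional, Set, Tuple

# Constructed identifiers (not real Entra objects).
CLIENT_ID = "0a1b2c3d-4e5f-4a6b-8c7d-8e9f0a1b2c3d"
HOME_TENANT = "c0ffee00-1111-4222-8333-444455556666"
CUSTOMER_TENANT = "deadbeef-2222-4333-8444-555566667777"
UNKNOWN_TENANT = "badc0ffe-3333-4444-8555-666677778888"
USER_OID = "9f8e7d6c-5b4a-4392-8172-6f5e4d3c2b1a"

# Tenants that have completed consent/onboarding for this app. Assumed to be
# maintained by the application, e.g. recorded when an admin finishes the
# consent flow and the Service Principal appears in their tenant.
ONBOARDED_TENANTS = {HOME_TENANT, CUSTOMER_TENANT}

# Entra issuer formats: the tenant ID is embedded in the issuer, so a
# multi-tenant app cannot pin a single issuer string.
V2_ISSUER = "https://login.microsoftonline.com/{tid}/v2.0"
V1_ISSUER = "https://sts.windows.net/{tid}/"


class TokenRejected(Exception):
    """Raised when a claim set fails multi-tenant validation."""


def validate_multitenant_claims(claims: dict, client_id: str = CLIENT_ID,
                                onboarded: Set[str] = ONBOARDED_TENANTS,
                                now: Optional[float] = None) -> Tuple[str, str]:
    """Claims-level checks for a multi-tenant app. Assumes the signature has
    already been verified. Returns (tenant_id, object_id), the stable key to
    use for authorization decisions."""
    now = time.time() if now is None else now
    tid = claims.get("tid")
    if not tid:
        raise TokenRejected("missing tid claim")
    if tid not in onboarded:
        # A valid signature only proves the token came from *some* Entra
        # tenant; the app must decide explicitly which tenants may use it.
        raise TokenRejected(f"tenant {tid} has not onboarded to this application")
    template = V2_ISSUER if claims.get("ver") == "2.0" else V1_ISSUER
    if claims.get("iss") != template.format(tid=tid):
        raise TokenRejected("iss does not match the tid claim")
    # v2.0 tokens carry the client ID in aud; v1.0 tokens carry the App ID URI.
    if claims.get("aud") not in {client_id, f"api://{client_id}"}:
        raise TokenRejected("token was not issued for this application")
    exp = claims.get("exp")
    if exp is None or exp <= now:
        raise TokenRejected("token expired or has no exp claim")
    nbf = claims.get("nbf")
    if nbf is not None and nbf > now:
        raise TokenRejected("token not yet valid")
    oid = claims.get("oid")
    if not oid:
        raise TokenRejected("missing oid claim")
    # Key identities on (tid, oid). email / preferred_username are mutable
    # and not unique across tenants, so they must not drive authorization.
    return tid, oid


def _claims(tid: str, **overrides) -> dict:
    """Constructed v2.0 claim set for a user signing in from the given tenant."""
    base = {
        "ver": "2.0", "tid": tid, "iss": V2_ISSUER.format(tid=tid),
        "aud": CLIENT_ID, "oid": USER_OID,
        "exp": 4102444800, "nbf": 1700000000,  # exp is 2100-01-01 UTC
    }
    base.update(overrides)
    return base


if __name__ == "__main__":
    print("accepted:", validate_multitenant_claims(_claims(CUSTOMER_TENANT)))
    graph_app_id = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's appId
    for bad in (_claims(UNKNOWN_TENANT),
                _claims(CUSTOMER_TENANT, iss=V2_ISSUER.format(tid=HOME_TENANT)),
                _claims(CUSTOMER_TENANT, aud=graph_app_id)):
        try:
            validate_multitenant_claims(bad)
        except TokenRejected as e:
            print("rejected:", e)
```

The wrong-audience case is worth dwelling on: a token the user obtained for Microsoft Graph is signed by the same Entra keys and carries the same tid and oid, so without the aud check it would pass every other test and your API would accept a token that was never meant for it.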

Key Terminology and Concepts

Before we dive into the details of how applications integrate with Entra ID, let’s first cover some key terminology and concepts that you need to be familiar with.
