Agent Skills Finder
M

entra-app-registration

by microsoft

Skill-backed guidance for Microsoft Entra ID app registration, OAuth 2.0 flows, API permissions, and MSAL-based authentication examples for console and backend apps.

Stars0
Favorites0
Comments0
CategoryAccess Control
Install Command
npx skills add https://github.com/microsoft/azure-skills --skill entra-app-registration
AzureAPISdkCliBackendDeveloper AudienceAutomation
Overview

Overview

What this skill does

The entra-app-registration skill provides step-by-step, developer-focused guidance for configuring Microsoft Entra ID (formerly Azure Active Directory) app registrations. It walks you through:

  • Creating app registrations in Microsoft Entra ID
  • Understanding key identity concepts (tenant, client ID, redirect URI, service principal)
  • Choosing and configuring OAuth 2.0 flows
  • Adding and managing API permissions (delegated vs application)
  • Setting up secrets or certificates and service principals
  • Integrating with MSAL and Azure Identity SDKs for multiple languages
  • Troubleshooting common authentication and configuration errors

The content is drawn from the skills/entra-app-registration folder in the microsoft/azure-skills repository, including dedicated guides such as references/first-app-registration.md, references/oauth-flows.md, references/api-permissions.md, and references/console-app-example.md.

Who should use entra-app-registration

Use this skill if you are:

  • A backend or API developer securing a web API or service with Microsoft Entra ID
  • A developer building web, SPA, desktop, or console apps that must sign in users or call Microsoft Graph or custom APIs
  • A DevOps or platform engineer who needs repeatable patterns for app registration and permissions
  • A team that wants documented best practices for Entra ID authentication and API permissions

It is especially useful when you are:

  • Creating your first Microsoft Entra app registration
  • Migrating from legacy Azure AD guidance to the Microsoft identity platform
  • Deciding between delegated vs application permissions
  • Choosing an OAuth 2.0 flow for your app type
  • Wiring up MSAL in a console or backend application

When this skill is not a good fit

entra-app-registration focuses on identity and app registration, not general Azure security or resource management.

Do not use this skill as your primary reference if you mainly need:

  • Azure role-based access control for Azure resources → use the azure-rbac skill
  • Key Vault secret lifecycle and expiration auditing → use the azure-keyvault-expiration-audit skill
  • Broader Azure resource security posture or policy guidance → use the azure-security skill

You can still combine entra-app-registration with those skills when your scenario covers both identity and resource-level authorization.

Key capabilities at a glance

Within the skill, you will find guides that help you:

  • Understand app registration building blocks (from SKILL.md and references/first-app-registration.md)
  • Configure OAuth 2.0 flows including authorization code and client credentials (references/oauth-flows.md)
  • Plan and assign API permissions for Microsoft Graph and custom APIs (references/api-permissions.md)
  • Follow Azure authentication best practices, including use of managed identities and recommended credentials (references/auth-best-practices.md)
  • Use Azure CLI to automate app registration creation and updates (references/cli-commands.md)
  • Implement MSAL-based console applications in C#, Python, and Node.js (references/console-app-example.md)
  • Integrate with Azure Identity SDKs for .NET, Java, Python, Rust, and TypeScript (references/sdk/*.md)
  • Diagnose redirect URI, token, and consent issues (references/troubleshooting.md)

This makes entra-app-registration a practical fit for access-control, API-development, and backend-development work that depends on Microsoft Entra ID.

How to Use

Installing the entra-app-registration skill

To add the entra-app-registration skill from the microsoft/azure-skills repository to a compatible agent environment, run:

npx skills add https://github.com/microsoft/azure-skills --skill entra-app-registration

This makes the skill’s documentation (including SKILL.md and the references/ folder) available to your agent so it can answer detailed questions about Microsoft Entra app registration, OAuth flows, and permissions.

If your platform exposes a UI for skills, you can also:

  1. Search for "entra-app-registration" in the skills catalog.
  2. Confirm the GitHub source is microsoft/azure-skills.
  3. Click Add or Enable to attach it to your workspace or project.

After installation, open the Files or Sources view for this skill and explore in this order:

  1. SKILL.md – High-level overview, what the skill covers, and use/don’t-use guidance.
  2. references/first-app-registration.md – A concrete, step-by-step tutorial for creating your first Microsoft Entra app registration in the Azure portal.
  3. references/oauth-flows.md – Explanations and diagrams of OAuth 2.0 flows supported by Microsoft Entra ID, with implementation notes.
  4. references/api-permissions.md – How to choose and configure delegated vs application permissions, scope formats, and common Graph permissions.
  5. references/auth-best-practices.md – How to pick the right credential type per environment (managed identity, certificates, DefaultAzureCredential for local, etc.).
  6. references/cli-commands.md – Azure CLI commands for creating and managing app registrations from scripts or CI/CD.
  7. references/console-app-example.md – Full working console app examples that authenticate with Microsoft Entra ID using MSAL.
  8. references/sdk/*.md – Language-specific integration guides using Azure Identity and related SDKs.
  9. references/troubleshooting.md – Look here when you see AADSTS errors, consent problems, or redirect URI mismatches.

This sequence helps you progress from conceptual understanding, to portal-based configuration, to automated workflows and code-level integration.

Typical workflows this skill supports

1. Registering your first Microsoft Entra app

Use when you are just starting with Entra ID or creating a new app:

  • Follow references/first-app-registration.md to:
    • Open the Azure portal and navigate to Microsoft Entra ID → App registrations
    • Create a new registration with the correct supported account types
    • Configure redirect URIs depending on whether you have a web app, SPA, or native client
    • Set up authentication options and platform configurations
    • Add necessary API permissions (e.g., Microsoft Graph User.Read)
    • Create client credentials (secrets or certificates) when needed
    • Test the authentication flow in your application

The skill’s step-by-step structure reduces common mistakes around redirect URIs, tenant selection, and account type selection.

2. Choosing the right OAuth 2.0 flow

Use when you are unsure which authentication flow to implement for a new app:

  • Open references/oauth-flows.md to compare flows, such as:
    • Authorization code flow for web apps and services with server-side secrets
    • Client credentials flow for daemon apps and background services
    • Other supported flows as illustrated in the guide
  • Each flow section outlines:
    • A numbered sequence of interactions between user, app, Microsoft Entra ID, and APIs
    • Important parameters like client_id, tenant, redirect_uri, and scope
    • The recommended use cases for that flow

By consulting this guide, you can align your app type (web, SPA, daemon, console) with the appropriate OAuth flow and implement it safely.

3. Configuring delegated vs application permissions

Use when your app must call Microsoft Graph or a custom API:

  • Open references/api-permissions.md to:
    • Understand delegated permissions (user context) vs application permissions (app-only context)
    • Decide when user consent is appropriate vs when admin consent is required
    • Learn the scope format, including Graph scopes like https://graph.microsoft.com/User.Read and custom API scopes like api://myapi-id/access_as_user
    • See how .default scopes work for client credentials and migration scenarios
  • Use this guidance to:
    • Configure API permissions in the app registration
    • Request the right scopes from your application code
    • Avoid over-permissioning and unnecessary admin consent requests

4. Automating app registration with Azure CLI

Use when you want to script or automate app registration instead of using the portal:

  • Open references/cli-commands.md for:
    • CLI prerequisites (az installation and az login)
    • Sample commands to create app registrations for:
      • Web applications with redirect URIs
      • Single Page Applications (SPA) with SPA redirect URIs
      • Public client apps (desktop/mobile)
      • Multi-tenant apps with different sign-in audience settings
    • Command snippets to update redirect URIs and other configuration

These examples can be adapted into shell scripts or CI/CD pipelines to ensure consistent app registration settings across environments.

5. Implementing MSAL in a console or backend app

Use when you need working code to authenticate and acquire tokens:

  • Open references/console-app-example.md to:
    • Set up a new console project (e.g., dotnet new console)
    • Install MSAL packages (e.g., Microsoft.Identity.Client for .NET)
    • Use complete sample programs that:
      • Configure ClientId, TenantId, and Scopes
      • Build a public client application instance
      • Acquire tokens interactively or silently from cache
      • Handle errors and print token results

You can copy these samples into your own project and replace placeholder values with your app registration details.

6. Using Azure Identity SDKs in various languages

Use when you want to use the Azure Identity libraries instead of calling MSAL directly:

  • Open the relevant language file from references/sdk/, such as:
    • azure-identity-dotnet.md
    • azure-identity-java.md
    • azure-identity-py.md
    • azure-identity-rust.md
    • azure-identity-ts.md
  • These guides align with references/auth-best-practices.md and explain how to:
    • Use DefaultAzureCredential for local development
    • Prefer ManagedIdentityCredential or workload identity in production
    • Configure environment-based credentials where appropriate

This helps you integrate app registrations with modern Azure SDK authentication patterns.

7. Troubleshooting common authentication issues

Use when you encounter typical Microsoft Entra ID errors:

  • Open references/troubleshooting.md to diagnose problems such as:
    • Redirect URI mismatches (e.g., AADSTS50011)
    • Invalid or expired client secrets
    • Permission and consent errors when calling APIs
    • Token validation and configuration issues
  • The guide includes:
    • Error message samples
    • Root cause explanations
    • Concrete actions, including Azure portal steps and Azure CLI commands

This can save time when debugging authentication and authorization failures in development or production.

Best practices and fit with other skills

Within references/auth-best-practices.md, the skill emphasizes:

  • Using managed identities plus Azure RBAC for production workloads hosted on Azure
  • Using DefaultAzureCredential primarily for local development, not production
  • Choosing targeted credentials (like ManagedIdentityCredential, ClientCertificateCredential, or workload identity) per environment for predictability and performance

Combine entra-app-registration with:

  • azure-rbac when you need to authorize access to Azure resources once your identity is configured
  • azure-keyvault-expiration-audit when you need to manage and audit secrets for client credentials stored in Key Vault
  • azure-security for broader security posture, policies, and compliance

FAQ

What problems does entra-app-registration solve?

entra-app-registration solves the practical setup and configuration issues that arise when you first work with Microsoft Entra ID app registrations. It gives structured guidance on how to:

  • Create an app registration correctly in the portal or via CLI
  • Choose account types and OAuth flows appropriate to your app
  • Configure redirect URIs, secrets, certificates, and service principals
  • Add the right API permissions and scopes for Microsoft Graph or custom APIs
  • Integrate MSAL and Azure Identity into real applications
  • Troubleshoot common error codes and misconfigurations

How do I install the entra-app-registration skill?

You install the skill from the microsoft/azure-skills repository. In a compatible environment, run:

npx skills add https://github.com/microsoft/azure-skills --skill entra-app-registration

After installation, the skill’s files (including SKILL.md and the references/ directory) are available to your agent, allowing it to answer questions about Microsoft Entra app registration and authentication.

Which files should I look at first after installing?

Start with:

  • SKILL.md – for the overall scope and guidance
  • references/first-app-registration.md – for a portal-based step-by-step setup
  • references/oauth-flows.md – to understand the correct OAuth 2.0 flow for your scenario
  • references/api-permissions.md – to choose and configure API permissions

Then, depending on your needs, follow up with references/cli-commands.md for automation, references/console-app-example.md for sample code, and references/troubleshooting.md for error resolution.

Does this skill help with Azure RBAC or resource roles?

Only indirectly. entra-app-registration focuses on app identity, OAuth flows, and API permissions. It does not cover Azure resource role assignments or RBAC configuration in depth. For that, you should pair it with the azure-rbac skill.

Can I use entra-app-registration with non-Microsoft clouds?

The skill is specifically about Microsoft Entra ID and the Microsoft identity platform. While the OAuth 2.0 concepts are general, the configuration steps, commands, and examples are targeted at Azure and Microsoft Entra ID tenants.

Is there code for multiple languages?

Yes. references/console-app-example.md provides console app examples in C#, Python, and Node.js using MSAL. Additionally, the references/sdk/ folder contains language-specific documents for Azure Identity libraries in .NET, Java, Python, Rust, and TypeScript.

How does this skill relate to Azure Key Vault usage?

entra-app-registration touches on authentication best practices and may mention storing secrets securely, but it does not provide full Key Vault secret lifecycle coverage. For auditing expiration and managing Key Vault secrets in depth, use the azure-keyvault-expiration-audit skill alongside this one.

What if I already have app registrations but they are misconfigured?

You can use references/troubleshooting.md to diagnose errors, then:

  • Compare your current app registration settings with the patterns in references/first-app-registration.md and references/oauth-flows.md
  • Fix redirect URIs, permissions, and secrets as guided
  • Validate your code against examples in references/console-app-example.md and the SDK documents

The skill is useful both for greenfield setups and for correcting existing configurations.

Where can I see all available documents in this skill?

Open the Files or Sources tab for the entra-app-registration skill in your environment. You can explore:

  • SKILL.md
  • The references/ folder for topic-specific guides (API permissions, OAuth flows, CLI commands, console examples, troubleshooting)
  • The references/sdk/ subfolder for language-specific Azure Identity examples

Browsing this tree gives you a complete view of all the guidance packaged in the skill.

Ratings & Reviews

No ratings yet
Share your review
Sign in to leave a rating and comment for this skill.
G
0/10000
Latest reviews
Saving...