
Register an application for an API to set permissions

Register one application to represent your back-end APIs in the dev/test/staging environments and a separate one to represent the production environment. Keeping test and production in separate app registrations prevents test credentials from granting access to production. (Start with the test environment and complete the production registration when the app is ready for release.)

Step 1 - Register new application

(Azure AD/App Registrations)

AD App Registration

Click the "New Registration" button.

Give the application a name in the format → <application short name>-api-<environment>.

Example certiq-malmberget-api-test

Select Supported Account Type = "Accounts in this organizational directory only (LKAB only - Single tenant)"

Leave Redirect URL empty and click "Register"

Click Branding & Properties in the left column and give the application an internal comment.

Example: Application to control access to the Epiroc Certiq APIs deployed in Malmberget

Step 2 - Application URI/Audience

Give the application a human-readable Application ID URI to make it easier to identify. This value is later used as the expected audience when verifying access tokens for the API.

App Registration URI

Click "Add an Application ID URI" and enter a name in the below format.

  • dev/test/staging → https://test.api.lkab.com/<application short name>
  • prod → https://api.lkab.com/<application short name>

Example https://test.api.lkab.com/certiq-malmberget

The URI does not have to match the actual URL used to reach the APIs.

Step 3 - API Permissions

(Azure AD/App Registrations/API Permissions)

Azure automatically adds a requested permission for the Microsoft Graph User.Read scope. It is usually not needed for an API application and can be removed.

Remove user read

If the API needs to call other APIs, add those permissions here so the API can request tokens for those other applications.

Step 4 - Expose an API

(Azure AD/App Registrations/Expose an API)

Scopes

Add any scopes; if you do not have any required scopes, use the application's short name as a default scope (at least one scope is required for the admin consent flow to work).

Add scope

Step 5 - Application Roles

(Azure AD/App Registrations/Roles)

At least one role is needed to be able to control access to the API.

Roles

Prefix the role name with the application's short name to make it possible to identify the application-specific roles in the access token.

Add Role

Example: certiq-malmberget-readers
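The authorization check the API itself should run once a token's signature, issuer and expiry have been verified by a JWT library or MSAL, as an added example (not part of this guide or any LKAB code): the audience must equal the App ID URI from Step 2, and the required app role from Step 5 is picked out of the `roles` claim by the short-name prefix. The audience, role name and sample claims are constructed values following the naming scheme above.

```python
"""Authorization checks for an API protected by the registration described above.

Added example, not from the original page. Assumes the caller has already
verified the token signature, issuer and expiry; the claim values are constructed.
"""
from __future__ import annotations

# Assumed configuration for one API registration, following the page's naming scheme.
APP_SHORT_NAME = "certiq-malmberget"
EXPECTED_AUDIENCES = {
    "https://test.api.lkab.com/certiq-malmberget",  # App ID URI from Step 2 (test)
}
REQUIRED_ROLE = "certiq-malmberget-readers"          # app role from Step 5


class AccessDenied(Exception):
    """Raised when the token does not authorize the request."""


def app_roles(claims: dict) -> set[str]:
    """Return only this application's roles from the token's 'roles' claim.

    The short-name prefix (Step 5) lets the API ignore roles that belong to
    other registrations if a token ever carries them.
    """
    return {r for r in claims.get("roles", []) if r.startswith(APP_SHORT_NAME + "-")}


def authorize(claims: dict, required_role: str = REQUIRED_ROLE) -> set[str]:
    """Enforce audience and role on decoded claims; return the granted app roles."""
    aud = claims.get("aud")
    # A token minted for another registration (e.g. the production audience
    # presented to the test API) is rejected even if it is otherwise valid.
    if aud not in EXPECTED_AUDIENCES:
        raise AccessDenied(f"token audience {aud!r} is not this API")
    granted = app_roles(claims)
    if required_role not in granted:
        raise AccessDenied(f"role {required_role!r} not granted")
    return granted


# Constructed sample claims (not a real token); the second role belongs to another app.
SAMPLE_CLAIMS = {
    "aud": "https://test.api.lkab.com/certiq-malmberget",
    "roles": ["certiq-malmberget-readers", "otherapp-admins"],
}

if __name__ == "__main__":
    print(authorize(SAMPLE_CLAIMS))  # {'certiq-malmberget-readers'}
```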

Microsoft Identity Platform

App permissions (delegated permissions)

Permissions and Consent

App scenarios and authentication flows

Access control

RBAC access control for application developers

Add app roles to your application

Libraries for getting and validating access tokens

Microsoft Authentication Library (MSAL)