
Register an application for a client that needs access to APIs

Register one application to represent your client application in the dev/test/staging environments and one to represent the production environment. Having separate apps for test and production prevents testing credentials from being used to access the production environment. (Start with the test environment and complete the production registration when the app is ready for release.)

Step 1 - Register new application

(Azure AD/App Registrations)

AD App registration

Click the "New Registration" button.

Give the application a name in the format → {consuming system name}-api-client-[test | prod].

Example: certiq-malmberget-api-client-test

Select Supported Account Type = "Accounts in this organizational directory only (LKAB only - Single tenant)"

Leave Redirect URL empty and click "Register"

Step 2 - Application URI/Audience

There is no need to give the application a human-readable Application ID URI as we are not going to refer to this application from other applications.

Step 3 - Authentication

(Azure AD/App Registrations/Authentication)

Add the redirect URIs that will be used for this app. Avoid using implicit flow.
Note: No redirect URI is needed for the client credentials flow.

Add a redirect URI

Step 4 - API Permissions

(Azure AD/App Registrations/API permissions)

First, if not needed, remove the User.Read permission. It is added by default but is usually not needed.

Then add the necessary permissions to access the APIs. Click on "Add a permission" and search for the API.

Client request permissions

If the permissions are linked to the user, select Delegated permissions and choose the scope(s). Any application roles for the user will be automatically added to the token.

Client request delegated permissions

If the permissions should be linked to this client (background service) without any user interaction, choose to add Application permissions and select the role(s) that this client needs to access the APIs. You probably need to get admin consent to grant the permission; please contact the API Management Team.

Client request application permissions

Step 5 - Certificates and secrets

(Azure AD/App Registrations/Certificates and secrets)

If this is a client for a background service, it needs a secret to request tokens. Add a secret, give it a useful name, and keep the lifetime as short as possible. Also keep in mind not to "reuse" credentials: if a secret is needed for testing, add a new secret and remove it once the testing is done.

Client secrets
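
As an added example (not part of the original page), the following Python check audits an application object, in the JSON shape returned by `az ad app show` or Microsoft Graph, against steps 1 to 5 above. The 180-day secret lifetime limit and the sample registration are assumptions made for the example.

```python
from datetime import datetime, timedelta
import re

# Well-known Microsoft Graph IDs: the Graph resource app and its User.Read scope.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
USER_READ_ID = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"
NAME_RE = re.compile(r"^.+-api-client-(test|prod)$")  # naming format from step 1
MAX_SECRET_LIFETIME = timedelta(days=180)  # assumption: local policy, not from the page

def parse_ts(value):
    # Keep only YYYY-MM-DDTHH:MM:SS so fractional seconds and "Z" do not matter.
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S")

def audit_app(app):
    """Return a list of findings for one application object."""
    findings = []
    if not NAME_RE.match(app.get("displayName", "")):
        findings.append("name does not follow {system}-api-client-[test|prod]")
    if app.get("signInAudience") != "AzureADMyOrg":  # single-tenant value
        findings.append("not single tenant")
    implicit = (app.get("web") or {}).get("implicitGrantSettings") or {}
    if implicit.get("enableAccessTokenIssuance") or implicit.get("enableIdTokenIssuance"):
        findings.append("implicit flow enabled")
    for res in app.get("requiredResourceAccess", []):
        ids = {a["id"] for a in res.get("resourceAccess", [])}
        if res.get("resourceAppId") == GRAPH_APP_ID and USER_READ_ID in ids:
            findings.append("User.Read is still requested; remove it if not needed")
    for cred in app.get("passwordCredentials", []):
        label = cred.get("displayName") or cred.get("keyId", "?")
        if not cred.get("displayName"):
            findings.append(f"secret {label} has no name")
        lifetime = parse_ts(cred["endDateTime"]) - parse_ts(cred["startDateTime"])
        if lifetime > MAX_SECRET_LIFETIME:
            findings.append(f"secret {label} lives longer than {MAX_SECRET_LIFETIME.days} days")
    return findings

# Constructed sample registration (not a real application).
SAMPLE = {
    "displayName": "certiq-malmberget-api-client-test",
    "signInAudience": "AzureADMyOrg",
    "web": {"implicitGrantSettings": {"enableAccessTokenIssuance": False,
                                      "enableIdTokenIssuance": True}},
    "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID,
                                "resourceAccess": [{"id": USER_READ_ID, "type": "Scope"}]}],
    "passwordCredentials": [{"displayName": "ci-test", "keyId": "k1",
                             "startDateTime": "2024-01-01T00:00:00Z",
                             "endDateTime": "2026-01-01T00:00:00Z"}],
}

if __name__ == "__main__":
    print("\n".join(audit_app(SAMPLE)))
```
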

Microsoft Identity Platform

App permissions (delegated permissions)

Permissions and Consent

App scenarios and authentication flows

Access control

RBAC access control for application developers

Add app roles to your application

Libraries for getting and validating access tokens

Microsoft Authentication Library (MSAL)