entra-app-registration
**WORKFLOW SKILL** — Guides Microsoft Entra ID app registration, OAuth 2.0 authentication, and MSAL integration. WHEN: "create app registration", "register Azure AD app", "configure OAuth", "add API permissions", "generate service principal", "MSAL example", "Entra ID setup". DO NOT USE FOR: Azure RBAC (azure-rbac), Key Vault audits (azure-compliance), resource security scanning (azure-compliance).
71
86%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Passed
No known issues
Entra App Registration
Microsoft Entra ID (formerly Azure AD) is Microsoft's cloud identity and access-management service. This skill guides app registration, OAuth 2.0 flows, and MSAL integration.
For key concepts, application types, and the 3 common patterns (first-time
registration, console app with user auth, service-to-service), read
references/common-patterns.md.
Rules
- Prefer IaC for managing app registrations when the project uses IaC, scales to many apps, or needs audit history (see
references/BICEP-EXAMPLE.bicep) - Prefer certificates or federated identity credentials over client secrets in production
- Store client secrets in Key Vault — never commit them; rotate regularly; copy the value immediately on creation (only shown once)
- Grant least-privilege API permissions — only the scopes the app actually uses
- CLI for ad-hoc, IaC for production — see
references/cli-commands.md - Out of scope: Azure RBAC (azure-rbac), Key Vault audits (azure-compliance), resource security scanning (azure-compliance)
Core Workflow
Five-step procedure (full per-step detail in
references/core-workflow.md):
- Register the Application — portal, CLI (
cli-commands.md), or IaC (BICEP-EXAMPLE.bicep) - Configure Authentication — redirect URIs / token settings per app type
- Configure API Permissions — Graph and custom-API scopes (
api-permissions.md) - Create Client Credentials — secret / certificate / federated identity (Key Vault)
- Implement OAuth Flow — code integration (
oauth-flows.md,console-app-example.md)
Microsoft Authentication Library (MSAL)
Recommended library for integrating with the Microsoft identity platform:
- .NET / C# —
Microsoft.Identity.Client - JavaScript / TypeScript —
@azure/msal-browser,@azure/msal-node - Python —
msal
Examples: references/console-app-example.md.
SDK quick references in references/sdk/ (azure-identity + key-vault, per language).
Security Best Practices
Never hardcode secrets · rotate regularly · prefer certificates over secrets in production · least-privilege API permissions · enable MFA · use managed identity for Azure-hosted apps · validate tokens (issuer / audience / expiration) · HTTPS-only redirect URIs (per the canonical security baseline) · monitor sign-ins via Entra ID logs.
Full details in
references/auth-best-practices.md.
Reference Index
| Reference | When to Load |
|---|---|
references/common-patterns.md | Key concepts, app types, 3 common registration patterns |
references/core-workflow.md | Full per-step procedure for app registration |
references/api-permissions.md | Graph and custom-API permission configuration |
references/auth-best-practices.md | Detailed security best practices |
references/cli-commands.md | Azure CLI reference for app registrations |
references/console-app-example.md | Complete working code examples (multiple languages) |
references/first-app-registration.md | Step-by-step guide for beginners |
references/oauth-flows.md | Detailed OAuth 2.0 flow explanations |
references/troubleshooting.md | Common issues and solutions |
references/BICEP-EXAMPLE.bicep | Bicep template for IaC-managed app registration |
references/sdk/*.md | Language-specific SDK quick references |
- Repository
- jonathan-vella/azure-agentic-infraops
- Commit
05d7617
- Last updated
- Created
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.