How to configure Azure App registration for MS Graph

App registrations for MS Graph are really powerful: once permissions are granted, an app can raise any request within that set. In this article I want to explain what an app registration is, what it can be used for and where its boundaries lie. After establishing a common understanding, I will share my considerations about the security of app registrations. By the end of the article you will also understand how to create an app registration with the right permissions for MS Graph.

Before we start highlighting this topic, let’s answer the following question:

What is an app registration in Azure Active Directory?

Text with "What is an App registration?" with an iPhone in the background

An app registration in Azure Active Directory is an authentication and authorization layer to access Microsoft cloud services.

If we want our scripts to impersonate a user or to run as a backend automation, e.g. to get SharePoint sites with Microsoft Graph, we need to make sure that an app registration has been set up in Azure Active Directory. The app registration and the resulting enterprise application give us the ability to authenticate to Microsoft's cloud services and also authorize us for the actions we need to trigger. This means we do not depend on a functional account such as a service user if we want to run the code as an application, with no human interaction.

  • You can configure the app to run in the background. This is considered an app with “application permissions”.
  • Alternatively you can configure an app which impersonates someone. Here you would use “delegated permissions”.

Considerations about app registration in Azure Active Directory

In this section I want to give you an overview of what to consider in terms of security of app registrations in Azure Active Directory.

Permissions to create App registration for MS Graph

To create an app registration for MS Graph, your user account needs the proper permissions. By default, every user is permitted to create app registrations in the tenant. If you want to restrict this, change the setting on the User settings page for your organization (azure.com).

A screenshot of the app registration permission for users in Azure Portal

Even though every user is able to create an app registration, some permissions still have to be granted by a global administrator before they take effect. So it is actually not a bad idea to let users preconfigure their apps.

What permissions can be granted with an app registration in Azure Active Directory?

Before we set up an application registration, we need to think about the security requirements of our organization and answer the following questions accordingly. Since the app can have a big impact on the tenant, I suggest you also consult the security department of your organization to be on the safe side.

  • Will this script run in the background, e.g. as a scheduled task or as a runbook in an Azure Automation Account, or will it be used by personnel who can interact with the script and who are granted permission to the content?
    • If human interaction is acceptable, we should register the application with delegated permissions.
  • Does any security requirement, guide or policy restrict me from using an enterprise application?
    • If yes, we should think about an application registration with delegated permissions.

In general, I would strongly encourage you to think about your solution before you start assigning application permissions to your application registration. If a malicious user gets hold of the application ID and application secret, they will be able to perform any action in your tenant within the defined set of permissions.
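Because an application permission acts without a user, it is worth knowing which app registrations in the tenant already hold such permissions on Microsoft Graph and which credentials protect them. The following PowerShell script is an added example for this article (it is not the author's code) and assumes the Microsoft.Graph PowerShell SDK and an account that can read applications and service principals (Application.Read.All). It enumerates every granted Graph application permission, joins each to its app registration, lists the app's secrets and certificates with their expiry dates and flags permissions matching a simple "high impact" pattern (an assumed heuristic, not a Microsoft classification).

```powershell
# Added example, not from the original article.
# Assumes: Microsoft.Graph PowerShell SDK installed; signed-in account may read
# applications and service principals (Application.Read.All).
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

# Well-known appId of the Microsoft Graph resource. The role GUIDs are resolved from
# its service principal so that no permission IDs need to be hard-coded here.
$graphAppId = '00000003-0000-0000-c000-000000000000'
$graphSp    = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
$roleNames  = @{}
foreach ($role in $graphSp.AppRoles) { $roleNames[$role.Id] = $role.Value }

# Every app role assignment where Graph is the resource is a *granted* (consented)
# application permission, regardless of what the app merely requested.
$grants = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
    Group-Object PrincipalId

# Assumed heuristic for permissions that deserve a closer look.
$highImpactPattern = '\.ReadWrite\.All$|\.FullControl\.All$|^Directory\.|^RoleManagement\.'

$report = foreach ($g in $grants) {
    $sp       = Get-MgServicePrincipal -ServicePrincipalId $g.Name
    $appRoles = @($g.Group | ForEach-Object { $roleNames[$_.AppRoleId] })

    # Credentials live on the application object, not on the service principal.
    # Apps registered in another tenant (e.g. Microsoft first-party apps) have none here.
    $app = Get-MgApplication -Filter "appId eq '$($sp.AppId)'"
    if ($app) {
        $secrets = $app.PasswordCredentials | ForEach-Object {
            'secret {0} expires {1:yyyy-MM-dd}' -f $_.DisplayName, $_.EndDateTime }
        $certs   = $app.KeyCredentials | ForEach-Object {
            'certificate {0} expires {1:yyyy-MM-dd}' -f $_.DisplayName, $_.EndDateTime }
        $credentials = (@($secrets) + @($certs)) -join '; '
    } else {
        $credentials = 'n/a (app registered outside this tenant)'
    }

    [pscustomobject]@{
        DisplayName   = $sp.DisplayName
        AppId         = $sp.AppId
        GraphAppRoles = ($appRoles -join ', ')
        HighImpact    = [bool]($appRoles | Where-Object { $_ -match $highImpactPattern })
        Credentials   = $credentials
    }
}

$report | Sort-Object HighImpact -Descending | Format-Table -AutoSize
Disconnect-MgGraph | Out-Null
```

The script reads granted assignments from the Graph service principal rather than the RequiredResourceAccess of each app, since the latter only records what an app requested. Apps that show a long-lived client secret next to a high-impact permission are the ones to move to certificate authentication or to a narrower permission such as Sites.Selected.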

How to create an App registration for MS Graph?

To create an app registration, you need to browse to Azure Portal:
Register an application – Microsoft Azure

If you encounter this, your administrator has restricted the permission to create apps:

Screenshot of access denied page when creating an app registration

Otherwise, you should see this:

Screenshot of register an application in azure portal

Based on your use case you can choose between different supported account types:

  • Accounts in this organizational directory only (Contoso only – Single tenant)
    Use case: your app will be used to access resources within your own tenant.
  • Accounts in any organizational directory (Any Azure AD directory – Multitenant)
    Use case: your app will be used to access resources beyond your own tenant. This might make sense if your organization is a software provider and wants to grant access to its customers.
  • Accounts in any organizational directory (Any Azure AD directory – Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)
    Use case: as for the multitenant option, and in addition you enable users to sign in with different identity providers.
  • Personal Microsoft accounts only
    Use case: your app is a consumer-facing app. Not suitable for B2B or inter-organizational use.

In my case I want to get all SharePoint sites in my SharePoint tenant.

App registration for MS Graph

How to grant the least-privilege permission to the Azure application?

As per the Microsoft documentation, the following permissions are listed for getting all sites:

  • Sites.Read.All (Read items in all site collections): Allows the app to read documents and list items in all site collections without a signed-in user. Admin consent required: Yes
  • Sites.ReadWrite.All (Read and write items in all site collections): Allows the app to create, read, update, and delete documents and list items in all site collections without a signed-in user. Admin consent required: Yes
  • Sites.Manage.All (Create, edit, and delete items and lists in all site collections): Allows the app to manage and create lists, documents, and list items in all site collections without a signed-in user. Admin consent required: Yes
  • Sites.FullControl.All (Have full control of all site collections): Allows the app to have full control of SharePoint sites in all site collections without a signed-in user. Admin consent required: Yes
  • Sites.Selected (Access selected site collections): Allows the application to access a subset of site collections without a signed-in user. The specific site collections and the permissions granted are configured in SharePoint Online. Admin consent required: Yes

I am designing the Azure application to run in the background, therefore I am choosing the Application permission type, and as I am targeting least privilege, I am using Sites.Read.All.

In the following example I configure an Application permission with Sites.Read.All.

To configure it, switch to the API permissions blade.

API Permission Blade of the App Registration

To add the permission, click on “Add a permission”.

Add a permission screenshot of an app registration

As I want to add Graph permissions, I am clicking on Microsoft Graph.

App registration for MS Graph

Now you can choose between Delegated and Application permissions. In my case I am using Application permissions.

App registration for MS Graph

By searching for “sites” I get to the Sites permission section. Follow the numbers in the red circles to add the permission.

Screenshot of Sites.Read.All Permission

Now you need to make sure that a global administrator of the organization for which you are requesting the permission grants it. In my example I am requesting the permission for my own organization and, as I am the global administrator, I can grant it directly.

App registration for MS Graph with a hint how to grant permission for the current tenant

This is how it looks once the permission for the designated organization has been granted.

Screenshot of granted permission

In order to use the app registration, you need to configure its credentials: a certificate or a client secret.

This is done in the Certificates & secrets blade of your Azure app registration.

Screenshot of Certificates & secrets link

Now you have the option to create either a certificate or a secret.

I followed the Microsoft documentation to create a self-signed certificate. For security purposes, Microsoft recommends using a certificate issued by a certificate authority.

Create a self-signed public certificate to authenticate your application – Microsoft Entra | Microsoft Learn

Uploaded Certificate for the Azure App registration

With the uploaded certificate I can now use the Azure app registration to get all sites.

Below you can see that I was able to authenticate with my application and fetch all sites.
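The fetch shown above, written out as an added example for this article (not the author's own script): it authenticates as the app registration with the uploaded certificate via the Microsoft.Graph PowerShell SDK and pages through every site collection returned by Graph. The tenant ID, client ID and certificate thumbprint are parameters you supply; the certificate is assumed to be installed in the current user's certificate store.

```powershell
# Added example, not from the original article.
# Assumes: Microsoft.Graph PowerShell SDK installed; the private key of the certificate
# uploaded to the app registration is in the current user's certificate store.
param(
    [Parameter(Mandatory)] [string] $TenantId,               # tenant GUID or contoso.onmicrosoft.com
    [Parameter(Mandatory)] [string] $ClientId,               # Application (client) ID of the app registration
    [Parameter(Mandatory)] [string] $CertificateThumbprint   # thumbprint of the uploaded certificate
)

# Certificate-based client-credentials flow: no signed-in user and no secret in the script.
Connect-MgGraph -TenantId $TenantId -ClientId $ClientId `
    -CertificateThumbprint $CertificateThumbprint -NoWelcome

function Get-AllSharePointSites {
    # "search=*" enumerates all site collections; Sites.Read.All (application) is enough.
    # Graph returns at most one page per call, so follow @odata.nextLink until it is absent.
    $uri   = 'https://graph.microsoft.com/v1.0/sites?search=*'
    $sites = @()
    while ($uri) {
        $page   = Invoke-MgGraphRequest -Method GET -Uri $uri
        $sites += $page.value
        $uri    = $page.'@odata.nextLink'   # $null once the last page has been read
    }
    return $sites
}

$all = Get-AllSharePointSites
Write-Host "Fetched $($all.Count) sites"
$all | ForEach-Object {
    [pscustomobject]@{ DisplayName = $_.displayName; WebUrl = $_.webUrl }
} | Format-Table -AutoSize

Disconnect-MgGraph | Out-Null
```

Run it as `.\Get-Sites.ps1 -TenantId <tenant> -ClientId <app id> -CertificateThumbprint <thumbprint>` (file name and values are yours to choose). If the app had been granted Sites.Selected instead of Sites.Read.All, the same call would only return the site collections that were explicitly assigned to it in SharePoint Online.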

Further reading:

Authentication and authorization basics – Microsoft Graph | Microsoft Docs
