Register an Azure AD Client Application

To enable SSPM to access information through the Microsoft Graph API, you register a client app in Azure.
For certain Microsoft applications, SSPM performs its configuration scans by accessing the Microsoft Graph API. To enable SSPM to access this API, you create a client application in Azure AD with the necessary permissions and allow users in your organization to access the application. During onboarding, SSPM prompts for the Client ID that uniquely identifies your application.
  1. Identify the administrator account that you will use to register the client application in Azure.
    Required Permissions: The account must have Global Admin privileges.
  2. Open a web browser to the Azure portal, and log in to the administrator account.
  3. Navigate to the App registrations page. To quickly navigate to this page, enter App registrations in the search field at the top of the page.
  4. Select + New registration.
  5. On the Register an application page, specify a name for the application and select Accounts in this organizational directory only as the supported account types that can access the application.
    The Register an application page contains an optional field for a redirect URI. Leave this field empty.
  6. Register the application.
    The browser displays a configuration page for your application.
  7. From the configuration page, copy the application's Client ID and paste it into a text file.
    Do not continue to the next step unless you have copied the Client ID. You will provide this information to SSPM during the onboarding process.
  8. Configure the application to be a public client application.
    1. From the left navigation pane, navigate to the Authentication settings.
      In the Advanced settings section of the Authentication page, set Allow public client flows to Yes.
    2. Save your changes.
  9. Configure permissions to enable SSPM to read your organization's directory data.
    1. From the left navigation pane, navigate to the API permissions settings.
    2. Select + Add a permission to open the Request API permissions page.
    3. On the Microsoft APIs tab of the Request API permissions dialog, select Microsoft Graph.
    4. Select Delegated permissions.
    5. From the list of permissions, select the Directory.Read.All permissions. To easily locate these permissions, use the search field to filter the list of permissions.
    6. Select Add permissions.
  10. On the Configured permissions page, select Grant admin consent for <your-organization>.
    A confirmation dialog displays. Select Yes in the dialog to confirm that users in your organization who access this application are granted Directory.Read.All permissions.
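
To confirm that a registration matches steps 5, 8 and 9, the following added example (not part of the original page or of SSPM) audits an application object as returned by Microsoft Graph, for instance the JSON output of `az ad app show --id <client-id>`. The two GUID constants are Microsoft's published identifiers for Microsoft Graph and its Directory.Read.All permission; the function name and both sample objects are constructed for illustration. Admin consent (step 10) is not stored on the application object and is not checked here.

```python
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"        # Microsoft Graph
DIRECTORY_READ_ALL = "06da0dbc-49e2-44d2-8312-53f166ab848a"  # delegated (Scope) permission id

def audit_registration(app: dict) -> list:
    """Return findings where an application object deviates from the steps above."""
    findings = []
    if app.get("signInAudience") != "AzureADMyOrg":
        findings.append("step 5: supported account types is not this directory only")
    uris = [u for key in ("web", "spa", "publicClient")
            for u in (app.get(key) or {}).get("redirectUris") or []]
    if uris:
        findings.append(f"step 5: redirect URI field should be empty, found {uris}")
    if app.get("isFallbackPublicClient") is not True:
        findings.append("step 8: Allow public client flows is not set to Yes")
    requested = {(r.get("resourceAppId"), a.get("id"), a.get("type"))
                 for r in app.get("requiredResourceAccess") or []
                 for a in r.get("resourceAccess") or []}
    wanted = (GRAPH_APP_ID, DIRECTORY_READ_ALL, "Scope")
    if wanted not in requested:
        findings.append("step 9: delegated Directory.Read.All is not requested")
    extra = requested - {wanted}
    if extra:
        findings.append(f"least privilege: {len(extra)} permission(s) beyond step 9")
    return findings

# Constructed sample: an object that matches the procedure.
GOOD = {
    "signInAudience": "AzureADMyOrg",
    "isFallbackPublicClient": True,
    "web": {"redirectUris": []},
    "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
        {"id": DIRECTORY_READ_ALL, "type": "Scope"}]}],
}
# Constructed sample: multi-tenant, public client flows off, a redirect URI, and the
# application (Role) form of Directory.Read.All instead of the delegated one.
DRIFTED = {
    "signInAudience": "AzureADMultipleOrgs",
    "isFallbackPublicClient": False,
    "web": {"redirectUris": ["https://app.example.invalid/callback"]},
    "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
        {"id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61", "type": "Role"}]}],
}

if __name__ == "__main__":
    for name, app in (("GOOD", GOOD), ("DRIFTED", DRIFTED)):
        print(name, audit_registration(app) or "matches the documented settings")
```

Running the same check after onboarding also catches later drift, such as extra Graph permissions added to the registration.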
