Register an Azure AD Client Application


To enable SSPM to access information through the Microsoft Graph API, you register a client application in Azure AD.
For certain Microsoft applications, SSPM performs its configuration scans by accessing the Microsoft Graph API. To enable SSPM to access this API, you create a client application in Azure AD with the necessary permissions and allow users in your organization to access the application. During onboarding, SSPM prompts for the Client ID that uniquely identifies your application.
  1. Identify the administrator account that you will use to register the client application in Azure.
    Required Permissions: The account must have Global Admin privileges.
  2. Open a web browser to the Azure portal, and log in to the administrator account.
  3. Navigate to the App registrations page. To quickly navigate to this page, enter App registrations in the search field at the top of the page.
  4. Select + New registration.
  5. On the Register an application page, specify a name for the application and select Accounts in this organizational directory only as the supported account types that can access the application.
    The Register an application page contains an optional field for a redirect URI. Leave this field empty.
  6. Register the application.
    The browser displays a configuration page for your application.
  7. From the configuration page, copy the application's Client ID and paste it into a text file.
    Do not continue to the next step unless you have copied the Client ID. You will provide this information to SSPM during the onboarding process.
  8. Configure the application to be a public client application.
    1. From the left navigation pane, navigate to the Authentication settings.
      In the Advanced settings section of the Authentication page, set Allow public client flows to Yes.
    2. Save your changes.
  9. Configure permissions to enable SSPM to read your organization's directory data.
    1. From the left navigation pane, navigate to the API permissions settings.
    2. Select + Add a permission to open the Request API permissions page.
    3. On the Microsoft APIs tab of the Request API permissions dialog, select Microsoft Graph.
    4. Select Delegated permissions.
    5. From the list of permissions, select the Directory.Read.All permissions. To easily locate these permissions, use the search field to filter the list of permissions.
    6. Select Add permissions.
  10. On the Configured permissions page, select Grant admin consent for <your-organization>.
    A confirmation dialog appears. Select Yes in the dialog to confirm that users in your organization who access this application are granted the Directory.Read.All permission.
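As an added example, not part of this page or of SSPM itself, the following Python check compares an application object (the shape returned by the Microsoft Graph /applications endpoint, or exported from the portal manifest) with the configuration the procedure above produces: single-tenant, public client flows enabled, no redirect URI, and only the delegated Directory.Read.All scope on Microsoft Graph. It assumes the well-known Microsoft Graph resource appId and the delegated Directory.Read.All permission id shown as constants, and the two sample application objects are constructed for the example.

```python
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource appId
# Permission id of the delegated (Scope) Directory.Read.All on Microsoft Graph
DIRECTORY_READ_ALL_SCOPE = "06da0dbc-49e2-44d2-8312-53f166ab848a"


def check_sspm_app(app: dict) -> list:
    """Compare an application object (shape of GET /applications/{id}) with the
    procedure above; returns a list of findings, empty when it matches."""
    findings = []
    if app.get("signInAudience") != "AzureADMyOrg":
        findings.append("not single-tenant: signInAudience should be AzureADMyOrg")
    if app.get("isFallbackPublicClient") is not True:
        findings.append("Allow public client flows is not set to Yes")
    if (app.get("web") or {}).get("redirectUris"):
        findings.append("redirect URI present; the procedure leaves it empty")
    if app.get("passwordCredentials") or app.get("keyCredentials"):
        findings.append("secret/certificate present on a public client app")
    have_scope = False
    for res in app.get("requiredResourceAccess", []):
        if res.get("resourceAppId") != GRAPH_APP_ID:
            findings.append("permission on an API other than Microsoft Graph")
            continue
        for acc in res.get("resourceAccess", []):
            if acc.get("type") == "Role":  # application permission: broader than needed
                findings.append("application (Role) permission %s present" % acc.get("id"))
            elif acc.get("id") == DIRECTORY_READ_ALL_SCOPE:
                have_scope = True
            else:
                findings.append("extra delegated scope %s" % acc.get("id"))
    if not have_scope:
        findings.append("Directory.Read.All delegated permission missing")
    return findings


# Constructed sample objects, not real tenant data: one matching the procedure and
# one drifted to multi-tenant with an application-level permission instead.
GOOD_APP = {
    "displayName": "SSPM-Client", "signInAudience": "AzureADMyOrg",
    "isFallbackPublicClient": True, "web": {"redirectUris": []},
    "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID,
        "resourceAccess": [{"id": DIRECTORY_READ_ALL_SCOPE, "type": "Scope"}]}],
}
DRIFTED_APP = {
    "displayName": "SSPM-Client", "signInAudience": "AzureADMultipleOrgs",
    "isFallbackPublicClient": True,
    "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID,
        "resourceAccess": [{"id": "00000000-0000-0000-0000-000000000000", "type": "Role"}]}],
}
```

Admin consent itself is recorded on the application's service principal (its OAuth2 permission grants), not on the application object, so confirm that step separately.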