
App Registrations & API Permissions

30 mins

Understanding the Concept

App registrations define the identity configuration for applications that integrate with Microsoft Entra ID. When you register an app, you configure its authentication settings (sign-in audience), redirect URIs, API permissions, and credentials (client secrets or certificates). The registration is the application object, the definition of the app; the service principal is its instance in a tenant, and that is where consent grants and role assignments are recorded (the portal creates the service principal in your home tenant alongside the registration; other tenants get one on first consent).

API permissions come in two types: delegated permissions (the app acts on behalf of a signed-in user) and application permissions (the app acts as itself, with no user present). In a delegated call the app's effective rights are the intersection of the consented scopes and what the signed-in user is allowed to do; an application permission such as Mail.Read applies to every mailbox in the tenant, which is why application permissions always require admin consent. High-privilege delegated permissions (Directory.ReadWrite.All, for example) require admin consent as well.

User and admin consent settings control whether users can grant permissions to apps themselves or whether an administrator must approve. Configuring consent policies properly balances user productivity with security governance: too permissive and any user can hand mailbox or file access to an attacker's app; too restrictive and every legitimate integration stalls on an admin request.
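The delegated-versus-application distinction is visible in the access token itself: a delegated token carries an `scp` claim (space-separated scopes) plus the user's `oid` and `upn`, while an app-only token carries a `roles` claim and no user. The script below is an added example, not part of the course material; it constructs two unsigned sample tokens with fake tenant, app and user IDs (labelled as constructed in the code) and classifies them the way you would when reading a real token from a log or jwt.ms. Real tokens are signed and their signatures are verified by the resource API; only the claim layout is what this script is about.

```powershell
# Added example (not from the course): tell a delegated token from an
# app-only token by its claims. Both tokens are CONSTRUCTED below with fake
# tenant, app and user IDs and an "alg":"none" header; nothing here is signed.

function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function New-ConstructedJwt([hashtable]$Claims) {
    # Unsigned token: header.payload. with an empty signature segment.
    $header  = ConvertTo-Base64Url (@{ alg = 'none'; typ = 'JWT' } | ConvertTo-Json -Compress)
    $payload = ConvertTo-Base64Url ($Claims | ConvertTo-Json -Compress)
    "$header.$payload."
}

function ConvertFrom-JwtPayload([string]$Token) {
    # Decode the middle (payload) segment; restore base64 padding first.
    $b64 = ($Token -split '\.')[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Get-TokenPermissionKind([string]$Token) {
    $c = ConvertFrom-JwtPayload $Token
    if ($c.PSObject.Properties['scp']) {
        # Delegated: "scp" holds the consented scopes and a user is present.
        # Effective rights = these scopes INTERSECT what that user may do.
        [pscustomobject]@{ Kind = 'Delegated'; Principal = $c.upn; Permissions = $c.scp -split ' ' }
    }
    elseif ($c.PSObject.Properties['roles']) {
        # Application: "roles" holds app roles granted by admin consent. There
        # is no user, so Mail.Read here means every mailbox in the tenant.
        [pscustomobject]@{ Kind = 'Application'; Principal = $c.appid; Permissions = @($c.roles) }
    }
    else {
        [pscustomobject]@{ Kind = 'None'; Principal = $c.appid; Permissions = @() }
    }
}

$tenant = '11111111-1111-1111-1111-111111111111'   # constructed tenant ID
$appId  = '22222222-2222-2222-2222-222222222222'   # constructed client ID

$delegated = New-ConstructedJwt @{
    aud = 'https://graph.microsoft.com'; iss = "https://sts.windows.net/$tenant/"
    appid = $appId; oid = '33333333-3333-3333-3333-333333333333'   # the user's object ID
    upn = 'alice@contoso.example'; scp = 'User.Read Mail.Read'
}
$appOnly = New-ConstructedJwt @{
    aud = 'https://graph.microsoft.com'; iss = "https://sts.windows.net/$tenant/"
    appid = $appId; oid = '44444444-4444-4444-4444-444444444444'   # the service principal's object ID
    roles = @('Mail.Read'); idtyp = 'app'                           # idtyp is an optional claim
}

Get-TokenPermissionKind $delegated | Format-List   # Kind: Delegated, Permissions: User.Read, Mail.Read
Get-TokenPermissionKind $appOnly   | Format-List   # Kind: Application, Permissions: Mail.Read
```

When you triage a suspicious Graph call, this is the first check: an `scp` token is bounded by one user's access and can be traced to that user's sign-in, while a `roles` token is bounded only by the tenant-wide grants an admin consented to, so the questions to ask about it are who consented, when, and whether the permission was ever needed.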

Key Points

  • App registration: Identity configuration (client ID, redirect URIs, credentials)
  • Delegated permissions: App acts on behalf of signed-in user
  • Application permissions: App acts independently, more powerful
  • Admin consent: Always required for application permissions, and for delegated permissions classified as high-privilege
  • User consent: Configurable - allow all apps, allow only low-impact permissions from verified publishers, or disable it and route requests through the admin consent workflow

App Registration Components

Step 1

Register App

Create the registration with its sign-in audience (single-tenant or multi-tenant), redirect URIs and platform config

Step 2

Credentials

Add a client secret or certificate for authentication; prefer a certificate, and give either a short expiry so rotation is routine

Step 3

API Permissions

Configure delegated or application permissions to APIs

Step 4

Consent

An administrator grants consent for the requested permissions; the grant is recorded on the app's service principal, so a permission listed on the registration alone gives the app nothing until it is consented

Step 5

App Roles

Define custom roles for fine-grained authorization
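The five steps above, carried out end to end with the Microsoft Graph PowerShell SDK. This is an added example, not code from the course; it assumes the SDK is installed and the signed-in account can create applications and grant consent. The display name, redirect URI, secret name and app role are hypothetical placeholders. Permission IDs are resolved by name from the Microsoft Graph service principal rather than hard-coded, which is also how you would verify a GUID someone pastes into a ticket.

```powershell
# Added example (not from the course): register an app, add a credential,
# request least-privilege permissions, grant admin consent, define an app role.
# Display name, redirect URI, secret name and role value are hypothetical.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'DelegatedPermissionGrant.ReadWrite.All'

# Step 1: Register the app. Single-tenant, and only the exact redirect URI we own.
$app = New-MgApplication -DisplayName 'Contoso Invoice Sync' `
    -SignInAudience 'AzureADMyOrg' `
    -Web @{ RedirectUris = @('https://invoices.contoso.example/auth/callback') }

# Step 2: Credential. Short-lived secret (a certificate is preferable; same
# cmdlet family: Add-MgApplicationKey). SecretText is shown only once: put it
# in your secret store now, never in source control.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'initial'
    EndDateTime = (Get-Date).AddMonths(6)
}

# Step 3: API permissions. Resolve IDs from the Graph service principal.
$graphSp  = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$userRead = $graphSp.Oauth2PermissionScopes | Where-Object Value -eq 'User.Read'   # delegated
$mailRead = $graphSp.AppRoles               | Where-Object Value -eq 'Mail.Read'   # application

Update-MgApplication -ApplicationId $app.Id -RequiredResourceAccess @(
    @{
        ResourceAppId  = $graphSp.AppId
        ResourceAccess = @(
            @{ Id = $userRead.Id; Type = 'Scope' }   # Scope = delegated permission
            @{ Id = $mailRead.Id; Type = 'Role'  }   # Role  = application permission
        )
    }
)
# Note: application Mail.Read reaches every mailbox. Scope it with an Exchange
# Online application access policy before this app goes anywhere near production.

# Step 4: Consent. Step 3 only recorded what the app asks for; the grants live
# on the service principal, so create it and consent for both permission types.
$sp = New-MgServicePrincipal -AppId $app.AppId

# Admin consent for the application permission = app role assignment to the SP.
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
    -PrincipalId $sp.Id -ResourceId $graphSp.Id -AppRoleId $mailRead.Id | Out-Null

# Admin consent for the delegated permission, on behalf of all users.
New-MgOauth2PermissionGrant -ClientId $sp.Id -ConsentType 'AllPrincipals' `
    -ResourceId $graphSp.Id -Scope 'User.Read' | Out-Null

# Step 5: App roles. This is the app's own authorization vocabulary; users or
# groups assigned to the role receive its Value in their token's "roles" claim.
Update-MgApplication -ApplicationId $app.Id -AppRoles @(
    @{
        Id                 = [guid]::NewGuid().ToString()
        AllowedMemberTypes = @('User')
        DisplayName        = 'Invoice Approver'
        Description        = 'Can approve synced invoices'
        Value              = 'Invoice.Approve'
        IsEnabled          = $true
    }
)

"Registered '$($app.DisplayName)': appId=$($app.AppId) servicePrincipalId=$($sp.Id) secretExpires=$($secret.EndDateTime)"
```

Two details in Step 4 are worth remembering for the exam and for incident response: the application permission is granted by an app role assignment whose principal is the app's own service principal, and the delegated grant with `ConsentType 'AllPrincipals'` is what "Grant admin consent for the organization" writes. Both are objects you can enumerate later with `Get-MgServicePrincipalAppRoleAssignment` and `Get-MgOauth2PermissionGrant`, which is how you answer "what can this app actually do?" without trusting the registration's wish list.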

Why This Matters in Real Organizations

Every custom application and third-party integration relies on app registrations. Misconfigured permissions can expose organizational data, while overly restrictive consent policies block legitimate business apps. Understanding this balance is critical for SC-300.

Common Mistakes to Avoid

Using Application permissions when Delegated would suffice
Not rotating client secrets before expiration
Granting broad permissions like Directory.ReadWrite.All unnecessarily
Allowing unrestricted user consent, which enables consent phishing: an attacker's app asks users to approve mailbox or file access, and once one user clicks Accept the attacker operates with a legitimately issued token and no password at all
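The mistakes above are all things you can check for mechanically. The audit below is an added example, not part of the course: it reports secrets that are expired or expiring within 30 days, apps that request broad Microsoft Graph permissions, and a tenant-wide user consent setting that still allows any user to consent to any app, with the remediation for that last finding behind a `$Remediate` switch. The 30-day threshold and the list of permissions treated as broad are this script's own choices; the permission grant policy names are the built-in Entra ones.

```powershell
# Added example (not from the course): audit app registrations for the common
# mistakes above. Threshold and "broad" list are this script's choices.
param([switch]$Remediate)

Connect-MgGraph -Scopes 'Application.Read.All', 'Policy.Read.All', 'Policy.ReadWrite.Authorization'

# Build an id -> readable name table from the Microsoft Graph service principal,
# so findings say "Directory.ReadWrite.All [Application]" instead of a GUID.
$graphSp  = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$permName = @{}
foreach ($r in $graphSp.AppRoles)               { $permName[$r.Id] = "$($r.Value) [Application]" }
foreach ($s in $graphSp.Oauth2PermissionScopes) { $permName[$s.Id] = "$($s.Value) [Delegated]" }

# Permissions that amount to tenant takeover if the app's credential leaks.
$broad = @('Directory.ReadWrite.All', 'RoleManagement.ReadWrite.Directory',
           'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All')
$now  = Get-Date
$soon = $now.AddDays(30)

foreach ($app in Get-MgApplication -All -Property Id,DisplayName,AppId,PasswordCredentials,RequiredResourceAccess) {

    # Mistake: secrets not rotated before expiry. Report anything inside the window.
    foreach ($cred in $app.PasswordCredentials) {
        if ($cred.EndDateTime -lt $soon) {
            $state = if ($cred.EndDateTime -lt $now) { 'EXPIRED' } else { 'EXPIRING' }
            '[{0}] "{1}" secret "{2}" ends {3:yyyy-MM-dd}' -f $state, $app.DisplayName, $cred.DisplayName, $cred.EndDateTime
        }
    }

    # Mistake: broad Graph permissions requested (delegated or application).
    $graphReq = $app.RequiredResourceAccess | Where-Object ResourceAppId -eq $graphSp.AppId
    foreach ($ra in $graphReq.ResourceAccess) {
        $name = $permName[$ra.Id]
        if ($name -and ($broad | Where-Object { $name -like "$_ *" })) {
            '[BROAD] "{0}" requests {1}' -f $app.DisplayName, $name
        }
    }
}

# Mistake: unrestricted user consent. The legacy policy lets any user grant any
# delegated permission to any app; the "-low" policy limits self-service consent
# to low-impact permissions from verified publishers.
$legacy = 'ManagePermissionGrantsForSelf.microsoft-user-default-legacy'
$low    = 'ManagePermissionGrantsForSelf.microsoft-user-default-low'
$policy = Get-MgPolicyAuthorizationPolicy
if ($policy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned -contains $legacy) {
    '[RISK] user consent is unrestricted (legacy policy assigned)'
    if ($Remediate) {
        Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
            PermissionGrantPoliciesAssigned = @($low)
        }
        "[FIXED] user consent restricted to $low"
    }
}
```

Run it read-only first; the findings list is what you take to the app owners. Switching the consent policy to the verified-publisher, low-impact option does not block integrations outright, it sends anything outside that bound to the admin consent workflow, so pair the change with enabling that workflow and naming reviewers, or users will simply see "need admin approval" with nowhere to send the request.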

Interview Tips

  • Explain delegated vs application permissions with examples
  • Discuss consent workflow and admin consent settings
  • Mention the principle of least privilege for API permissions

Exam Tips (SC-300)

  • Know the difference between delegated and application permissions
  • Understand admin consent vs user consent settings
  • Know how to configure consent policies
