ITSP How To

How to Add an Azure AD App Registration

In order to have an application (Service Principal) registered in Azure AD, you need to do the following:

  1. Make yourself familiar with the Azure AD App Registration Requirements highlighted below.

  2. Fill in the following template: Azure AD Application Registration Template

    • Specify the Custom App Role(s) to be created, each with a description.
  3. Submit an Operational Change Request for ICS Infrastructure and attach the template above.

    danger

    In case you have a general OCM Technical Change or a Project, make a reference to it in the Operational Change Request.

    As a result of an Application (Service Principal) Registration you will receive an Excel file with the necessary data about the registered application. Additionally, you may require information about Endpoints, which you can find below in the corresponding section.

    note

    If you need a registration in the JTILAB Domain, follow the same process, just highlight in the CR Description that it should be a JTILAB registration.

    danger

    By requesting an Azure AD Application Registration you automatically become the Owner of that App Registration. You will be in charge of approving any changes to it. You will also be fully responsible for the secure storage and non-disclosure of the Application Secret keys. We strongly recommend storing them in an EPV safe. You must also ensure that Secret Keys are never used anywhere in clear text. Any application that uses Secret Keys should have strong methods for encrypting them.

    By placing an Azure AD Application Registration request you confirm the statements above.

    KB Article: How to request Azure AD App Registration

How to Assign App Permission(s) for your Application

  1. Submit an Operational Change Request for ICS Infrastructure and specify the following information:

    • App Display Name
    • App ID
    • App permission to be added, as well as the App ID / App registration name the role comes from.

    note

    If you don't have this information, then specify the CR# of the initial Azure AD App Registration.

    • Detailed description of the changes that need to be made (for example: add the "User.Read.All" permission of type "Delegated").
    • Detailed description of why those changes are required and how they will be used.

    Depending on the type of changes, such a CR may be sent to IT Security for review and approval. If the information above is missing or not complete enough, they will not be able to approve it.
    danger

    Each Azure AD App Registration has an owner assigned. By default it is the person who requested the registration (unless they explicitly nominate someone else). Therefore, any changes to an existing Azure AD App Registration must be confirmed with the related owner. The ICS team keeps an inventory of all Azure AD Apps with their assigned owners. For each CR requesting changes to an Azure AD App Registration, we verify that it comes from the owner. If not, we will ask the requester to collect an Email Approval from the corresponding owner and attach it to the Change Request.

    KB Article: How to request changes in an existing Azure AD App Registration