Last modified by Sabrina V. on 2025/06/05 11:26
Show last authors
1 {{aagon.floatingbox/}}
2
3 Enterprise applications are often used as an interface between Microsoft Entra and internally used applications, for example to give employees access to Microsoft 365. To do this, you need to register one or more applications centrally. This chapter provides an introduction to how you can register enterprise applications and assign permissions to them. It applies to the following areas of application:
4
5 * [[Intune Management>>doc:ACMP.68.ACMP-Solutions.Intune Management.WebHome]]
6 * [[Microsoft 365>>doc:ACMP.68.ACMP-Solutions.Lizenzmanagement.Microsoft 365.WebHome]]
7 * [[Setting up OAuth2 on the ACMP Server>>doc:ACMP.68.ACMP-Solutions.System.Einstellungen.ACMP Server.OAuth2 am ACMP Server einrichten.WebHome]]
8 * [[ACMP Intune Connector>>doc:ACMP.68.ACMP-Solutions.Client-Management.ACMP Intune Connector.WebHome]]
9
10 = Preparing for the Microsoft Entra ID =
11
12 In order to work in one of the above application areas, you must first open the Microsoft Entra Admin Centre and register a company application. You will then need to grant the necessary permissions within that application. These steps are necessary to enable ACMP to access and import the required data.
13
14 == Register an Enterprise Application ==
15
16 First, log in to your [[Microsoft Entra ID>>url:https://aad.portal.azure.com/]]. Click the Identity > Manage tab > //Enterprise Applications// and create a new application registration.
17
18 [[App registrations in Microsoft Entra ID>>image:68_Unternehmensanwendung registrieren_App Registrierung Oberfläche_1919.png]]
19
20 Enter all the necessary information there: Assign an app name and select the accounts to be supported. Complete the process by clicking //Register//.
21
22 [[Register an application>>image:68_Unternehmensanwendung registrieren_App Registrierung neue anlegen_1919.png]]
23
24 When you open the application you have created, you will see a summary of the information you have added. This includes the display name, details of the supported account types and the various IDs (application, object and directory ID). You will need the latter details (the IDs) if, for example, you want to create a new portal for Microsoft 365.
25
26 [[Summary of application information>>image:68_Unternehmensanwendung registrieren_Zusammenfassung der Anwendungsinformationen_1919.png]]
27
28 == Distribute permissions ==
29
30 Next, grant the company application the necessary permissions so that it can access the interface. To do this, switch to the Permissions area within the registered app (//Manage// > //API permissions//).
31
32 [[Add permissions>>image:68_Unternehmensanwendung registrieren_Berechtigungen hinzufügen_1919.png]]
33
34 Add permissions Click on //Add permission. //A page will open where you can request API permissions. In this step, you must select //Microsoft Graph//.
35
36 [[API permissions: Request Microsoft Graph>>image:68_Unternehmensanwendung registrieren_API-Berechtigungen Microsoft Graph anfordern_850.png||data-xwiki-image-style-alignment="center" height="722" width="701"]]
37
38 Depending on the area for which you want to grant authorisations, a distinction is made between ‘Delegated authorisations’ and ‘Application authorisations’. The tables below show the authorisations that you must insert here for the respective area.
39
40 === Microsoft 365 ===
41
42 **Only the application permissions are required to use Microsoft 365. Insert the following values individually and repeat the procedure until both list entries have been added:**
43
44 |**Type: Application**
45 |User.Read.All
46 |Organization.Read.All
47
48 {{aagon.warnungsbox}}
49 Only the application authorisations need to be assigned, not the delegated authorisations!
50 {{/aagon.warnungsbox}}
51
52 === Setting up OAuth 2 on the ACMP Server ===
53
54 |**Type: Delegated**
55 |IMAP.AccessAsUser.All
56 |POP.AccessAsUser.All
57 |SMTP.Send
58 |offline_access
59
60 === ACMP Intune Connector ===
61
62 |**Type: Delegated**|**Type: Applicatione**
63 |DeviceManagementManagedDevices.Read.All|DeviceManagementApps.Read.All
64 |DeviceManagementManagedDevices.ReadWrite.All|DeviceManagementConfiguration.Read.All
65 |User.Read|DeviceManagementManagedDevices.PrivilegedOperations.All
66 | |DeviceManagementManagedDevices.Read.All
67 | |DeviceManagementManagedDevices.ReadWrite.All
68 | |DeviceManagementServiceConfig.Read.All
69
70 Once you have selected all permissions, click //Add permissions//. You can then see the items in the overview (the following example describes the application permissions added for Microsoft 365).
71
72 [[Grant application permissions (without consent)>>image:68_Unternehmensanwendung registrieren_Anwendungsberechtigungen erteilen_1914.png]]
73
74 You may need to grant your consent to the permissions if you have not already done so. To do this, click on the field //Grant administrator consent for ‘%Your company%’//. This changes the status and the user consent is deployed.
75
76 [[Approved application authorisations>>image:68_Unternehmensanwendung registrieren_Status gewährt_1919.png]]
77
78 = Specify authentication types: **Secret client key or upload certificates** =
79
80 Regardless of the application, you must specify authentication types for all areas. You can choose between two methods supported by the Microsoft Client Credentials Provider: //Certificate// or //Secret Client Key//.
81
82 {{aagon.infobox}}
83 The procedure varies depending on the authentication type selected. Read below to find out what you need to bear in mind for each method.
84 {{/aagon.infobox}}
85
86 == Upload certificate ==
87
88 {{aagon.infobox}}
89 Due to the higher security level, Microsoft recommends using a certificate as login information.
90 {{/aagon.infobox}}
91
92 Certificates can be used as an authentication method to log in to Microsoft Entra ID. A certificate always consists of a public and a private part, with the public key being loaded directly into Microsoft Entra ID. Both parts are required at a later stage when you add the certificate to the connection information for creating a new portal. This certificate pair must be generated in advance. Read here how to create a certificate via [[Microsoft>>url:https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Cportal]] or Open SSL. Due to the higher security level, Microsoft recommends using a certificate as login information
93
94 {{aagon.infobox}}
95 The PKCS#12 or PFX/P12 format is often used for certificates. This is not supported by ACMP, as the certificate and key files are combined in a single file. However, you can use the OpenSSL commands openssl pkcs12 -in path.p12 -out newfile.crt -clcerts –nokeys for the certificate and openssl pkcs12 -in path.p12 -out newfile.pem -nocerts –nodes for the private key to generate two files from the file.
96 You can find continuing info on this topic in the section [[Managing certificates>>doc:ACMP.68.ACMP-Solutions.System.Einstellungen.ACMP Server.WebHome||anchor="HEnde-zu-Ende-VerschlFCsselung"]].
97 {{/aagon.infobox}}
98
99 Navigate to the //Certificates & Secrets// item within the previously registered application. Click on the //Certificates //tab in the details and upload the certificate you created earlier.
100
101 [[Upload a certificate>>image:68_Unternehmensanwendung registrieren_Zertifikat_1915.png]]
102
103 A field will open on the right-hand side where you can upload the certificate. Browse to the appropriate folder, upload the file and enter an optional description for the certificate. Then click //Add// and the certificate will be stored for the application.
104
105 {{aagon.infobox}}
106 Please note that only .cer, .pem and .crt file types are supported when uploading a certificate.
107 {{/aagon.infobox}}
108
109
110 [[Certificate uploaded to Microsoft Entra>>image:68_Unternehmensanwendung registrieren_Hochgeladenes Zertifikat in Microsoft Entra_1919.png]]
111
112 == Add secret client key ==
113
114 The secret client key is a character string that is used in the company application as an authentication key or proof of identity when requesting the token. To do this, switch to the //Certificates & Secrets// area within the registered application. Click on the //Secret Client Keys //tab in the details and create a new key.
115
116 [[Secret client key>>image:68_Unternehmensanwendung registrieren_Geheimen Clientschlüssel_1919.png]]
117
118 When creating a new secret client key, you have the option of configuring its validity period. Please note that once the validity period has expired, a new key must be created and stored.
119
120 [[Add secret client key>>image:68_Unternehmensanwendung registrieren_Geheimen Clientschlüssel hinzufügen_1919.png||alt="68_Unternehmensanwendung registrieren_Geheimen Clientschlüssel_1919.png"]]
121
122 {{aagon.infobox}}
123 If you want to use the secret client key for the ACMP Intune Connector, you must create a new key after the validity period has expired and store it in the AESB.
124 {{/aagon.infobox}}
125
126 {{aagon.infobox}}
127 You will need the secret client key you created at a later point (e.g. when setting up AESB or in Microsoft 365 to create new portals in the ACMP Console). Therefore, save the secret client key so that you can access it later.
128 {{/aagon.infobox}}
129
130 = Next steps =
131
132 Now that you have registered the company application and granted the necessary permissions, you can switch to the respective application area and continue with your work:
133
134 * [[Intune Management>>doc:ACMP.68.ACMP-Solutions.Intune Management.WebHome]]
135 * [[Microsoft 365>>doc:ACMP.68.ACMP-Solutions.Lizenzmanagement.Microsoft 365.WebHome]]
136 * [[Setting up OAuth2 on the ACMP Server>>doc:ACMP.68.ACMP-Solutions.System.Einstellungen.ACMP Server.OAuth2 am ACMP Server einrichten.WebHome]]
137 * [[ACMP Intune Connector>>doc:ACMP.68.ACMP-Solutions.Client-Management.ACMP Intune Connector.WebHome]]
138
© Aagon GmbH 2025
Besuchen Sie unsere neue Aagon-Community