Last modified by Sabrina V. on 2025/07/21 09:44
Show last authors
1 {{aagon.floatingbox/}}
2
3 Enterprise applications are often used as an interface between Microsoft Entra and internally used applications, for example to give employees access to Microsoft 365. To do this, you need to register one or more applications centrally. This chapter provides an introduction to how you can register enterprise applications and assign permissions to them. It applies to the following areas of application:
4
5 * [[Intune Management>>doc:ACMP.68.ACMP-Solutions.Intune Management.WebHome]]
6 * [[Microsoft 365>>doc:ACMP.68.ACMP-Solutions.Lizenzmanagement.Microsoft 365.WebHome]]
7 * [[Setting up OAuth2 on the ACMP Server>>doc:ACMP.68.ACMP-Solutions.System.Einstellungen.ACMP Server.OAuth2 am ACMP Server einrichten.WebHome]]
8 * [[ACMP Intune Connector>>doc:ACMP.68.ACMP-Solutions.Client-Management.ACMP Intune Connector.WebHome]]
9
10 = Preparing for the Microsoft Entra ID =
11
12 In order to work in one of the above application areas, you must first open the Microsoft Entra Admin Centre and register a company application. You will then need to grant the necessary permissions within that application. These steps are necessary to enable ACMP to access and import the required data.
13
14 == Register an Enterprise Application ==
15
16 First, log in to your [[Microsoft Entra ID>>url:https://aad.portal.azure.com/]]. Click the Identity > Manage tab > //Enterprise Applications// and create a new application registration.
17
18 [[App registrations in Microsoft Entra ID>>image:68_Unternehmensanwendung registrieren_App Registrierung Oberfläche_1919.png]]
19
20 Enter all the necessary information there: Assign an app name and select the accounts to be supported.
21
22 {{box}}
23 **Note for [[setting up OAuth2 on the ACMP Server>>doc:ACMP.68.ACMP-Solutions.System.Einstellungen.ACMP Server.OAuth2 am ACMP Server einrichten.WebHome]]:**
24 If only one account from the organisation directory is allowed to access it, you must select the first option. Under the redirect URI, you must enter the following: https://login.microsoftonline.com/common/oauth2/nativeclient
25 Register the application as //Public client/native (mobile & desktop)//.
26 {{/box}}
27
28 Complete the process by clicking //Register//.
29
30 [[Register an application>>image:68_Unternehmensanwendung registrieren_App Registrierung neue anlegen_1919.png]]
31
32 When you open the application you have created, you will see a summary of the information you have added. This includes the display name, details of the supported account types and the various IDs (application, object and directory ID). You will need the latter details (the IDs) if, for example, you want to create a new portal for Microsoft 365.
33
34 [[Summary of application information>>image:68_Unternehmensanwendung registrieren_Zusammenfassung der Anwendungsinformationen_1919.png]]
35
36 == Distribute permissions ==
37
38 Next, grant the company application the necessary permissions so that it can access the interface. To do this, switch to the Permissions area within the registered app (//Manage// > //API permissions//).
39
40 [[Add permission>>image:68_Unternehmensanwendung registrieren_Berechtigungen hinzufügen_1919.png]]
41
42 Add permissions Click on //Add permission. //A page will open where you can request API permissions. In this step, you must select //Microsoft Graph/Intune//.
43
44 [[API permissions: Request Microsoft Graph>>image:68_Unternehmensanwendung registrieren_API-Berechtigungen Microsoft Graph anfordern_850.png||data-xwiki-image-style-alignment="center" height="722" width="701"]]
45
46 Depending on the area for which you want to grant authorisations, a distinction is made between ‘Delegated authorisations’ and ‘Application authorisations’. The tables below show the authorisations that you must insert here for the respective area.
47
48 === Intune Management ===
49
50 The following permissions are required to use Intune Management:
51
52 **Intune**
53
54 |**Type: Application**
55 |get_data_warehouse
56 |get_device_compliance
57
58 (% class="wikigeneratedid" %)
59 **Microsoft Graph**
60
61 |**Typ: Application**
62 |DeviceManagementApps.ReadWrite.All
63 |DeviceManagementConfiguration.Read.All
64 |DeviceManagementManagedDevices.PrivilegedOperations.All
65 |DeviceManagementManagedDevices.ReadWrite.All
66 |DeviceManagementServiceConfig.Read.All
67 |Group.ReadWrite.All
68 |GroupMember.ReadWrite.All
69 |User.ReadWrite.All
70 |Directory.ReadWrite.All
71
72 === Microsoft 365 ===
73
74 **Only the application permissions are required to use Microsoft 365. Insert the following values individually and repeat the procedure until both list entries have been added:**
75
76 |**Type: Application**
77 |User.Read.All
78 |Organization.Read.All
79
80 {{aagon.warnungsbox}}
81 Only the application authorisations need to be assigned, not the delegated authorisations!
82 {{/aagon.warnungsbox}}
83
84 === Setting up OAuth 2 on the ACMP Server ===
85
86 |**Type: Delegated**
87 |IMAP.AccessAsUser.All
88 |POP.AccessAsUser.All
89 |SMTP.Send
90 |offline_access
91
92 === ACMP Intune Connector ===
93
94 |**Type: Delegated**|**Type: Applicatione**
95 |DeviceManagementManagedDevices.Read.All|DeviceManagementApps.Read.All
96 |DeviceManagementManagedDevices.ReadWrite.All|DeviceManagementConfiguration.Read.All
97 |User.Read|DeviceManagementManagedDevices.PrivilegedOperations.All
98 | |DeviceManagementManagedDevices.Read.All
99 | |DeviceManagementManagedDevices.ReadWrite.All
100 | |DeviceManagementServiceConfig.Read.All
101
102 Once you have selected all permissions, click //Add permissions//. You can then see the items in the overview (the following example describes the application permissions added for Microsoft 365).
103
104 [[Grant application permissions (without consent)>>image:68_Unternehmensanwendung registrieren_Anwendungsberechtigungen erteilen_1914.png]]
105
106 You may need to grant your consent to the permissions if you have not already done so. To do this, click on the field //Grant administrator consent for ‘%Your company%’//. This changes the status and the user consent is deployed.
107
108 [[Approved application authorisations>>image:68_Unternehmensanwendung registrieren_Status gewährt_1919.png]]
109
110 = Specify authentication types: **Secret client key or upload certificates** =
111
112 Regardless of the application, you must specify authentication types for all areas. You can choose between two methods supported by the Microsoft Client Credentials Provider: //Certificate// or //Secret Client Key//.
113
114 {{aagon.infobox}}
115 The procedure varies depending on the authentication type selected. Read below to find out what you need to bear in mind for each method.
116 {{/aagon.infobox}}
117
118 == Upload certificate ==
119
120 {{aagon.infobox}}
121 Due to the higher security level, Microsoft recommends using a certificate as login information.
122 {{/aagon.infobox}}
123
124 Certificates can be used as an authentication method to log in to Microsoft Entra ID. A certificate always consists of a public and a private part, with the public key being loaded directly into Microsoft Entra ID. Both parts are required at a later stage when you add the certificate to the connection information for creating a new portal. This certificate pair must be generated in advance. Read here how to create a certificate via [[Microsoft>>url:https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Cportal]] or Open SSL. Due to the higher security level, Microsoft recommends using a certificate as login information
125
126 {{aagon.infobox}}
127 The PKCS#12 or PFX/P12 format is often used for certificates. This is not supported by ACMP, as the certificate and key files are combined in a single file. However, you can use the OpenSSL commands openssl pkcs12 -in path.p12 -out newfile.crt -clcerts –nokeys for the certificate and openssl pkcs12 -in path.p12 -out newfile.pem -nocerts –nodes for the private key to generate two files from the file.
128 You can find continuing info on this topic in the section [[Managing certificates>>doc:ACMP.68.ACMP-Solutions.System.Einstellungen.ACMP Server.WebHome||anchor="HEnde-zu-Ende-VerschlFCsselung"]].
129 {{/aagon.infobox}}
130
131 Navigate to the //Certificates & Secrets// item within the previously registered application. Click on the //Certificates //tab in the details and upload the certificate you created earlier.
132
133 [[Upload a certificate>>image:68_Unternehmensanwendung registrieren_Zertifikat_1915.png]]
134
135 A field will open on the right-hand side where you can upload the certificate. Browse to the appropriate folder, upload the file and enter an optional description for the certificate. Then click //Add// and the certificate will be stored for the application.
136
137 {{aagon.infobox}}
138 Please note that only .cer, .pem and .crt file types are supported when uploading a certificate.
139 {{/aagon.infobox}}
140
141
142 [[Certificate uploaded to Microsoft Entra>>image:68_Unternehmensanwendung registrieren_Hochgeladenes Zertifikat in Microsoft Entra_1919.png]]
143
144 == Add secret client key ==
145
146 The secret client key is a character string that is used in the company application as an authentication key or proof of identity when requesting the token. To do this, switch to the //Certificates & Secrets// area within the registered application. Click on the //Secret Client Keys //tab in the details and create a new key.
147
148 [[Secret client key>>image:68_Unternehmensanwendung registrieren_Geheimen Clientschlüssel_1919.png]]
149
150 When creating a new secret client key, you have the option of configuring its validity period. Please note that once the validity period has expired, a new key must be created and stored.
151
152 [[Add secret client key>>image:68_Unternehmensanwendung registrieren_Geheimen Clientschlüssel hinzufügen_1919.png||alt="68_Unternehmensanwendung registrieren_Geheimen Clientschlüssel_1919.png"]]
153
154 {{aagon.infobox}}
155 If you want to use the secret client key for the ACMP Intune Connector, you must create a new key after the validity period has expired and store it in the AESB.
156 {{/aagon.infobox}}
157
158 {{aagon.infobox}}
159 You will need the secret client key you created at a later point (e.g. when setting up AESB or in Microsoft 365 to create new portals in the ACMP Console). Therefore, save the secret client key so that you can access it later.
160 {{/aagon.infobox}}
161
162 = Next steps =
163
164 Now that you have registered the company application and granted the necessary permissions, you can switch to the respective application area and continue with your work:
165
166 * [[Intune Management>>doc:ACMP.68.ACMP-Solutions.Intune Management.WebHome]]
167 * [[Microsoft 365>>doc:ACMP.68.ACMP-Solutions.Lizenzmanagement.Microsoft 365.WebHome]]
168 * [[Setting up OAuth2 on the ACMP Server>>doc:ACMP.68.ACMP-Solutions.System.Einstellungen.ACMP Server.OAuth2 am ACMP Server einrichten.WebHome]]
169 * [[ACMP Intune Connector>>doc:ACMP.68.ACMP-Solutions.Client-Management.ACMP Intune Connector.WebHome]]
170
© Aagon GmbH 2025
Besuchen Sie unsere Aagon-Community