It's like searching and searching, and then finally landing on something that explains everything in a simple way that everyone can understand. Thanks a ton
Finally, someone who can explain this clearly so it makes sense to me. Many thanks for posting
Glad it helped. 👍
I was struggling to understand app registration and concepts and found this tremendously helpful. Amazing LinkedIn AZ500 class too. Thank you Pete, keep up the great work!
Thank you! Glad this was helpful. 👍
Great Azure content in easy to understand terms, keep it coming!
Great content - would like more on just the selection of "Web - redirect url" in Register an Application. Could you continue with the series and also add some diagrams relating to the various choices and scenarios? Like SaaS, where would you obtain the GUID and use it in an application to have permissions to the user's resources, which the identity management allows permission to access. Thank you.
Yes. Planning to produce an updated version in the next few weeks to address recent changes. Can add some guidance in areas you are suggesting.
Thanks Pete for clarifying this topic in simple words. Really helpful for me.
You're very welcome! ☺
awesome. crystal clear to me. thanks!
Excellent. Glad to hear that. Good luck! 🤞👍
Amazing | Simple and more practical.
Glad you liked 👍
awesome video!!! thanks for that.
Quick question - is a service principal similar to the service account in other cloud services? I believe a service account is the account with which our production jobs run instead of running with our own accounts.
It would be more accurate to say service principals avoid use of service accounts as they exist in on-premises Active Directory. You'll find a good read on service principals and managed identities at devblogs.microsoft.com/devops/demystifying-service-principals-managed-identities/
Excellent video. If I have several users that want to programmatically interact with files stored in (different) SharePoint sites via Graph API (with Python), do I create multiple apps and use application permissions and limit the scope to Sites.Selected for each? Or do I create one app registration for all users/sites and use delegated permissions? One app with delegated permissions is more manageable from an admin perspective, but on the user end they have to get and enter an access token, which means there's some interaction and more steps involved.
Per-site access is possible. Look at good blog posts here devblogs.microsoft.com/microsoft365dev/controlling-app-access-on-specific-sharepoint-site-collections/ and here mmsharepoint.wordpress.com/2021/08/18/accessing-sharepoint-sites-with-resource-specific-consent-rsc-and-microsoft-graph/
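Added example (not from the video or either commenter) for the delegated-versus-application choice discussed above. An app-only Graph token carries its application permissions in the `roles` claim, while a delegated token carries scopes in `scp`; the code builds constructed, unsigned tokens for both cases, decodes the payload for inspection only (no signature check, so never use this to authorize anything), and reports which model the token is using and whether `Sites.Selected` is present. The last function builds the request body for granting that app access to a single site via `POST /sites/{site-id}/permissions`, the per-site model the linked posts describe; the app ID and display name are placeholders.

```python
import base64
import json

# Constructed sample claims. A real token from Azure AD has many more claims
# and a real signature; these are the ones relevant to the permission model.
PLACEHOLDER_APP_ID = "11111111-2222-3333-4444-555555555555"  # assumption, not a real app

APP_ONLY_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "appid": PLACEHOLDER_APP_ID,
    "roles": ["Sites.Selected"],          # application permissions live here
}
DELEGATED_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "appid": PLACEHOLDER_APP_ID,
    "scp": "Sites.Read.All User.Read",    # delegated scopes live here, space separated
    "upn": "alice@contoso.example",       # a signed-in user is present
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT with an empty signature, purely so the decoder has input."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Read the payload WITHOUT verifying the signature.

    This is for looking at what a token carries (e.g. while debugging consent);
    a resource server must validate the signature, issuer, audience and expiry.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify_permissions(claims: dict) -> tuple:
    """Return ('application', roles) or ('delegated', scopes)."""
    if "scp" in claims:
        return "delegated", claims["scp"].split()
    if "roles" in claims:
        return "application", list(claims["roles"])
    return "none", []


def has_sites_selected(claims: dict) -> bool:
    """True only for an app-only token that was granted Sites.Selected."""
    kind, perms = classify_permissions(claims)
    return kind == "application" and "Sites.Selected" in perms


def sites_selected_grant_body(app_id: str, display_name: str, role: str) -> dict:
    """Body for POST https://graph.microsoft.com/v1.0/sites/{site-id}/permissions.

    With Sites.Selected the app can reach nothing until an admin posts this grant
    for each site; 'read' or 'write' are the roles validated here (assumption:
    other role names are not needed for the file-access scenario above).
    """
    if role not in ("read", "write"):
        raise ValueError("role must be 'read' or 'write'")
    return {
        "roles": [role],
        "grantedToIdentities": [
            {"application": {"id": app_id, "displayName": display_name}}
        ],
    }


if __name__ == "__main__":
    for name, claims in (("app-only", APP_ONLY_CLAIMS), ("delegated", DELEGATED_CLAIMS)):
        decoded = decode_claims(make_unsigned_jwt(claims))
        print(name, classify_permissions(decoded), "Sites.Selected:", has_sites_selected(decoded))
    print(json.dumps(sites_selected_grant_body(PLACEHOLDER_APP_ID, "python-uploader", "write")))
```

The practical consequence for the question above: with one app and delegated permissions every call runs as the signed-in user, so each user needs an interactive sign-in and the app can never do more than that user; with an app-only registration and `Sites.Selected`, no user is involved, but the app can only reach the sites an admin explicitly granted, one `POST` per site.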
Hi, I'm an intern and I was asked to integrate one of the company apps that is on Oracle APEX new version with active directory, how can I register an app from oracle apex in azure AD? Please help!
Hmm, your comment just popped up here. For non-Microsoft apps, the vendor (Oracle, in this case) will generally provide instructions for app registration in Azure AD in their documentation.
Awesome work Peter!
Amazing explanation! It is not clear to me what the difference is between a service principal and a managed service identity. It seems like they solve the same problems, allowing a user or an app to securely access other resources in Azure, but what is the difference? What is the key difference that would make me choose one or the other? Please explain.
Sorry for the delayed reply, your comment was incorrectly flagged by RUclips as spam. Managed identities came along after service principals and are the preferred approach. Use system identities on services that support them, as they are auto-created and auto-removed along with the service they are tied to. User-assigned managed identities are created independently of a resource, but you have to delete them manually (less convenient). You could say the difference between a managed identity and a service principal is that a managed identity "manages" the creation and automatic renewal of a service principal on your behalf.
Thanks for the video. I am looking to bring Azure AD to my app (React + Spring Boot), but I'm not sure what will be best suited for me (Azure AD B2C, Azure AD B2B, etc.), as my app has the functionality to register a new user (name, email address (any domain email address) and password) and log in. Any advice or pointers on this, please?
It depends. Are you expecting users to authenticate with a work identity (Azure AD or federated) or social identity (Facebook, Google, etc). If the first, look at Azure AD B2B. If the latter, Azure AD B2C.
@InsideCloudAndSecurity Thanks for the answer, I am still a bit unsure. For my scenario, I would like the user to sign up with any email ID (abc@xyz.com), and I am looking to save that email in the backend (Spring + MySQL DB) as well and then map that email as the primary key for that customer in the DB.
Great presentation!
Thank you kindly!
Thank you for your video. Assume that we have an application (BE and FE) which is deployed via Azure DevOps. What happens if the app registration secret expires? Do we have to do something, or do we just renew the secret of the app registration? After we renew the secret, do we have to update something else? Thank you in advance.
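Added example for the secret-expiry question above; it is not a reply from the video author. When a client secret expires, token requests that present it fail, so the pipeline or app that holds the secret stops authenticating. Renewal is done on the app registration, and the new secret value must then be placed wherever the old one was stored (pipeline variable, Key Vault, app settings). The script below audits for that situation ahead of time: it takes records in the shape that `az ad app list` returns (assumption: `appId`, `displayName` and `passwordCredentials[].endDateTime` as ISO-8601 UTC), and flags secrets that are expired or within a warning window. The app data is constructed for the example.

```python
from datetime import datetime, timezone

# Constructed sample in the shape of `az ad app list` output (assumption about
# field names; values are fictional).
SAMPLE_APPS = [
    {
        "appId": "aaaaaaaa-0000-0000-0000-000000000001",
        "displayName": "frontend-prod",
        "passwordCredentials": [
            {"keyId": "k1", "displayName": "pipeline", "endDateTime": "2024-06-15T00:00:00Z"},
            {"keyId": "k2", "displayName": "pipeline-new", "endDateTime": "2025-06-01T00:00:00Z"},
        ],
    },
    {
        "appId": "aaaaaaaa-0000-0000-0000-000000000002",
        "displayName": "backend-prod",
        "passwordCredentials": [
            {"keyId": "k3", "displayName": "api", "endDateTime": "2024-05-01T00:00:00.1234567Z"},
        ],
    },
    {
        # An app that authenticates with a managed identity has no secret to rotate.
        "appId": "aaaaaaaa-0000-0000-0000-000000000003",
        "displayName": "worker-mi",
        "passwordCredentials": [],
    },
]


def parse_graph_time(value: str) -> datetime:
    """Parse Graph's ISO-8601 UTC timestamps, with or without fractional seconds."""
    value = value.rstrip("Z")
    if "." in value:
        value = value.split(".", 1)[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def audit_secrets(apps: list, now: datetime, warn_days: int = 30) -> list:
    """Return expired or soon-to-expire client secrets, soonest first.

    Each finding records the app, the secret's keyId (never the secret value,
    which Azure AD does not return after creation anyway) and days remaining.
    """
    findings = []
    for app in apps:
        for cred in app.get("passwordCredentials", []):
            end = parse_graph_time(cred["endDateTime"])
            days_left = (end - now).days
            if days_left < 0:
                status = "expired"
            elif days_left <= warn_days:
                status = "expiring"
            else:
                continue
            findings.append({
                "app": app["displayName"],
                "appId": app["appId"],
                "keyId": cred["keyId"],
                "secret": cred.get("displayName", ""),
                "days_left": days_left,
                "status": status,
            })
    return sorted(findings, key=lambda f: f["days_left"])


def apps_without_secrets(apps: list) -> list:
    """Apps with no client secret at all (candidates already on managed identity)."""
    return [a["displayName"] for a in apps if not a.get("passwordCredentials")]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for f in audit_secrets(SAMPLE_APPS, now):
        print(f"{f['status']:8} {f['app']:15} keyId={f['keyId']} days_left={f['days_left']}")
    print("no secrets:", apps_without_secrets(SAMPLE_APPS))
```

To rotate without an outage, add the replacement secret first (`az ad app credential reset --id <appId> --append` keeps the existing secret valid), update the consumer with the new value, confirm tokens are being issued, and only then delete the old credential by its keyId. An app running on a managed identity has nothing in `passwordCredentials` and skips this cycle entirely.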
Liked consent explanation. Thanks
Thanks. Hope it helps! 👍
Best explanation I found so far. I'm looking into converting a LOB app hosted in Azure to use SSO with AAD. Ideally, we'd allow external users to continue using the authentication in place for the website (it has its own database and sends a code for MFA), but if it detects that an internal employee is logging in, we want it to detect that using the domain and then trigger the SSO process using AAD.
Hopefully my explanation is clear enough, but do you know if that's possible? Any other resources you could point me to for this?
Sounds a bit more complicated as you have a custom authentication strategy. Some high-level guidance from Microsoft starts here - docs.microsoft.com/en-us/azure/active-directory/fundamentals/five-steps-to-full-application-integration-with-azure-ad
amazing explanation.. loved it, thank you.
Glad you liked it!
Thank you for your video. IT was very helpful and informative
You are welcome!
Very well explained. Thank you
Thanks! 👍
Which subscription do we need for app registration, an Office 365 subscription or an Azure subscription?
Sorry, your comment got automatically pushed into a moderation bucket. This is a feature of Azure AD, so you don't need an Azure sub or Office 365 to use this feature.
Thanks. This was short and helpful.
Glad it helped!
I feel so stupid for not knowing that an enterprise app object is created when configuring an app reg. Doh!
Don't. App registration is tough for EVERYONE! 😉
Thanks for explaining.
tyvm! earned yourself a sub
Glad it helped. 👍
Thank you!
You bet!