Sunday, March 16, 2025

Understanding Azure App Registration and Client Secrets in Real-Life Scenarios


CONTENT

Introduction
What is Azure App Registration?
Understanding Client Secrets
Real Business Scenario
Best Practices for App Registration and Client Secrets
Conclusion

INTRODUCTION

Modern businesses rely on cloud-based applications like Dynamics 365, Power Apps, and various third-party services. To ensure seamless integration, secure authentication, and automated data access, organizations need a structured approach. Azure App Registration, a component of Microsoft Entra ID (formerly Azure Active Directory), plays a crucial role in enabling applications to authenticate securely without manual user intervention.

This article provides a practical understanding of Azure App Registration and Client Secrets, explaining their significance, implementation, and real-world applications. You will learn:

  • Why Azure App Registration is a must for modern business apps
  • How Client Secrets facilitate secure authentication
  • A real-life example demonstrating automation using these technologies
  • Best practices to enhance security and operational efficiency

Let's get started.

WHAT IS AZURE APP REGISTRATION?

Azure App Registration provides a secure method for applications to authenticate and interact with Microsoft services such as Dynamics 365, Microsoft 365, and Azure resources. By registering an application in Microsoft Entra ID, you establish its identity and enable secure API access:
  • Client ID: A unique identifier for the registered application, like a driver’s license number.
  • Client Secret: A confidential key used for authentication (similar to a password for the application).
  • Tenant ID: A unique identifier that associates the application with an organization’s Microsoft Entra ID directory.
Why Does Your Business Need It?
Businesses rely on secure, automated data exchange between applications to reduce manual work and improve efficiency. Without a structured authentication method, organizations often resort to insecure or inefficient workarounds, such as shared passwords or manual exports.

Azure App Registration ensures:
  • Automated Access – Business applications can retrieve and update data without user intervention.
  • Stronger Security – Eliminates the risks of storing user credentials in applications.
  • Seamless Integration – Power Apps, Power BI, and third-party tools can connect securely to Microsoft services.
  • Regulatory Compliance – Ensures controlled access to sensitive data, supporting SOX and GDPR requirements.
By implementing Azure App Registration, businesses can streamline operations while maintaining security and compliance.

UNDERSTANDING CLIENT SECRETS

A Client Secret is a confidential key used by an application to authenticate itself when requesting access to Microsoft services. Unlike a user's password, a Client Secret is used for application-only authentication, meaning the app, not a person, is granted access to resources.

How Authentication Works with Client Secrets
When an application wants to connect to a Microsoft service (such as Dynamics 365 or Microsoft Graph API), it follows these steps:

1. The application sends a request to the Microsoft Entra ID token endpoint, including:
  • Client ID (to identify the app)
  • Client Secret (to prove its identity)
  • Tenant ID (to specify the organization’s Azure directory)
  • Scope (defining the level of access requested)
2. Microsoft Entra ID verifies the credentials and, if valid, issues an OAuth 2.0 access token.
3. The application uses this token to securely interact with Microsoft services (e.g., retrieving user-role data from D365FO).
4. The access token expires after a set period, requiring the app to request a new token using the same process.

Security Considerations
  • Do not store Client Secrets in source code or environment variables.
  • Use Azure Key Vault to store and manage Client Secrets securely.
  • Implement token expiration policies and regularly rotate secrets.
  • Consider Managed Identities as a more secure alternative for Azure-hosted applications, eliminating the need for Client Secrets altogether.

REAL BUSINESS SCENARIO

Let’s dive into a scenario of how companies use Azure App Registration and Client Secrets to tackle real-world problems.

Scenario: Automating D365FO User Access Reviews

Problem Statement: A financial services company using Dynamics 365 Finance & Operations (D365FO) needs to conduct periodic user access reviews for SOX compliance. The challenges include:
  • User-role assignments must be reviewed periodically, but manually exporting the data is time-consuming.
  • IT cannot grant auditors direct access to sensitive security data.
  • Managers require an intuitive way to review and approve access assignments without using complex processes/reports.
Solution: Automating Access Reviews with Power Platform
The company needs an automated process to extract user-role assignments, store them in Power Apps for review, and visualize them in Power BI for compliance reporting. By leveraging Azure App Registration, Power Automate, and Power BI, the company automates user access reviews as follows: the solution automatically extracts user-role assignments from D365FO, stores them in Dataverse (Power Apps Table), and provides a Power BI dashboard for monitoring.

Main solution steps are as follows:
  • Register an App in Azure AD for Secure Access
  • Extract User-Role Assignments from D365FO
  • Store and Process Data in Power Apps
  • Generate Power BI Dashboards for Compliance Teams
Step 1: Register an App in Azure AD for Secure Access

To access D365FO data via APIs, we need to register an application in Azure AD.

1. Go to Azure AD:
  • Click + Add > App registration.

2. Register the App:
  • Name: D365FO User Access Review App
  • Supported account types: Choose Single Tenant (if internal) or Multi-Tenant (if external users need access). This selection determines whether only applications in your own tenant, or also third-party applications, can communicate with the app. Select Single Tenant for internal use.
  • Redirect URI (optional): Leave this field blank, as it is not required for this scenario. It is only needed in user login scenarios where a Power App relies on a human user signing in with their own Microsoft credentials (e.g., their D365FO or Microsoft 365 login) to access data. In contrast, this setup involves the app running independently with its own credentials (Client ID and Secret). Technically, such user-based authentication falls under a “delegated permissions” scenario, where the app acts on behalf of the user by using their identity to authenticate.
  • Click Register.

3. Grant API Permissions for D365 Finance and Operations Access:
  • Go to API Permissions > + Add a permission
  • Select Dynamics ERP.
  • Choose permission type:
    • Application Permissions: Use this if your Power App runs without a user logging in (e.g., a Power Automate flow pulling data automatically). This is “app-only” access, using the Client ID and Secret. This fits best in our scenario.
    • Delegated Permissions: Use this if a user signs into the Power App and it pulls data on their behalf (e.g., they click a button to refresh the list). This uses the user’s login.
  • Go to API Permissions > + Add a permission
  • Select the permission level.
  • Click Add permissions.
  • Grant admin consent: Azure AD requires an admin to approve these permissions before they’re active. This ensures only authorized apps get access to D365FO. 
    • If you are admin, click Grant admin consent for <your tenant>.
4. Generate Authentication Credentials
  • Go to Certificates & secrets > Client secrets.
  • Click + New client secret.
  • Set an expiration date.
  • Click Add.
  • Copy the Secret Value. It won't be visible later.
5. Store the Credentials Securely
  • Save Client ID, Tenant ID, and Client Secret in a secure location (Azure Key Vault recommended).
Step 2: Extract User-Role Assignments from D365FO

Once the Azure AD app is registered, you can extract security role assignments from D365FO using data entities.

1. Identify the Data Entity:
  • Use System administration >> Data management workspace in D365FO.
  • Locate the entity "Security user role association" (SecurityUserRoleAssociations).
2. Export data manually for testing.
3. Automate data extraction
  • Use the OAuth 2.0 token obtained from Microsoft Entra ID.
  • Call the OData API endpoint to fetch security role data.
Automate data extraction with OData API: Power Apps (or any external service) needs to use OAuth 2.0 authentication to securely access the SecurityUserRoleAssociations data entity in D365 Finance & Operations (D365FO).
  • You must obtain an OAuth 2.0 access token from the Entra ID token endpoint using your Client ID, Client Secret, and Tenant ID before making API calls to D365FO.
  • Extract data in JSON or CSV format for further processing.
4. Schedule Automated Extraction
  • Schedule periodic data extraction using Power Automate or Azure Logic Apps.
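The token flow described under "How Authentication Works with Client Secrets" and the OData extraction in Step 2, written out as an added Python example (this is not code from the original post). It assumes the Entra ID v2.0 token endpoint at https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token, the D365FO OData root at {environment_url}/data with @odata.nextLink paging, and the entity field names UserId and SecurityRoleName; the HTTP callables are injectable so the token caching and paging can be exercised offline, and the secret is passed in at runtime (from Key Vault, per the guidance above) rather than hard-coded.

```python
"""Client-credentials token acquisition and an OData call to D365FO.

Added example; it is not code from the original post. Assumptions:
  * Entra ID v2.0 token endpoint: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
  * D365FO OData root: {environment_url}/data, paged with @odata.nextLink
  * entity fields UserId and SecurityRoleName (assumed names, check your environment)
  * the HTTP callables are injectable so the flow can be exercised offline
"""
import json
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def build_token_request(tenant_id: str, client_id: str, client_secret: str, d365fo_url: str):
    """Return (url, url-encoded body) for the OAuth 2.0 client-credentials grant."""
    url = TOKEN_ENDPOINT.format(tenant=tenant_id)
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # /.default requests the application permissions an admin consented to
        # for this resource (app-only access, no signed-in user)
        "scope": d365fo_url.rstrip("/") + "/.default",
    }
    return url, urllib.parse.urlencode(form).encode()


def http_post_form(url: str, body: bytes) -> dict:
    """Real transport: POST a form body and parse the JSON reply."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def http_get_json(url: str, headers: dict) -> dict:
    """Real transport: GET with the bearer token and parse the JSON reply."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


@dataclass
class TokenCache:
    """Holds one access token and re-requests it shortly before it expires (step 4 above)."""
    tenant_id: str
    client_id: str
    client_secret: str          # load from Key Vault at runtime, never hard-code
    d365fo_url: str
    post: Callable[[str, bytes], dict] = http_post_form
    clock: Callable[[], float] = time.time
    refresh_margin: int = 60    # seconds before expiry at which a new token is requested
    requests_made: int = 0
    _token: Optional[str] = None
    _expires_at: float = 0.0

    def get_token(self) -> str:
        if self._token is None or self.clock() >= self._expires_at - self.refresh_margin:
            url, body = build_token_request(self.tenant_id, self.client_id,
                                            self.client_secret, self.d365fo_url)
            reply = self.post(url, body)
            if "access_token" not in reply:
                # Entra ID returns error / error_description on a bad secret or missing consent
                raise RuntimeError(f"token request failed: {reply.get('error')}: "
                                   f"{reply.get('error_description')}")
            self._token = reply["access_token"]
            self._expires_at = self.clock() + int(reply.get("expires_in", 3600))
            self.requests_made += 1
        return self._token


def build_odata_url(d365fo_url: str, entity: str, select=None, filter_expr=None) -> str:
    """Build {env}/data/{entity}?$select=...&$filter=... with OData-friendly encoding."""
    params = {}
    if select:
        params["$select"] = ",".join(select)
    if filter_expr:
        params["$filter"] = filter_expr
    query = urllib.parse.urlencode(params, safe="$,'()", quote_via=urllib.parse.quote)
    return f"{d365fo_url.rstrip('/')}/data/{entity}" + (f"?{query}" if query else "")


def fetch_entity(cache: TokenCache, entity: str, http_get=http_get_json,
                 select=None, filter_expr=None) -> list:
    """Read every record of an entity, following @odata.nextLink until the last page."""
    url = build_odata_url(cache.d365fo_url, entity, select, filter_expr)
    records = []
    while url:
        headers = {"Authorization": "Bearer " + cache.get_token(), "Accept": "application/json"}
        page = http_get(url, headers)
        records.extend(page.get("value", []))
        url = page.get("@odata.nextLink")   # absent on the final page
    return records


if __name__ == "__main__":
    # Placeholders only; real values come from the app registration and Key Vault.
    cache = TokenCache("<tenant-id>", "<client-id>", "<client-secret-from-key-vault>",
                       "https://<environment>.operations.dynamics.com")
    rows = fetch_entity(cache, "SecurityUserRoleAssociations",
                        select=["UserId", "SecurityRoleName"])
    print(f"{len(rows)} role assignments extracted")
```

The token is requested once and reused across pages; a new request is made only when the cached token is within the refresh margin of its expiry, which is the re-authentication loop described in step 4 of the authentication flow. A failed token request surfaces the error and error_description fields Entra ID returns, which is where a wrong secret or a permission without admin consent shows up.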
Step 3: Store and Process Data in Power Apps

1. Use Dataverse to store extracted data securely.
2. Create a Power App that allows compliance teams to:
  • Review user-role assignments (by sending D365FO security data to Power Apps) in an interactive interface.
  • Approve or reject access changes based on predefined policies.
3. Automate Review Notifications: Use Power Automate to trigger notifications to compliance teams:
  • Send alerts when new roles are assigned.
  • Flag high-risk role assignments for immediate review.
  • Generate audit logs for tracking access reviews.
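The review logic behind step 3, as an added Python example (not code from the original post): it groups extracted role assignments per user, flags high-risk roles, segregation-of-duties conflicts and users with excessive roles for immediate review, and diffs two scheduled extracts to produce the "new role assigned" alerts. The role names, high-risk list, SoD pairs, threshold and sample extracts are constructed illustrations, not D365FO or company policy values, and the record fields UserId and SecurityRoleName are assumed names.

```python
"""Flagging D365FO role assignments for review and alerting on new ones.

Added example; it is not code from the original post. The role names, the
high-risk list, the segregation-of-duties (SoD) pairs and the threshold below
are constructed illustrations, not D365FO or company policy values; the record
fields UserId and SecurityRoleName are assumed names.
"""
from collections import defaultdict

HIGH_RISK_ROLES = {"System administrator", "Security administrator"}          # constructed
SOD_CONFLICTS = [frozenset({"Accounts payable clerk", "Vendor maintainer"})]  # constructed
MAX_ROLES_PER_USER = 3                                                         # constructed


def roles_by_user(assignments):
    """Group extracted rows into {UserId: set(SecurityRoleName)}."""
    users = defaultdict(set)
    for row in assignments:
        users[row["UserId"]].add(row["SecurityRoleName"])
    return dict(users)


def review_findings(assignments, high_risk=HIGH_RISK_ROLES, sod=SOD_CONFLICTS,
                    max_roles=MAX_ROLES_PER_USER):
    """Return the findings a reviewer should look at first, ordered by user."""
    findings = []
    for user, roles in sorted(roles_by_user(assignments).items()):
        for role in sorted(roles & high_risk):
            findings.append({"user": user, "kind": "high_risk_role", "detail": role})
        for pair in sod:
            if pair <= roles:   # the user holds both sides of a conflicting pair
                findings.append({"user": user, "kind": "sod_conflict",
                                 "detail": " + ".join(sorted(pair))})
        if len(roles) > max_roles:
            findings.append({"user": user, "kind": "excessive_roles",
                             "detail": f"{len(roles)} roles (limit {max_roles})"})
    return findings


def new_assignments(previous, current):
    """Rows in the current extract that were absent from the previous one."""
    seen = {(r["UserId"], r["SecurityRoleName"]) for r in previous}
    return [r for r in current if (r["UserId"], r["SecurityRoleName"]) not in seen]


# Constructed sample extracts from two scheduled runs
PREVIOUS_EXTRACT = [
    {"UserId": "alice", "SecurityRoleName": "System administrator"},
    {"UserId": "bob", "SecurityRoleName": "Accounts payable clerk"},
    {"UserId": "carol", "SecurityRoleName": "Sales clerk"},
]
CURRENT_EXTRACT = PREVIOUS_EXTRACT + [
    {"UserId": "bob", "SecurityRoleName": "Vendor maintainer"},
    {"UserId": "carol", "SecurityRoleName": "Purchasing agent"},
    {"UserId": "carol", "SecurityRoleName": "Warehouse worker"},
    {"UserId": "carol", "SecurityRoleName": "Budget clerk"},
]

if __name__ == "__main__":
    for f in review_findings(CURRENT_EXTRACT):
        print(f"{f['kind']:16} {f['user']:8} {f['detail']}")
    for r in new_assignments(PREVIOUS_EXTRACT, CURRENT_EXTRACT):
        print(f"new assignment   {r['UserId']:8} {r['SecurityRoleName']}")
```

The findings list is what a Power Automate flow would turn into notifications and what the audit log should record for each review cycle; keeping the previous extract lets the same run distinguish newly granted roles from long-standing ones.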
Step 4: Generate Power BI Dashboards for Compliance Teams

1. Connect Power BI to Dataverse to visualize access review data dynamically.
2. Create Key Reports displaying:
  • Users with excessive roles.
  • Pending access approvals by managers.
  • Trends in security role assignments over time.
3. Enable Automated Report Generation
  • Set up scheduled reports for audit teams.
  • Generate compliance reports with key risk indicators.

BEST PRACTICES FOR APP REGISTRATION AND CLIENT SECRETS

1. Use Azure Key Vault to store Client Secrets securely.
2. Enable Role-Based Access Control (RBAC) to restrict secret access.
3. Implement token expiration policies and rotate Client Secrets periodically.
4. Prefer Managed Identities for Azure-hosted applications to avoid using Client Secrets.
5. Use Conditional Access Policies to limit app access based on security conditions.

CONCLUSION

Azure App Registration and Client Secrets play a vital role in enabling secure, automated application authentication in Microsoft environments. By understanding how to configure them properly and following best practices, businesses can streamline operations, enhance security, and ensure compliance.

Through real-world scenarios like automating D365FO user access reviews, organizations can see the tangible benefits of leveraging these technologies efficiently. With proper implementation and security controls, Azure App Registration provides a robust solution for modern enterprise applications.
