Creating a Custom Entra ID (Azure AD) Application

Note：Microsoft はAzure AD をEntra ID にリブランドしました。ユーザーがEntra ID 管理サイトを操作する必要があるトピックでは、Microsoft が使用している名称と同じものを使用します。ただし、名前または値が"Azure AD" を参照しているCData 接続プロパティは、依然として存在します。

CData embeds OAuth Application Credentials with CData branding that can be used when using Azure to connect via either a Desktop Application or a Headless Machine. However, in all cases, connecting to Azure via a Web application requires creating a custom OAuth application. You might also want to create a custom OAuth application to:

• Control the branding of the authentication dialog
• Set a specific redirect URI
• Request more granular or restricted permissions

Registering an Application in the Azure Portal

To obtain OAuth values for your app, the OAuthClientId and OAuthClientSecret, and register a custom OAuth application:

1. Log in to the Azure Portal.
2. In the left-hand navigation pane, navigate to Microsoft Entra ID > App registrations > New registration.
3. Enter an application name.
4. Under Supported account types, choose one of the following:
   • Accounts in this organizational directory only (Single tenant), or
   • Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) if you will connect across tenants
5. Under Redirect URI (optional), set:
   • Type: Web
   • Value: http://localhost:33333 (the default used by the 本製品) or your own secure redirect URI
6. Click Register.

The Portal creates the new application.

Creating a Client Secret

1. After registration, go to Certificates & secrets.
2. Click New client secret, enter a description and expiration period.
3. Click Add and copy the value. This is your OAuthClientSecret.

Assigning API Permissions

1. Navigate to API permissions > Add a permission.
2. Select:
   • Microsoft Graph > Delegated permissions > offline_access
   • SharePoint > Delegated permissions > ProjectWebApp.FullControl and AllSites.FullControl
3. If required, click Grant admin consent for your organization.

Note: You can override these permissions by setting a custom Scope in your connection string.

Granting Admin Consent for API Permissions

Some Microsoft Entra ID (Azure AD) permissions such as ProjectWebApp.FullControl require administrator consent before an application can use them. If your application includes these permissions, an administrator must explicitly approve them before users can authenticate successfully.

You can grant admin consent by:

1. Opening your application in App registrations in the Azure Portal.
2. Navigating to the API permissions section.
3. Clicking Grant admin consent and confirming the action.

Once consent is granted, your application can request tokens and access the requested resources on behalf of users or in the context of the app depending on whether you're using Delegated or Application permissions.

Note: The CData embedded application does not include permissions that require admin consent. This process is only necessary if you are registering a custom OAuth application and requesting admin-level scopes. If you're not an administrator, you must contact someone who has admin rights in your organization to complete this step.