Creating a Custom Entra ID (Azure AD) Application
Note: Microsoft has rebranded Azure AD as Entra ID. In topics that require the user to interact with the Entra ID Admin site, we use the same names Microsoft does. However, there are still CData connection properties whose names or values reference "Azure AD".
CData embeds OAuth application credentials (with CData branding) that you can use to connect to Azure from a desktop application or from a headless machine. Connecting to Azure from a Web application, however, always requires creating a custom OAuth application.
You might also want to create a custom OAuth application to:
- Control the branding of the authentication dialog
- Set a specific redirect URI
- Request more granular or restricted permissions
Registering an Application in the Azure Portal
To obtain the OAuth values for your app (the OAuthClientId and OAuthClientSecret), register a custom OAuth application as follows:
- Log in to the Azure Portal.
- In the left-hand navigation pane, navigate to Microsoft Entra ID > App registrations > New registration.
- Enter an application name.
- Under Supported account types, choose one of the following:
  - Accounts in this organizational directory only (Single tenant), or
  - Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) if you will connect across tenants
- Under Redirect URI (optional), set:
  - Type: Web
  - Value: http://localhost:33333 (the default used by the cmdlet) or your own secure redirect URI
- Click Register.
The Portal creates the new application. Copy the Application (client) ID shown on the application's Overview page; this is your OAuthClientId.
Creating a Client Secret
- After registration, go to Certificates & secrets.
- Click New client secret, enter a description and expiration period.
- Click Add and copy the value immediately; the Portal shows it only once. This is your OAuthClientSecret.
Assigning API Permissions
- Navigate to API permissions > Add a permission.
- Select:
  - Microsoft Graph > Delegated permissions > offline_access
  - SharePoint > Delegated permissions > ProjectWebApp.FullControl and AllSites.FullControl
- If required, click Grant admin consent for your organization.
Note: You can override these permissions by setting a custom Scope in your connection string.
Granting Admin Consent for API Permissions
Some Microsoft Entra ID (Azure AD) permissions such as ProjectWebApp.FullControl require administrator consent before an application can use them. If your application includes these permissions, an administrator must explicitly approve them before users can authenticate successfully.
You can grant admin consent by:
- Opening your application in App registrations in the Azure Portal.
- Navigating to the API permissions section.
- Clicking Grant admin consent and confirming the action.
Once consent is granted, your application can request tokens and access the requested resources, either on behalf of users or in the context of the app itself, depending on whether you are using Delegated or Application permissions.
Note: The CData embedded application does not include permissions that require admin consent. This process is only necessary if you are registering a custom OAuth application and requesting admin-level scopes. If you're not an administrator, you must contact someone who has admin rights in your organization to complete this step.
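The registration, client secret, API permissions and admin consent described above can also be created from a script, which makes the settings reviewable and repeatable. The following PowerShell is an added example and is not CData's or Microsoft's code; it uses the Microsoft Graph PowerShell SDK (Connect-MgGraph, New-MgApplication, Add-MgApplicationPassword, New-MgServicePrincipal, New-MgOauth2PermissionGrant) and assumes a signed-in user who is allowed to create app registrations and grant consent. The display name, secret description and six-month secret lifetime are hypothetical values; the well-known resource application IDs for Microsoft Graph and SharePoint Online are fixed across tenants, while the permission IDs are looked up by name rather than hard-coded.

```powershell
# Added example: register the custom OAuth application from this page with the
# Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) instead of the Portal.
# Hypothetical values: display name, secret description and lifetime.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "DelegatedPermissionGrant.ReadWrite.All" -NoWelcome

# Well-known resource application IDs (the same in every tenant).
$graphAppId      = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph
$sharePointAppId = "00000003-0000-0ff1-ce00-000000000000"   # Office 365 SharePoint Online

# Resolve delegated scope names to their IDs from the resource's service principal,
# so the script fails loudly on a typo instead of requesting the wrong permission.
function Get-DelegatedScopeIds {
    param([string]$ResourceAppId, [string[]]$ScopeNames)
    $sp = Get-MgServicePrincipal -Filter "appId eq '$ResourceAppId'"
    foreach ($name in $ScopeNames) {
        $scope = $sp.Oauth2PermissionScopes | Where-Object { $_.Value -eq $name }
        if (-not $scope) { throw "Delegated scope '$name' not found on resource $ResourceAppId" }
        @{ Id = $scope.Id; Type = "Scope" }   # Type "Scope" = delegated permission
    }
}

# The permissions listed on this page: Graph offline_access plus the two SharePoint scopes.
$requiredResourceAccess = @(
    @{ ResourceAppId  = $graphAppId
       ResourceAccess = @(Get-DelegatedScopeIds $graphAppId @("offline_access")) },
    @{ ResourceAppId  = $sharePointAppId
       ResourceAccess = @(Get-DelegatedScopeIds $sharePointAppId @("ProjectWebApp.FullControl", "AllSites.FullControl")) }
)

# 1. Register the application: single tenant ("Accounts in this organizational directory only")
#    with a Web redirect URI matching the cmdlet default.
$app = New-MgApplication -DisplayName "CData Project Connector (example)" `
    -SignInAudience "AzureADMyOrg" `
    -Web @{ RedirectUris = @("http://localhost:33333") } `
    -RequiredResourceAccess $requiredResourceAccess

# 2. Create a client secret. SecretText is returned only here; it cannot be read back later.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = "cdata-connection"
    EndDateTime = (Get-Date).AddMonths(6)
}

# 3. Grant tenant-wide admin consent for the delegated scopes (the Portal's
#    "Grant admin consent" button): one OAuth2 permission grant per resource,
#    issued against the application's own service principal.
$clientSp = New-MgServicePrincipal -AppId $app.AppId
$grants = @(
    @{ AppId = $graphAppId;      Scope = "offline_access" },
    @{ AppId = $sharePointAppId; Scope = "ProjectWebApp.FullControl AllSites.FullControl" }
)
foreach ($grant in $grants) {
    $resourceSp = Get-MgServicePrincipal -Filter "appId eq '$($grant.AppId)'"
    New-MgOauth2PermissionGrant -ClientId $clientSp.Id -ConsentType "AllPrincipals" `
        -ResourceId $resourceSp.Id -Scope $grant.Scope | Out-Null
}

# The two values the CData connection string needs.
[pscustomobject]@{
    OAuthClientId     = $app.AppId
    OAuthClientSecret = $secret.SecretText
}
```

Step 3 requires the same administrator rights as the Portal button; run the script without it (or with step 3 removed) if you are not an administrator and hand the OAuthClientId to someone who can grant consent. The returned OAuthClientSecret is the only copy you will get, so place it in your secret store straight away rather than leaving it in the console transcript, and re-run step 2 before the EndDateTime you chose to rotate it.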