Programmatic Azure AD Application Discovery

Christopher Oyesiku 1 Reputation point
2021-04-12T23:49:18.843+00:00

I have a service that will be registered in Azure AD as an App. It will have one app registration per region (West US, East US, etc.). Clients calling this service need to acquire an access token. The audience of the access token MUST be the corresponding service for the region. The services are segregated regionally so that an access token for a service in one region cannot be used to access the service in another region. This is by design.

Is there a proper way/recommended best practice for the application discovery?

I have explored the idea of using Graph API. In the model:

  1. Each of the registered services will be created using a templatized naming convention e.g. <region name>-<service name>. There is a concern here that without proper coordination within the tenant where these apps are being registered, we could end up with a name collision.
  2. A “discovery app” (application registered for the sole purpose of usage for discovery) will have Application.Read permission on the Graph API. Authentication here will be based on an X509 certificate for greater security.
  3. Using an access token acquired against the discovery app, Client will query Graph API for the intended service app audience matching on the name. Once that app info is obtained, we’ll have the service app id. Again, concern from #1 above still stands - another application registered with same name will also be found.
  4. Client will then use service app id obtained to acquire an access token to talk to the service.

Any help/direction would be much appreciated. I want to make sure I am not re-inventing the wheel if there is already an appropriate pattern for doing this.


1 answer

  1. Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
    2021-05-12T23:13:19.31+00:00

    There is no recommended way exactly, but the way you described is definitely doable.

    It looks like you asked this on Stack Overflow as well, and I agree with the suggestion there of adding the app registrations into a security group, using a filter, and leveraging Microsoft Graph to list the applications with the filter.

    If you are following a particular guide, you can also create a documentation request to add more details around best practices for this, though there isn't really a determined method right now.

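An added example, not code from either poster, of the discovery flow above in Python: name matching per the question's `<region name>-<service name>` convention, narrowed to registrations in a security group as the answer suggests, with the name-collision case refused rather than silently resolved. The app registrations, the group membership and the hypothetical `orders` service are all constructed sample data, not real tenant objects.

```python
"""Region-scoped app discovery with collision handling (added example, constructed data)."""


class DiscoveryError(Exception):
    """Raised when discovery cannot name exactly one trusted registration."""


# Constructed sample shaped like the "value" array of GET /applications (not real tenant data).
SAMPLE_APPS = [
    {"appId": "11111111-1111-4111-8111-111111111111", "displayName": "westus-orders"},
    {"appId": "22222222-2222-4222-8222-222222222222", "displayName": "eastus-orders"},
    # A second registration reusing the West US name: the collision the question worries about.
    {"appId": "33333333-3333-4333-8333-333333333333", "displayName": "westus-orders"},
]

# Constructed appIds of the registrations placed in the security group the answer suggests.
SAMPLE_TRUSTED = {
    "11111111-1111-4111-8111-111111111111",
    "22222222-2222-4222-8222-222222222222",
}


def service_name(region: str, service: str) -> str:
    """Apply the <region name>-<service name> convention from the question."""
    return f"{region}-{service}"


def graph_filter(region: str, service: str) -> str:
    """OData $filter a client would send with GET /applications (single quotes doubled)."""
    escaped = service_name(region, service).replace("'", "''")
    return f"displayName eq '{escaped}'"


def find_by_name(apps, region, service):
    """Step 3 of the question: name-only matching. Returns every hit, collisions included."""
    name = service_name(region, service)
    return [a["appId"] for a in apps if a["displayName"] == name]


def discover_service_app(apps, trusted, region, service):
    """Name match narrowed to group members; refuse anything but exactly one trusted hit."""
    candidates = [aid for aid in find_by_name(apps, region, service) if aid in trusted]
    if not candidates:
        raise DiscoveryError(f"no trusted registration named {service_name(region, service)!r}")
    if len(candidates) > 1:
        raise DiscoveryError(f"ambiguous registrations: {candidates}")  # two trusted apps, one name
    return candidates[0]


def audience_matches(token_aud: str, expected_app_id: str) -> bool:
    """Service-side check: accept only tokens whose aud names this region's own registration."""
    return token_aud in (expected_app_id, f"api://{expected_app_id}")
```

The `audience_matches` check is what makes the regional segregation hold at the receiving service: a token discovered and acquired for West US carries that region's appId in `aud` and is rejected by East US.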