Daemon app that calls web APIs - app registration

For a daemon application, here's what you need to know when you register the app.

Supported account types

Daemon applications make sense only in Azure AD tenants. So when you create the application, choose one of the following options:

  • Accounts in this organizational directory only. This choice is the most common one because daemon applications are usually written by line-of-business (LOB) developers.
  • Accounts in any organizational directory. You'll make this choice if you're an ISV providing a utility tool to your customers. You'll need your customers' tenant admins to approve it.

Authentication - no reply URI needed

In the case where your confidential client application uses only the client credentials flow, the reply URI doesn't need to be registered. It's not needed for the application configuration or construction. The client credentials flow doesn't use it.

A daemon application can request only application permissions to APIs (not delegated permissions). On the API permissions page for the application registration, after you've selected Add a permission and chosen the API family, choose Application permissions, and then select your permissions.

App permissions and admin consent

Note

The web API that you want to call needs to define application permissions (app roles), not delegated permissions. For details on how to expose such an API, see Protected web API: App registration - when your web API is called by a daemon app.

Daemon applications require that a tenant admin pre-consent to the application calling the web API. Tenant admins provide this consent on the same API permission page by selecting Grant admin consent to our organization

If you're an ISV building a multitenant application, you should read the section Deployment - case of multitenant daemon apps.

Add a client secret or certificate

As with any confidential client application, you need to add a secret or certificate to act as that application's credentials so it can authenticate as itself, without user interaction.

You can add credentials to your client app's registration by using the Azure portal or by using a command-line tool like PowerShell.

Add client credentials by using the Azure portal

To add credentials to your confidential client application's app registration, follow the steps in Quickstart: Register an application with the Microsoft identity platform for the type of credential you want to add:

Add client credentials by using PowerShell

Alternatively, you can add credentials when you register your application with the Microsoft identity platform by using PowerShell.

The active-directory-dotnetcore-daemon-v2 code sample on GitHub shows how to add an application secret or certificate when registering an application:

Next steps

Move on to the next article in this scenario, App code configuration.