Daemon app that calls web APIs - app registration
For a daemon application, here's what you need to know when you register the app.
Supported account types
Daemon applications make sense only in Azure AD tenants. So when you create the application, choose one of the following options:
- Accounts in this organizational directory only. This choice is the most common one because daemon applications are usually written by line-of-business (LOB) developers.
- Accounts in any organizational directory. You'll make this choice if you're an ISV providing a utility tool to your customers. You'll need your customers' tenant admins to approve it.
Authentication - no reply URI needed
If your confidential client application uses only the client credentials flow, you don't need to register a reply URI: the client credentials flow never uses one, so it's not needed for the application's configuration or construction either.
API permissions - app permissions and admin consent
A daemon application can request only application permissions to APIs (not delegated permissions). On the API permissions page for the application registration, after you've selected Add a permission and chosen the API family, choose Application permissions, and then select your permissions.
The web API that you want to call needs to define application permissions (app roles), not delegated permissions. For details on how to expose such an API, see Protected web API: App registration - when your web API is called by a daemon app.
Daemon applications require that a tenant admin pre-consent to the application calling the web API. Tenant admins provide this consent on the same API permissions page by selecting Grant admin consent for our organization.
If you're an ISV building a multitenant application, you should read the section Deployment - case of multitenant daemon apps.
Add a client secret or certificate
As with any confidential client application, you need to add a secret or certificate to act as that application's credentials so it can authenticate as itself, without user interaction.
Add client credentials by using the Azure portal
To add credentials to your confidential client application's app registration, follow the steps in Quickstart: Register an application with the Microsoft identity platform for the type of credential you want to add:
Add client credentials by using PowerShell
Alternatively, you can add credentials when you register your application with the Microsoft identity platform by using PowerShell.
The active-directory-dotnetcore-daemon-v2 code sample on GitHub shows how to add an application secret or certificate when registering an application:
- For details on how to add a client secret with PowerShell, see AppCreationScripts/Configure.ps1.
- For details on how to add a certificate with PowerShell, see AppCreationScripts-withCert/Configure.ps1.
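The following script is an added example, not code from the active-directory-dotnetcore-daemon-v2 sample, that scripts the registration steps described on this page with the Microsoft Graph PowerShell SDK: an app that accepts accounts in this directory only, one application permission (app role, not a delegated scope) on Microsoft Graph, the admin consent grant, and a certificate credential. It assumes the Microsoft.Graph module is installed and, for New-SelfSignedCertificate, that it runs on Windows; the display name, certificate subject and the User.Read.All permission are placeholders.

```powershell
# Added example (not from the page's sample). Placeholder names; adjust before use.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"

$graphAppId = "00000003-0000-0000-c000-000000000000"   # well-known Microsoft Graph resource app id
$graphSp    = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"

# Resolve the *application* permission by value instead of hard-coding its id.
# Only roles that allow "Application" members can be requested by a daemon app.
$appRole = $graphSp.AppRoles |
    Where-Object { $_.Value -eq "User.Read.All" -and $_.AllowedMemberTypes -contains "Application" }

$params = @{
    DisplayName            = "contoso-daemon-placeholder"
    SignInAudience         = "AzureADMyOrg"     # "Accounts in this organizational directory only"
    RequiredResourceAccess = @(@{
        ResourceAppId  = $graphAppId
        # Type = "Role" is an application permission; "Scope" would be delegated (unusable here).
        ResourceAccess = @(@{ Id = $appRole.Id; Type = "Role" })
    })
}
$app = New-MgApplication @params

# The tenant needs a service principal for the app before any permission can be granted.
$sp = New-MgServicePrincipal -AppId $app.AppId

# Scripted equivalent of "Grant admin consent": an app role assignment from the daemon's
# service principal to the Microsoft Graph service principal for the chosen role.
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
    -ResourceId $graphSp.Id -AppRoleId $appRole.Id | Out-Null

# Certificate credential: the private key stays non-exportable in the local store and
# only the public certificate is uploaded to the registration.
$cert = New-SelfSignedCertificate -Subject "CN=contoso-daemon-placeholder" `
    -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy NonExportable `
    -KeySpec Signature -KeyLength 2048 -HashAlgorithm SHA256 -NotAfter (Get-Date).AddMonths(12)

$keyCredential = @{
    Type        = "AsymmetricX509Cert"
    Usage       = "Verify"
    Key         = $cert.RawData          # DER bytes of the public certificate
    DisplayName = "CN=contoso-daemon-placeholder"
}
# Note: this replaces the app's keyCredentials list; fine for a freshly created registration.
Update-MgApplication -ApplicationId $app.Id -KeyCredentials @($keyCredential)

"AppId: $($app.AppId)  Certificate thumbprint: $($cert.Thumbprint)"
```

The app ID and thumbprint printed at the end are the values the next article's app code configuration consumes; the secret-based variant would call Add-MgApplicationPassword instead of uploading a certificate.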
Move on to the next article in this scenario, App code configuration.