Create an app registration to use with Azure Digital Twins (portal)

When working with an Azure Digital Twins instance, it's common to interact with that instance through client applications, such as the custom client app built in Code a client app. Those applications need to authenticate with Azure Digital Twins to interact with it, and some of the authentication mechanisms that apps can use involve an Azure Active Directory (Azure AD) app registration.

The app registration isn't required for all authentication scenarios. However, if you're using an authentication strategy or code sample that does require an app registration, this article shows you how to set one up using the Azure portal. It also covers how to collect important values that you'll need to use the app registration to authenticate.

Azure AD app registrations

Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service. Setting up an app registration in Azure AD is one way to grant a client app access to Azure Digital Twins.

This app registration is where you configure access permissions to the Azure Digital Twins APIs. Later, client apps can authenticate against the app registration using the registration's client and tenant ID values, and as a result be granted the configured access permissions to the APIs.

Tip

You may prefer to set up a new app registration every time you need one, or to do this only once, establishing a single app registration that will be shared among all scenarios that require it.

Create the registration

Start by navigating to Azure Active Directory in the Azure portal (you can use this link or find it with the portal search bar). Select App registrations from the service menu, and then + New registration.

Screenshot of the Azure AD service page in the Azure portal, showing the steps to create a new registration in the 'App registrations' page.

In the Register an application page that follows, fill in the requested values:

  • Name: An Azure AD application display name to associate with the registration
  • Supported account types: Select Accounts in this organizational directory only (Default Directory only - Single tenant)
  • Redirect URI: An Azure AD application reply URL for the Azure AD application. Add a Public client/native (mobile & desktop) URI for http://localhost.

When you're finished, select the Register button.

Screenshot of the 'Register an application' page in the Azure portal with the described values filled in.

When the registration is finished setting up, the portal will redirect you to its details page.

Collect important values

Next, collect some important values about the app registration that you'll need to use the app registration to authenticate a client application. These values include:

  • resource name
  • client ID
  • tenant ID
  • client secret

To work with Azure Digital Twins, the resource name is http://digitaltwins.azure.net.

The following sections describe how to find the other values.

Collect client ID and tenant ID

The client ID and tenant ID values can be collected from the app registration's details page in the Azure portal:

Screenshot of the Azure portal showing the important values for the app registration.

Take note of the Application (client) ID and Directory (tenant) ID shown on your page.

Collect client secret

To set up a client secret for your app registration, start on your app registration page in the Azure portal.

  1. Select Certificates and secrets from the registration's menu, and then select + New client secret.

    Screenshot of the Azure portal showing an Azure AD app registration and a highlight around 'New client secret'.

  2. Enter whatever values you want for Description and Expires, and select Add.

    Screenshot of the Azure portal while adding a client secret.

  3. Verify that the client secret is visible on the Certificates & secrets page with Expires and Value fields.

  4. Take note of its Secret ID and Value to use later (you can also copy them to the clipboard with the Copy icons).

    Screenshot of the Azure portal showing how to copy the client secret value.

Important

Make sure to copy the values now and store them in a safe place, as they can't be retrieved again. If you can't find them later, you'll have to create a new secret.

Provide Azure Digital Twins API permission

Next, configure the app registration you've created with baseline permissions to the Azure Digital Twins APIs.

From the portal page for your app registration, select API permissions from the menu. On the following permissions page, select the + Add a permission button.

Screenshot of the app registration in the Azure portal, highlighting the 'API permissions' menu option and 'Add a permission' button.

In the Request API permissions page that follows, switch to the APIs my organization uses tab and search for Azure digital twins. Select Azure Digital Twins from the search results to continue with assigning permissions for the Azure Digital Twins APIs.

Screenshot of the 'Request API Permissions' page search result in the Azure portal showing Azure Digital Twins.

Note

If your subscription still has an existing Azure Digital Twins instance from the previous public preview of the service (before July 2020), you'll need to search for and select Azure Smart Spaces Service instead. This is an older name for the same set of APIs (notice that the Application (client) ID is the same as in the screenshot above), and your experience won't be changed beyond this step. Screenshot of the 'Request API Permissions' page search result showing Azure Smart Spaces Service in the Azure portal.

Next, you'll select which permissions to grant for these APIs. Expand the Read (1) permission and check the box that says Read.Write to grant this app registration reader and writer permissions.

Screenshot of the 'Request API Permissions' page and selecting 'Read.Write' permissions for the Azure Digital Twins APIs in the Azure portal.

Select Add permissions when finished.

Verify success

On the API permissions page, verify that there's now an entry for Azure Digital Twins reflecting Read/Write permissions:

Screenshot of the API permissions for the Azure AD app registration in the Azure portal, showing 'Read/Write Access' for Azure Digital Twins.

You can also verify the connection to Azure Digital Twins within the app registration's manifest.json, which was automatically updated with the Azure Digital Twins information when you added the API permissions.

To do so, select Manifest from the menu to view the app registration's manifest code. Scroll to the bottom of the code window and look for the following fields and values under requiredResourceAccess:

  • "resourceAppId": "0b07f429-9f4b-4714-9392-cc5e8e80c8b0"
  • "resourceAccess" > "id": "4589bd03-58cb-4e6c-b17f-b580e39652f8"

These values are shown in the screenshot below:

Screenshot of the manifest for the Azure AD app registration in the Azure portal.

If these values are missing, retry the steps in the section for adding the API permission.

Other possible steps for your organization

It's possible that your organization requires more actions from subscription Owners/administrators to successfully set up an app registration. The steps required may vary depending on your organization's specific settings.

Here are some common potential activities that an Owner/administrator on the subscription may need to do. These and other operations can be performed from the Azure AD App registrations page in the Azure portal.

  • Grant admin consent for the app registration. Your organization may have Admin Consent Required globally turned on in Azure AD for all app registrations within your subscription. If so, the Owner/administrator will need to select this button for your company on the app registration's API permissions page for the app registration to be valid:

    Screenshot of the Azure portal showing the 'Grant admin consent' button under API permissions.

    • If consent was granted successfully, the entry for Azure Digital Twins should then show a Status value of Granted for (your company)

      Screenshot of the Azure portal showing the admin consent granted for the company under API permissions.

  • Activate public client access

  • Set specific reply URLs for web and desktop access

  • Allow for implicit OAuth2 authentication flows

For more information about app registration and its different setup options, see Register an application with the Microsoft identity platform.

Next steps

In this article, you set up an Azure AD app registration that can be used to authenticate client applications with the Azure Digital Twins APIs.

Next, read about authentication mechanisms, including one that uses app registrations and others that don't: