Create an app registration to use with Azure Digital Twins (portal)
When working with an Azure Digital Twins instance, it's common to interact with that instance through client applications, such as the custom client app built in Code a client app. Those applications need to authenticate with Azure Digital Twins to interact with it, and some of the authentication mechanisms that apps can use involve an Azure Active Directory (Azure AD) app registration.
The app registration isn't required for all authentication scenarios. However, if you're using an authentication strategy or code sample that does require an app registration, this article shows you how to set one up using the Azure portal. It also covers how to collect important values that you'll need to use the app registration to authenticate.
Azure AD app registrations
Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service. Setting up an app registration in Azure AD is one way to grant a client app access to Azure Digital Twins.
This app registration is where you configure access permissions to the Azure Digital Twins APIs. Later, client apps can authenticate against the app registration using the registration's client and tenant ID values, and as a result be granted the configured access permissions to the APIs.
You may prefer to set up a new app registration every time you need one, or to do this only once, establishing a single app registration that will be shared among all scenarios that require it.
Create the registration
Start by navigating to Azure Active Directory in the Azure portal (you can use this link or find it with the portal search bar). Select App registrations from the service menu, and then + New registration.
In the Register an application page that follows, fill in the requested values:
- Name: An Azure AD application display name to associate with the registration
- Supported account types: Select Accounts in this organizational directory only (Default Directory only - Single tenant)
- Redirect URI: An Azure AD application reply URL for the Azure AD application. Add a Public client/native (mobile & desktop) URI for
When you're finished, select the Register button.
When the registration is finished setting up, the portal will redirect you to its details page.
Collect important values
Next, collect some important values about the app registration that you'll need to use the app registration to authenticate a client application. These values include:
- resource name
- client ID
- tenant ID
- client secret
To work with Azure Digital Twins, the resource name is
The following sections describe how to find the other values.
Collect client ID and tenant ID
The client ID and tenant ID values can be collected from the app registration's details page in the Azure portal:
Take note of the Application (client) ID and Directory (tenant) ID shown on your page.
Collect client secret
To set up a client secret for your app registration, start on your app registration page in the Azure portal.
Select Certificates and secrets from the registration's menu, and then select + New client secret.
Enter whatever values you want for Description and Expires, and select Add.
Verify that the client secret is visible on the Certificates & secrets page with Expires and Value fields.
Take note of its Secret ID and Value to use later (you can also copy them to the clipboard with the Copy icons).
Make sure to copy the values now and store them in a safe place, as they can't be retrieved again. If you can't find them later, you'll have to create a new secret.
Provide Azure Digital Twins API permission
Next, configure the app registration you've created with baseline permissions to the Azure Digital Twins APIs.
From the portal page for your app registration, select API permissions from the menu. On the following permissions page, select the + Add a permission button.
In the Request API permissions page that follows, switch to the APIs my organization uses tab and search for Azure digital twins. Select Azure Digital Twins from the search results to continue with assigning permissions for the Azure Digital Twins APIs.
If your subscription still has an existing Azure Digital Twins instance from the previous public preview of the service (before July 2020), you'll need to search for and select Azure Smart Spaces Service instead. This is an older name for the same set of APIs (notice that the Application (client) ID is the same as in the screenshot above), and your experience won't be changed beyond this step.
Next, you'll select which permissions to grant for these APIs. Expand the Read (1) permission and check the box that says Read.Write to grant this app registration reader and writer permissions.
Select Add permissions when finished.
On the API permissions page, verify that there's now an entry for Azure Digital Twins reflecting Read/Write permissions:
You can also verify the connection to Azure Digital Twins within the app registration's manifest.json, which was automatically updated with the Azure Digital Twins information when you added the API permissions.
To do so, select Manifest from the menu to view the app registration's manifest code. Scroll to the bottom of the code window and look for the following fields and values under
These values are shown in the screenshot below:
If these values are missing, retry the steps in the section for adding the API permission.
Other possible steps for your organization
It's possible that your organization requires more actions from subscription Owners/administrators to successfully set up an app registration. The steps required may vary depending on your organization's specific settings.
Here are some common potential activities that an Owner/administrator on the subscription may need to do. These and other operations can be performed from the Azure AD App registrations page in the Azure portal.
Grant admin consent for the app registration. Your organization may have Admin Consent Required globally turned on in Azure AD for all app registrations within your subscription. If so, the Owner/administrator will need to select this button for your company on the app registration's API permissions page for the app registration to be valid:
If consent was granted successfully, the entry for Azure Digital Twins should then show a Status value of Granted for (your company)
Activate public client access
Set specific reply URLs for web and desktop access
Allow for implicit OAuth2 authentication flows
For more information about app registration and its different setup options, see Register an application with the Microsoft identity platform.
In this article, you set up an Azure AD app registration that can be used to authenticate client applications with the Azure Digital Twins APIs.
Next, read about authentication mechanisms, including one that uses app registrations and others that don't: