Registering the application in Azure AD

In this demonstration, we are going to register an application in Azure AD. Registering it creates an application object and, in our tenant, a service principal for it. We are going to give this service principal permission to access Azure resources; in this example, the permission to create a user in Azure AD using the Microsoft Graph.

We are going to use Postman as an API client to create the requests to the Graph. Under the Technical requirements section at the beginning of this chapter, you can click the link to install Postman. 

For those who are unfamiliar with Postman, you can refer to the following website for more information, at https://www.getpostman.com/product/api-client.

To register the application in the Azure portal, we need to perform the following steps:

  1. Navigate to the Azure portal by opening https://portal.azure.com.
  2. In the left menu, select Azure Active Directory.
  3. In the Azure Active Directory overview blade, click App registrations and then, in the top menu, + New registration:

New app registration
  4. In the App registration blade, add the following values:
    • Name: PacktADApp.
    • Supported account types: Accounts in this organizational directory only. There are three options here. The first creates a single-tenant app, which only has access to the Azure AD tenant where it is created; this is the right choice for a demo like this one. The second, Accounts in any organizational directory, creates a multi-tenant app that can be used from other Azure AD tenants as well. The third also creates a multi-tenant app and, besides work and school accounts, accepts personal Microsoft accounts, such as outlook.com accounts.
    • Redirect URI: Here, you can fill in https://localhost, because we don't have a real application that the user needs to be redirected to after finishing the authentication process. The client credentials flow we use later never redirects a browser at all, so this value is only a placeholder. In a real application, register only the exact URIs you control: the redirect URI is where Azure AD sends authorization codes and tokens, and an attacker who controls a registered redirect URI can capture them.

Register the application

Click Register.

  5. During registration, Azure AD assigns your application a unique client identifier, the Application (client) ID. You need this value in the next sections, so copy it from the application's Overview page.
  6. To find your registered application later in the Azure portal, click App registrations again, and then click View all applications.
  7. The next step is to create an app secret. From the application blade, in the left menu, click Certificates & secrets. In there, click + New client secret:

Create a new client secret
  8. Add the following values:
    • Description: Key1.
    • Expires: In 1 year. You can also choose In 2 years or Never. Prefer the shortest lifetime you can rotate on schedule: a secret that never expires stays valid for anyone who has copied it until somebody notices and deletes it. For production workloads, a certificate (the Certificates tab next to Client secrets) is the stronger credential.
  9. Click Add.
  10. Then, copy the client secret, because it's only displayed once. Treat it like a password: keep it in a secret store such as Azure Key Vault, and never commit it to source control.

Client secret
  11. Now that we have an application ID and a secret, we can set the appropriate permissions for the application. In the left menu, select API permissions.
  12. In the API permissions blade, you can see that one permission is already added: the delegated Microsoft Graph permission User.Read, which allows a user to sign in and lets the app read that user's own profile. Click + Add a permission:

Application permissions
  13. In the Request API permissions blade, select Microsoft Graph. In there, you can choose between two different types of permissions, Delegated permissions and Application permissions. Delegated permissions are used when a signed-in user is present: the application calls the API on behalf of that user, and the effective access is limited both by what the user is allowed to do and by what the application was granted. Application permissions are used when there is no signed-in user, for example a daemon, or a Postman request that authenticates with the client ID and secret alone; the application then acts as itself, and the granted permission applies across the whole tenant (all users, all security groups, all Office 365 resources, and so on, depending on the permission). In this example, we want to create a new user in Azure AD from Postman without anybody signing in, so we have to select Application permissions.
  14. After selecting the application permissions, all of the available permissions are displayed. We need to unfold the Directory item and then choose Directory.ReadWrite.All. Note that this is a very broad permission: it lets the app read and write almost every object in the directory. The least-privileged application permission that allows creating users is User.ReadWrite.All, so outside a demo, choose the narrowest permission the Microsoft Graph documentation lists for the calls you actually make:

Select the appropriate permissions
  15. Click Add permissions.
  16. Because we are using application permissions, an administrator needs to grant admin consent as well; no user can consent to tenant-wide permissions on their own behalf. Click Grant admin consent for... (the button names your tenant), then, in the popup, sign in with your administrator credentials and confirm the permissions that are requested:

Grant admin consent
  17. Now this application has the permissions to add a new user to the Azure Active Directory tenant:

Admin consent granted
  18. At last, select Azure Active Directory from the left menu again, and then under Manage, click Properties. In there, copy the tenant ID (labelled Directory ID or Tenant ID, depending on the portal version). We need this, together with the application ID and the client secret, to set up the token request to Azure AD for the Microsoft Graph in the next section.
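The three values collected above (tenant ID, Application (client) ID, and client secret) are exactly what an OAuth 2.0 client credentials request to Azure AD needs, and the token that comes back tells you whether admin consent actually took effect before you spend time on Graph calls. The following script is an added example, not code from the chapter: it builds the token request that Postman will send in the next section, and it inspects the token's claims. Application permissions appear in the roles claim, delegated permissions in scp, so an app-only token for creating users must carry Directory.ReadWrite.All in roles and no scp at all. The environment variable names and the demo tokens are assumptions constructed for this example; the token endpoint, the .default scope, and the claim names are Azure AD's own. The decoder deliberately does not verify the signature, which is fine for looking at a token Azure AD just issued to you, and never acceptable for an authorization decision.

```python
"""Added example (not part of the original chapter): build the client credentials
request Postman will send, and check that the token carries the consented permission."""
from __future__ import annotations

import base64
import json
import os
import sys
import urllib.parse
import urllib.request

GRAPH_SCOPE = "https://graph.microsoft.com/.default"  # ".default" = every consented app permission
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}
REQUIRED_ROLE = "Directory.ReadWrite.All"  # the application permission granted in the steps above


def build_token_request(tenant_id: str, client_id: str, client_secret: str) -> tuple[str, bytes]:
    """Build the OAuth 2.0 client credentials request for the v2.0 token endpoint.
    No user is involved: the app authenticates as itself with its secret, which is
    why Application permissions (not Delegated permissions) are required."""
    endpoint = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    }
    return endpoint, urllib.parse.urlencode(form).encode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(jwt: str) -> dict:
    """Decode a JWT payload WITHOUT verifying its signature. Fine for inspecting a
    token Azure AD just issued to us; never use unverified claims for authorization."""
    _header, payload, _signature = jwt.split(".")
    return json.loads(_b64url_decode(payload))


def check_consent(claims: dict, required_role: str = REQUIRED_ROLE) -> list[str]:
    """Return the problems with an app-only Graph token (empty list means usable).
    Application permissions live in 'roles'; delegated permissions live in 'scp' as a
    space-separated string. A client credentials token must have 'roles' and no 'scp'."""
    problems = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        problems.append(f"audience is {claims.get('aud')!r}, expected Microsoft Graph")
    if "scp" in claims:
        problems.append("token carries 'scp' (delegated permissions); expected an app-only token")
    if required_role not in claims.get("roles", []):
        problems.append(f"{required_role!r} missing from 'roles': admin consent not granted yet?")
    return problems


def make_demo_token(claims: dict) -> str:
    """CONSTRUCTED sample token for offline use. Real Azure AD tokens are RS256-signed;
    this one has a placeholder signature and exists only to exercise the checks."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed claims: the shape of an app-only token and of a delegated token.
DEMO_APP_TOKEN = make_demo_token({"aud": "https://graph.microsoft.com",
                                  "appid": "11111111-2222-3333-4444-555555555555",
                                  "roles": ["Directory.ReadWrite.All"]})
DEMO_DELEGATED_TOKEN = make_demo_token({"aud": "https://graph.microsoft.com",
                                        "scp": "User.Read", "upn": "alice@contoso.example"})


def main() -> int:
    """With AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET set (assumed
    variable names), request a real token; otherwise inspect the constructed demo token."""
    values = [os.environ.get(n) for n in ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")]
    if all(values):
        endpoint, body = build_token_request(*values)
        req = urllib.request.Request(endpoint, data=body, method="POST")
        with urllib.request.urlopen(req) as resp:
            token = json.load(resp)["access_token"]
    else:
        print("credentials not set in the environment; checking the constructed demo token")
        token = DEMO_APP_TOKEN
    problems = check_consent(decode_claims(token))
    for problem in problems:
        print("problem:", problem)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main())
```

If the roles claim is empty, the registration and secret are fine but admin consent is missing: Azure AD happily issues a token with no permissions at all, and the failure only shows up later as a 403 from the Graph. Checking the claims right after setup separates the two problems.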

This concludes the first part of the demo. In the next section, we are going to use these values to request an access token from Azure AD and call the Microsoft Graph with it.
