Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
2.3.2. App Registrations and Permission Scopes
💡 First Principle: App registrations define your application's identity in Microsoft Entra ID. Permission scopes define what APIs your application can call and what data it can access.
Scenario: You're developing an application that needs to read user profiles and send emails on behalf of users. You must register the application and request appropriate permissions.
App Registration Key Settings
- Application (client) ID: Unique identifier for your app
- Directory (tenant) ID: Your Entra ID tenant
- Redirect URIs: Where authorization codes and tokens are returned; the value the app sends must match a registered URI exactly
- Credentials: Client secrets or certificates used by confidential clients (web apps, daemons) to prove the app's identity; public clients (SPAs, mobile apps) hold no credential, and certificates are preferred over secrets
- API permissions: What APIs the app can access
Permission Types
| Type | Description | Consent Required |
|---|---|---|
| Delegated permissions | App acts on behalf of the signed-in user; effective rights are limited to what that user can do | User (admin for high-privilege scopes, or when user consent is disabled) |
| Application permissions | App acts as itself with no user context (app roles, used by daemons and services) | Admin only |
OpenID Connect Scopes
- openid: Required for sign-in; requests an ID token for the user
- profile: Adds basic profile claims (name, preferred username) to the ID token
- email: Adds the user's primary email address claim
- offline_access: Returns a refresh token so the app can obtain new access tokens without prompting the user again
⚠️ Exam Trap: Confusing a requested scope with a granted permission. A scope is the OAuth 2.0 name for the capability the app asks for (e.g., Mail.Send, a delegated Microsoft Graph permission; application permissions are app roles rather than scopes). Adding it under API permissions on the registration only declares the request. Until a user or admin grants consent, the token issued to the app will not carry that permission and calls that need it are refused.
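The scenario above, carried through in code as an added example (not part of this page): the client builds the v2.0 authorization request with the OpenID Connect scopes plus the two delegated Graph permissions, and the protected API side shows where consented permissions actually surface, in the `scp` claim for delegated tokens and the `roles` claim for application tokens. The tenant ID, client ID, redirect URI and the sample token are constructed placeholders, and the JWT decoder here deliberately skips signature verification, which a real API must never do.

```python
"""
Added example, not the page's own code. Placeholders only:
TENANT_ID, CLIENT_ID and REDIRECT_URI are made-up values, and the sample
access token below is constructed by hand (unsigned) to illustrate the claims.
"""
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

TENANT_ID = "00000000-0000-0000-0000-000000000000"    # Directory (tenant) ID, placeholder
CLIENT_ID = "11111111-1111-1111-1111-111111111111"    # Application (client) ID, placeholder
REDIRECT_URI = "https://localhost:5001/signin-oidc"    # must match a registered redirect URI

# OpenID Connect scopes plus the delegated Microsoft Graph permissions the scenario needs.
OIDC_SCOPES = ["openid", "profile", "email", "offline_access"]
GRAPH_SCOPES = ["User.Read", "Mail.Send"]


def pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 PKCE method."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str,
                        scopes: list[str], state: str, code_challenge: str) -> str:
    """Authorization-code request to the v2.0 endpoint. Scopes are one space-separated string."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,                      # CSRF protection, checked on the redirect back
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return (f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?"
            + urlencode(params))


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token(claims: dict) -> str:
    """Build a CONSTRUCTED, unsigned compact JWT so the claim checks below can run offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def jwt_payload(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying it. Illustration only: a real API must
    validate signature, issuer, audience and expiry before trusting any claim."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def check_permission(claims: dict, delegated: str, application: str) -> bool:
    """Enforce the permission-type table on the API side.
    A delegated token carries consented scopes in the space-separated 'scp' claim, so
    require the delegated permission. An app-only token has no 'scp' and carries app
    roles in the 'roles' array, so require the application permission instead.
    A scope merely configured on the registration but never consented is absent here."""
    if "scp" in claims:
        return delegated in claims["scp"].split()
    return application in claims.get("roles", [])


# Constructed claim sets standing in for tokens the API might receive.
DELEGATED_CLAIMS = {"aud": "00000003-0000-0000-c000-000000000000",   # Microsoft Graph
                    "scp": "User.Read Mail.Send email openid profile",
                    "preferred_username": "alice@contoso.example"}
APP_ONLY_CLAIMS = {"aud": "00000003-0000-0000-c000-000000000000",
                   "roles": ["Mail.Send"]}

if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    print(build_authorize_url(TENANT_ID, CLIENT_ID, REDIRECT_URI,
                              OIDC_SCOPES + GRAPH_SCOPES, secrets.token_urlsafe(16), challenge))
    token = make_sample_token(DELEGATED_CLAIMS)
    print(check_permission(jwt_payload(token), "Mail.Send", "Mail.Send"))      # True
    print(check_permission(jwt_payload(token), "Mail.ReadWrite", "Mail.Send")) # False: never consented
```

The refresh token that `offline_access` unlocks is returned by the token endpoint alongside the access token, not inside it, so nothing about it appears in the claims above; what you do see is that a permission absent from `scp` or `roles` cannot be used regardless of what the registration lists.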
Written by Alvin Varughese
Founder • 15 professional certifications