
App Registration Setup

Sebastian F. Markdanner [MVP] edited this page May 11, 2026 · 2 revisions

The portal needs a Microsoft Entra ID single-page application registration in your tenant. This page covers creating it manually so you can supply its application (client) ID to the self-hosted deployment.

If you only want to use the managed portal at https://portal.pimactivation.com, you do not need to create your own app registration — the multi-tenant managed app handles consent for you.

Create the app registration

  1. Sign in to the Microsoft Entra admin center with an account that can create app registrations (typically Application Administrator or higher).
  2. Go to Identity → Applications → App registrations → New registration.
  3. Fill in:
    • Name: PIMActivation Portal (or whatever you prefer).
    • Supported account types: Accounts in this organizational directory only (single tenant).
    • Redirect URI: leave blank for now — you'll add it after the SWA exists. If you already know the URL, choose Single-page application (SPA) and enter https://<your-swa-hostname> (no trailing slash).
  4. Click Register.
  5. Copy the Application (client) ID — you'll pass it to the Bicep template as applicationClientId.
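The same registration can be created from the command line with Microsoft Graph PowerShell. This is an added example, not the project's deployment script; it assumes the Microsoft.Graph.Applications module is installed and that you sign in with an account that can create app registrations. The `$SignInAudience` parameter is the scripted equivalent of the "Supported account types" choice, so it also covers the multi-tenant case described later on this page.

```powershell
<#
  Added example (not the project's own script): create the SPA app registration
  with Microsoft Graph PowerShell and print the values the Bicep template needs.
#>
param(
    [string] $DisplayName = 'PIMActivation Portal',
    # AzureADMyOrg = "Accounts in this organizational directory only" (this page's default)
    # AzureADMultipleOrgs = multi-tenant, see "Multi-tenant deployments"
    [ValidateSet('AzureADMyOrg', 'AzureADMultipleOrgs')]
    [string] $SignInAudience = 'AzureADMyOrg',
    # Optional: SWA hostname if you already know it, e.g. myportal.azurestaticapps.net
    [string] $SwaHostname
)

Connect-MgGraph -Scopes 'Application.ReadWrite.All' -NoWelcome

# Do not silently create a second registration with the same display name
$existing = Get-MgApplication -Filter "displayName eq '$DisplayName'"
if ($existing) {
    throw "An app registration named '$DisplayName' already exists (client ID $($existing.AppId))"
}

$create = @{
    DisplayName    = $DisplayName
    SignInAudience = $SignInAudience
    # Implicit grant stays off: the portal uses the authorization code flow with PKCE
    Web = @{
        ImplicitGrantSettings = @{ EnableAccessTokenIssuance = $false; EnableIdTokenIssuance = $false }
    }
}
if ($SwaHostname) {
    # Redirect URI goes on the SPA platform (not Web), https only, no trailing slash
    $create['Spa'] = @{ RedirectUris = @("https://$($SwaHostname.Trim().TrimEnd('/'))") }
}

$app = New-MgApplication @create

[pscustomobject]@{
    ApplicationClientId = $app.AppId   # pass as applicationClientId to the Bicep template
    ObjectId            = $app.Id      # needed for later Update-MgApplication calls
    SignInAudience      = $app.SignInAudience
}
```

Note the distinction between the two IDs printed at the end: the Bicep template wants the application (client) ID (`AppId`), while Graph update calls address the registration by its object ID (`Id`). Mixing them up is the most common reason a later scripted update fails with "not found".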

Configure the SPA platform

After deployment finishes (or any time you know the final URL):

  1. Open your app registration → Authentication.
  2. Under Platform configurations, click Add a platform → Single-page application.
  3. Add the redirect URIs from the redirectUris deployment output. Typically:
    • https://<swa-hostname> (the generated *.azurestaticapps.net URL)
    • https://<your-custom-domain> if you supplied customDomain
  4. Save.

The deployment script attempts to do steps 2–4 automatically through Microsoft Graph. It only succeeds if the deployment identity owns the app registration or has appropriate Microsoft Graph application-write permissions. If the deployment log shows a Microsoft Graph permission warning, do these steps manually.
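If you prefer to script steps 2–4 yourself, the following does what the deployment script attempts, and reports the same permission problem instead of half-applying. This is an added example and not the project's script; it assumes Microsoft Graph PowerShell and takes the client ID plus the URIs from the `redirectUris` deployment output. It merges with any redirect URIs already on the SPA platform, so running it twice never drops a URI.

```powershell
<#
  Added example (not the project's deployment script): add SPA redirect URIs
  to an existing app registration through Microsoft Graph PowerShell.
#>
param(
    [Parameter(Mandatory)] [string]   $ApplicationClientId,   # the appId, not the object ID
    [Parameter(Mandatory)] [string[]] $RedirectUris           # e.g. the redirectUris deployment output
)

Connect-MgGraph -Scopes 'Application.ReadWrite.All' -NoWelcome

$app = Get-MgApplication -Filter "appId eq '$ApplicationClientId'"
if (-not $app) { throw "No app registration with client ID $ApplicationClientId in this tenant" }

# Validate before touching the registration: https, host only, no trailing slash,
# no path/query/fragment and no wildcard (Entra would accept some of these; we do not)
$clean = foreach ($u in $RedirectUris) {
    $t = $u.Trim().TrimEnd('/')
    if ($t -notmatch '^https://[a-z0-9.-]+(:\d+)?$') {
        throw "Refusing redirect URI '$u': expected https://<host> with no path, query or wildcard"
    }
    $t
}

# Merge with what is already configured so a re-run is idempotent
$current = @($app.Spa.RedirectUris | Where-Object { $_ })
$merged  = @($current + $clean | Sort-Object -Unique)

try {
    Update-MgApplication -ApplicationId $app.Id -Spa @{ RedirectUris = $merged } -ErrorAction Stop
    Write-Host "SPA redirect URIs on '$($app.DisplayName)': $($merged -join ', ')"
}
catch {
    # This is the situation the deployment log reports as a Graph permission warning:
    # the caller neither owns the registration nor holds Application.ReadWrite.All
    if ($_.Exception.Message -match 'Insufficient privileges|Authorization_RequestDenied') {
        Write-Warning "Not permitted to update '$($app.DisplayName)'. Add the URIs manually under Authentication > Platform configurations > Single-page application:"
        $merged | ForEach-Object { Write-Warning "  $_" }
        exit 1
    }
    throw
}
```

The strict URI check is deliberate: a redirect URI with a path or wildcard is a wider target than the portal needs, and an http:// entry would let a token be delivered to an unencrypted origin.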

Configure API permissions

Add the delegated permissions listed in Permissions Reference:

  1. App registration → API permissions → Add a permission.
  2. Select Microsoft Graph → Delegated permissions and add each Graph scope from the reference page.
  3. Select Add a permission → Azure Service Management → Delegated permissions → tick user_impersonation.
  4. If your tenant requires admin consent, click Grant admin consent for <tenant> — or use the adminConsentUrl output from the deployment for a clickable link.
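The permission steps above, scripted with Microsoft Graph PowerShell, as an added example that is not part of the project. It resolves scope names to IDs from the resource service principals in your tenant rather than hard-coding GUIDs, and asks only for delegated (`Scope`) permissions. The Graph scope list is intentionally not reproduced here: the `$GraphScopes` default of `User.Read` is a placeholder assumption, and you should pass the full list from the Permissions Reference page.

```powershell
<#
  Added example (not the project's deployment script): set the delegated
  permissions on the app registration and print the admin consent URL.
#>
param(
    [Parameter(Mandatory)] [string] $ApplicationClientId,
    # Placeholder assumption: replace with every delegated Graph scope from the Permissions Reference
    [string[]] $GraphScopes = @('User.Read')
)

$GraphAppId = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph
$ArmAppId   = '797f4846-ba00-4fd7-ba43-dac1f8f63013'   # Azure Service Management (ARM)

Connect-MgGraph -Scopes 'Application.ReadWrite.All' -NoWelcome

$app = Get-MgApplication -Filter "appId eq '$ApplicationClientId'"
if (-not $app) { throw "No app registration with client ID $ApplicationClientId in this tenant" }

# Look up delegated scope IDs on the resource's service principal; fail on a typo
# instead of silently requesting nothing. Type 'Scope' = delegated; 'Role' would be
# an application permission, which this portal never needs.
function Resolve-DelegatedScopes([string] $ResourceAppId, [string[]] $Names) {
    $sp = Get-MgServicePrincipal -Filter "appId eq '$ResourceAppId'"
    if (-not $sp) { throw "Resource $ResourceAppId has no service principal in this tenant" }
    $access = foreach ($n in $Names) {
        $scope = $sp.Oauth2PermissionScopes | Where-Object Value -eq $n
        if (-not $scope) { throw "'$n' is not a delegated scope exposed by $($sp.DisplayName)" }
        @{ Id = $scope.Id; Type = 'Scope' }
    }
    @{ ResourceAppId = $ResourceAppId; ResourceAccess = @($access) }
}

$required = @(
    (Resolve-DelegatedScopes $GraphAppId $GraphScopes),
    (Resolve-DelegatedScopes $ArmAppId   @('user_impersonation'))
)

# RequiredResourceAccess is replaced as a whole, so the registration ends up with
# exactly this list and nothing that was added by hand earlier
Update-MgApplication -ApplicationId $app.Id -RequiredResourceAccess $required

# Admin consent link: the v2 endpoint form; the adminConsentUrl deployment output is equivalent
$tenantId = (Get-MgContext).TenantId
"https://login.microsoftonline.com/$tenantId/adminconsent?client_id=$($app.AppId)"
```

Opening the printed URL as a Global Administrator or Privileged Role Administrator grants tenant-wide consent for exactly the scopes just configured; re-run the script and the link after any change to the scope list, because consent is recorded per scope.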

What you do not need

  • Client secrets / certificates. The portal uses delegated, browser-side authentication only. Adding a client secret to the app registration is not necessary and is discouraged for SPAs.
  • Application permissions. None are used. Adding them only widens the blast radius if the app registration is ever compromised.
  • Implicit grant tokens. Leave Implicit grant and hybrid flows disabled. The portal uses the authorization code flow with PKCE.
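A quick way to confirm that a registration matches this list is to read it back and flag anything that should not be there. The check below is an added example (not the project's code); it assumes Microsoft Graph PowerShell with read access to applications, and exits non-zero when it finds something so it can run in a pipeline.

```powershell
<#
  Added example (not the project's code): audit an app registration against the
  "What you do not need" list on this page. Read-only.
#>
param([Parameter(Mandatory)] [string] $ApplicationClientId)

Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

$app = Get-MgApplication -Filter "appId eq '$ApplicationClientId'"
if (-not $app) { throw "No app registration with client ID $ApplicationClientId in this tenant" }

$findings = @()

# Client secrets / certificates: a browser-only app cannot keep either secret
if ($app.PasswordCredentials.Count -gt 0) {
    $findings += "client secret(s) present: $(($app.PasswordCredentials.DisplayName | Where-Object { $_ }) -join ', ')"
}
if ($app.KeyCredentials.Count -gt 0) {
    $findings += "$($app.KeyCredentials.Count) certificate credential(s) present"
}

# Application permissions (Type = Role) widen the blast radius and are never used
$roles = @($app.RequiredResourceAccess.ResourceAccess | Where-Object Type -eq 'Role')
if ($roles.Count -gt 0) {
    $findings += "$($roles.Count) application permission(s) requested; portal needs delegated only"
}

# Implicit grant must stay off; the portal uses auth code + PKCE
$implicit = $app.Web.ImplicitGrantSettings
if ($implicit.EnableAccessTokenIssuance -or $implicit.EnableIdTokenIssuance) {
    $findings += 'implicit grant enabled (access token: ' +
        "$($implicit.EnableAccessTokenIssuance), ID token: $($implicit.EnableIdTokenIssuance))"
}

# Redirect URIs belong on the SPA platform, not Web or public client
if ($app.Web.RedirectUris.Count -gt 0) {
    $findings += "Web-platform redirect URIs present: $($app.Web.RedirectUris -join ', ')"
}
if ($app.PublicClient.RedirectUris.Count -gt 0) {
    $findings += "mobile/desktop redirect URIs present: $($app.PublicClient.RedirectUris -join ', ')"
}
if ($app.Spa.RedirectUris.Count -eq 0) {
    $findings += 'no SPA redirect URIs configured; sign-in will fail'
}

# Informational: multi-tenant is only expected when you chose it deliberately
if ($app.SignInAudience -ne 'AzureADMyOrg') {
    $findings += "sign-in audience is $($app.SignInAudience), not single tenant"
}

if ($findings.Count -eq 0) {
    Write-Host "OK: '$($app.DisplayName)' ($($app.AppId)) has no unexpected settings"
    exit 0
}
Write-Warning "'$($app.DisplayName)' ($($app.AppId)) needs attention:"
$findings | ForEach-Object { Write-Warning "  - $_" }
exit 1
```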

Multi-tenant deployments

The self-hosted Bicep template assumes a single-tenant app registration. If you deliberately want to deploy a portal that other tenants can sign in to, change Supported account types to multi-tenant when registering and pass organizations (or common) as tenantId to the Bicep template. Be aware that allowing other tenants to consent to your application means the consent screen and admin consent flow apply to them too.
