App registration in Azure.

First things first: you need to register your app in Azure. You could let a user log in to your tenant, but this is cumbersome for scripts running from the command line. Running it automated, via cron or such, would be hard, if possible at all. So, register your app.

When you’re done you should have the following information:

Tenant id: 855bb29f-e023-42ed-9a7e-8a5928496f2a
Application id: f5ec7b7d-b950-4bb2-bf5d-2eef038312f8
Application secret: kXo8Q~vtAKEokWHOiTduq6qxqDDPYZ-zRCU5.as6
Login endpoint: [tenant_id]/oauth2/v2.0/token
Graph endpoint:
(Values are samples)

The process of registering an app is documented quite well. For instance, this site. But it always comes down to registering your application and creating secrets for it. I’ll walk you through both and give you my considerations.

App registration

Below is a screenshot of the Azure app registrations in the Azure Active Directory for my development tenant. As you can see there is just one registration for “TestBot”.

A new Azure app registration can be made by clicking on “New registration”. You will be prompted for some information:

To be quite honest: I’m not sure if it matters a whole lot what you fill in here. I always give a descriptive name, choose “single tenant” access and leave the redirect URI blank. The application is going to connect with the app-id and app-secret. Users do not log in interactively.

After you click “register” you do get some information:

Please take note of the “Application (client) ID” and “Directory (tenant) ID”. You will need those later.

Keep your registrations as specific as possible. Don’t create a registration which will be used by several apps. Be task specific. That way you can revoke an app’s access by removing the registration.

Creating a secret

For an app you’ll need a client secret (or certificate). To make a secret click on “Add a certificate or secret”, click on “New client secret”, fill in a name for the secret and choose how long you want the secret to be valid. That’s it, nothing more to it.

Copy the hex string which is given under “Value”. This is the passphrase; you can’t look it up later.

You could also use a certificate. I’ve not tested that. You’re on your own.

Application permissions

You can use the app-id and the app-secret to authenticate your app with MS Azure. But this is only half the work: you’ll have to authorize the app to do “something” with the Graph API.

Authorizations are managed in the “API permissions” section:

Here you see that the default MS Graph permission is “”. Click on “Add a permission” to add a permission. After clicking on “Microsoft Graph” click on “Application permissions” since we are going to use an app to connect to MS Graph.

For now I add “Group.Read.All”, since I’m going to read the groups in the tenant. I can always add permissions when needed. Please note that admin consent is required for this. This means a tenant administrator has to consent to this permission.

You can click on “Grant admin consent for …” to consent. Duh 😀

Permissions is a bit of a bitch. It’s not always clear up front what permission you need to do a certain task. Don’t walk into the pitfall of granting too many permissions. As always, it’s better to give as little as possible. Limit the damage your app can do when going south. Read the documentation for a certain function before granting rights.
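
An added example (not part of the original article, and not the author's code): a Perl check, using only core modules, that decodes an app-only access token and reports every application permission in its "roles" claim beyond the ones you meant to grant. The token below is constructed and unsigned, and the helper names token_claims and excess_roles are hypothetical.

```perl
#!/usr/bin/perl
# Added example, not the author's code. Helper names are hypothetical.
use strict;
use warnings;
use JSON::PP qw(decode_json encode_json);
use MIME::Base64 qw(decode_base64url encode_base64url);

# Decode the payload (middle segment) of a JWT access token.
# The signature is not verified: this inspects a token we just requested
# ourselves, it does not authenticate a token received from someone else.
sub token_claims {
    my ($jwt) = @_;
    my @parts = split /\./, $jwt;
    die "not a three-part JWT\n" unless @parts == 3;
    return decode_json(decode_base64url($parts[1]));
}

# Application permissions show up in the "roles" claim of an app-only token.
# Return every granted role that is not on the allow-list.
sub excess_roles {
    my ($claims, @allowed) = @_;
    my %ok = map { $_ => 1 } @allowed;
    return grep { !$ok{$_} } @{ $claims->{roles} // [] };
}

# Constructed, unsigned sample token: the tenant id is the sample value from
# the list at the top of this article, and a second permission was
# consented to by mistake.
my $sample = join '.',
    encode_base64url(encode_json({ alg => 'none' })),
    encode_base64url(encode_json({
        tid   => '855bb29f-e023-42ed-9a7e-8a5928496f2a',
        roles => [ 'Group.Read.All', 'User.ReadWrite.All' ],
    })),
    'constructed-signature';

my $claims = token_claims($sample);
my @extra  = excess_roles($claims, 'Group.Read.All');

print "Tenant: $claims->{tid}\n";
print @extra
    ? "Over-privileged, remove in API permissions: @extra\n"
    : "OK: token carries only the expected permissions\n";
```

Run it against a real token after every change in "API permissions" to confirm that what was consented to matches what the script actually needs.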


Finally, you’ll need 2 endpoints. You can check them for your tenant by clicking on “Endpoints” on the “Overview” page.

You need the “OAuth 2.0 token endpoint (v1)” for authenticating your app and the “Microsoft Graph API endpoint” to make the actual API calls.

Using Perl for MS Graph

Nowadays Perl isn’t the sexiest language on the internet. But it is, and has been for a long time, my favorite scripting language. Not that I’m a perfect programmer in Perl, not by a long shot. But I’m far more at ease with Perl than with something like Node-JS.

For some time now I have been doing administration work in our Microsoft 365 tenant. Used Powershell for that mostly. But lately MS Graph is pushed a bit as the way to do things in the tenant. So, I started learning to do things with MS Graph API calls and learned that it is nothing more than HTTP requests made to an endpoint. Like getting weather info from the “Buienradar API”.

Examples I found kinda always tend to use Node-JS. And I did get some work done using that. But Node-JS is awkward to me, going back to Perl felt like coming home.

This is, will be, a series of articles describing my quest to get “things” working in Perl. You can see my code on

Stay tuned for more.

Articles in this series

App registration in Azure: Nothing goes in Azure without a registration. Not the most fun part, but necessary to get things going.