.. config-entra.rst
.. _configure-entra:
================================
Configuring Microsoft Entra ID
================================
The steps in this section register the container APIs and expose them so they can be used by the calling applications, for example a web app or ITSMs in the customer environment.
.. note:: Most of the registration steps can be performed by an admin user with the *Application Administrator* role. However, to complete some steps a user with the *Global Administrator* role is required as indicated in the procedure.
.. _register-apps:
Registering Apps
==================
In this step you will register the FIDO Connector app and, optionally, the FIDO Pre-reg Test Client used to test your deployment.
FIDO Connector App
---------------------
To register the FIDO Connector App, do the following:
1. Sign in to the `Microsoft Entra admin center `_ and expand the **Entra ID** section.
2. Click **App registrations**.
3. Click **+ New registration**.
4. Provide a descriptive **Name**, for example “Yubico FIDO Pre-reg Client App”.
5. Select the appropriate **Supported account types**; this setting defines the account types that can use the app or access the API. For this deployment, “Single tenant only” is sufficient.
6. Click **Register**.
7. Under the **Manage** section for the app, click **Expose an API**.
8. Click **Add** next to the **Application ID URI**.
9. Edit the **Application ID URI** to a value like ``api://fido-connector-api.{verified domain name}``.

   * The verified domain name can be either a custom domain that has been verified by the tenant, or the default domain that ends with “.onmicrosoft.com”.
   * The Application ID URI represents the scope that clients will use when authenticating to call the API. This value will be used in the ARM template for ``FIDO_Connector_Allowed_Audiences``. The URI does not need to be resolvable, but should have a descriptive scope name.
   * Save the value of the **URI** for later use.

10. Click **Save**.
11. Under **Manage** > **Expose an API**, click **+ Add a scope** and set the following:

    * For **Scope name** and **Admin consent display name**, enter “**create_request**”.
    * For **Consent**, select “Admins only”.
    * For the **Admin consent description**, enter “Allows Yubico FIDO Pre-reg requests”.

12. Click **Add scope**.
13. Under **Manage**, click **Certificates & secrets**.
14. Click **+ New client secret**.
15. Provide a **Description**, for example “YFPR Service - Client Secret”, and use the recommended **Expires** option.
16. Click **Add**.
17. Save the secret **Value** shown next to the **Secret ID** for later use in the ARM template for the ``FIDO_Connector_Client_Secret``. The value is only displayed immediately after the secret is created.
18. In the Microsoft Entra Admin center, click **Overview** for the FIDO Connector app.
19. Save the **Application (client) ID** value for later use in the ARM template for the ``FIDO_Connector_Client_Id``.
For more information, see `Register an application with the Microsoft identity platform (Microsoft documentation) `_.
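The Application ID URI from step 9 becomes ``FIDO_Connector_Allowed_Audiences``, so every token the connector API accepts must name it in the ``aud`` claim and carry the ``create_request`` scope from step 11. The following Python is an added example, not code from this guide or from the Yubico connector: it shows the claim checks an API applies after the token signature has been verified against the tenant's signing keys. The tenant domain, the comma-separated audience format and the sample claims are assumptions.

```python
import base64
import json
import time

# Constructed sample value (assumption): the Application ID URI recorded for
# FIDO_Connector_Allowed_Audiences, here with a hypothetical tenant domain.
# Multiple audiences are assumed to be comma-separated.
FIDO_CONNECTOR_ALLOWED_AUDIENCES = "api://fido-connector-api.contoso.onmicrosoft.com"
REQUIRED_SCOPE = "create_request"  # the scope exposed in step 11


def _b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token):
    """Return the payload claims of a compact JWT. NOTE: this does not verify the
    signature; a real API validates it against the tenant's signing keys first."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(claims, allowed_audiences, now=None):
    """Return a list of problems; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    allowed = {a.strip() for a in allowed_audiences.split(",") if a.strip()}
    problems = []
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if not any(a in allowed for a in audiences):
        problems.append("aud %r is not an allowed audience" % (aud,))
    # Delegated scopes granted to the caller appear space-separated in 'scp'.
    if REQUIRED_SCOPE not in str(claims.get("scp", "")).split():
        problems.append("required scope %r missing from scp" % REQUIRED_SCOPE)
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired or has no exp claim")
    return problems


def build_demo_token(claims):
    """Build a constructed token for offline testing; the signature segment is a
    placeholder, which is exactly why decode_claims must never be used alone."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return "%s.%s.%s" % (enc({"alg": "RS256", "typ": "JWT"}), enc(claims), enc({"placeholder": 1}))
```

Run ``check_claims(decode_claims(token), FIDO_CONNECTOR_ALLOWED_AUDIENCES)`` on a verified token; a non-empty list means the request must be rejected.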
FIDO Pre-reg Test Client
--------------------------
Registering this app is *optional*. However, the app is useful when testing direct calls to the FIDO Connector App. The application credentials created here can be used in a Postman test client or any other HTTP test client when testing the app deployment.
To register the FIDO Pre-reg Test Client app, do the following:
1. Sign in to the `Microsoft Entra admin center `_ and expand the **Entra ID** section.
2. Click **App registrations**.
3. Click **+ New registration**.
4. Provide a descriptive **Name** like “Yubico FIDO Pre-reg Test Client” and click **Register**.
5. Under **Manage**, select **API permissions**.
6. Click **+ Add a permission**.
7. Click **APIs my organization uses** at the top.
8. Search for **Credential-Container-API** and select the API in the list.
9. Select **create_request**.
10. Click **Add permissions**.
11. Under **Manage**, click **Certificates & secrets**.
12. Click **+ New client secret**.
13. Provide a **Description**, for example “YFPR Service - Client Secret”, and use the recommended **Expires** option.
14. Click **Add**.
The app credentials you created here will be used later when testing the app deployment. For more information, see :ref:`test-deployment`.