Configuring Microsoft Entra ID

The steps in this section register the Credential Container API in your tenant and expose it so that calling applications (for example a web app or an ITSM tool in the customer environment) can obtain tokens for it.

Note

Most of the registration steps can be performed by an admin user with the Application Administrator role. However, granting tenant-wide admin consent for the create_request scope, which this procedure restricts to admin consent, requires a role that can grant such consent, for example Global Administrator.

Registering Apps

In this step you will register the FIDO Connector app and the FIDO Pre-reg Test Client (optional) for testing your deployment.

FIDO Connector App

To register the FIDO Connector App, do the following:

  1. Sign in to the Microsoft Entra admin center and expand the Entra ID section.
  2. Click App registrations.
  3. Click + New registration.
  4. Provide a descriptive Name, for example “Yubico FIDO Pre-reg Client App”.
  5. Select the appropriate Supported account types; this defines which accounts can sign in to the app or obtain tokens for the API. For this deployment, “Accounts in this organizational directory only (Single tenant)” is sufficient.
  6. Click Register.
  7. Under the Manage section for the app, click Expose an API.
  8. Click Add next to the Application ID URI.
  9. Edit the Application ID URI to a value like api://fido-connector-api.{verified domain name}.
    • The verified domain name can be either a custom domain that has been verified by the tenant, or you can use the default domain that ends with “.onmicrosoft.com”.
    • The Application ID URI identifies the API as a resource. Clients request the scope as this URI followed by the scope name (for example api://fido-connector-api.{verified domain name}/create_request), and tokens issued for the API carry the resource as the aud claim: the Application ID URI in v1.0 tokens, the API's Application (client) ID in v2.0 tokens. This value will be used in the ARM template for FIDO_Connector_Allowed_Audiences. The URI does not need to be resolvable, but should have a descriptive name.
    • Save the value of the URI for later use.
  10. Click Save.
  11. Under Manage > Expose an API, click + Add a scope and set the following:
    • For Scope name and Admin consent display name, enter “create_request”.
    • For Who can consent, select “Admins only”.
    • For the Admin consent description, enter “Allows Yubico FIDO Pre-reg requests”.
  12. Click Add scope.
  13. Under Manage, click Certificates & secrets.
  14. Click + New client secret.
  15. Provide a Description, for example “YFPR Service - Client Secret”, and use the recommended Expires option (180 days). Plan to rotate the secret before it expires and update the deployment with the new value.
  16. Click Add.
  17. Copy the secret's Value (the column next to Secret ID; the Secret ID itself is only an identifier and cannot be used as a credential) and save it for later use in the ARM template for the FIDO_Connector_Client_Secret. The Value is displayed only once, immediately after creation; if you leave the page without copying it, you must create a new secret.
  18. In the Microsoft Entra Admin center, click Overview for the FIDO Connector app.
  19. Save the Application (client) ID value for later use in the ARM template for the FIDO_Connector_Client_Id.

For more information, see Register an application with the Microsoft identity platform (Microsoft documentation).

FIDO Pre-reg Test Client

Registering this app is optional. However, the app is useful when testing direct calls to the FIDO Connector App. The application credentials created here can be used in a Postman test client or any other HTTP test client when testing the app deployment.

To register the FIDO Pre-reg Test Client app, do the following:

  1. Sign in to the Microsoft Entra admin center and expand the Entra ID section.
  2. Click App registrations.
  3. Click + New registration.
  4. Provide a descriptive Name like “Yubico FIDO Pre-reg Test Client” and click Register.
  5. Under Manage, select API permissions.
  6. Click + Add a permission.
  7. Click APIs my organization uses at the top.
  8. Search for the FIDO Connector API registered in the previous procedure (Credential-Container-API, listed under the Name you gave that app registration) and select it in the list.
  9. Under Delegated permissions, select create_request.
  10. Click Add permissions.
  11. Click Grant admin consent for {tenant} and confirm. Because the create_request scope allows admin consent only, the permission remains in the “Not granted” state until an administrator with a role that can grant tenant-wide consent (for example Global Administrator) grants it; this is the step referred to in the note at the start of this section.
  12. Under Manage, click Certificates & secrets.
  13. Click + New client secret.
  14. Provide a Description, for example “YFPR Service - Client Secret”, and use the recommended Expires option (180 days).
  15. Click Add.
  16. Copy the secret's Value (not the Secret ID) immediately; it is shown only once.

The app credentials you created here will be used later when testing the app deployment. For more information, see Testing the Deployment.
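The two registrations above (the FIDO Connector App and the FIDO Pre-reg Test Client), as an added example written for this page with Microsoft Graph PowerShell instead of the portal; it is not Yubico's own code or tooling. It assumes the Microsoft.Graph module is installed, that the signed-in account can create applications and grant tenant-wide admin consent, and that the placeholder domain contoso.onmicrosoft.com and the display names are replaced with your own. One difference from the portal: Graph does not create the service principal automatically, so the script creates it explicitly; without it the API would not appear under APIs my organization uses and consent could not be granted.

```powershell
# Added example: scripted equivalent of the two portal procedures above using
# Microsoft Graph PowerShell. Not part of the Yubico documentation.
# Assumptions: Microsoft.Graph module installed; the account used can create
# applications and grant tenant-wide admin consent; values marked "placeholder"
# are replaced with your own.

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'DelegatedPermissionGrant.ReadWrite.All' -NoWelcome

$verifiedDomain   = 'contoso.onmicrosoft.com'                   # placeholder: a verified domain of your tenant
$apiIdentifierUri = "api://fido-connector-api.$verifiedDomain"  # value for FIDO_Connector_Allowed_Audiences
$secretExpiry     = (Get-Date).AddDays(180)                     # matches the portal's recommended expiry

# --- FIDO Connector App: register, expose the API, add the create_request scope ---
$scopeId = [guid]::NewGuid().ToString()
$connectorParams = @{
    DisplayName    = 'Yubico FIDO Pre-reg Client App'
    SignInAudience = 'AzureADMyOrg'                              # "Single tenant" in the portal
    IdentifierUris = @($apiIdentifierUri)
    Api            = @{
        Oauth2PermissionScopes = @(
            @{
                Id                      = $scopeId
                Value                   = 'create_request'
                Type                    = 'Admin'                # "Who can consent: Admins only"
                AdminConsentDisplayName = 'create_request'
                AdminConsentDescription = 'Allows Yubico FIDO Pre-reg requests'
                IsEnabled               = $true
            }
        )
    }
}
$connector   = New-MgApplication @connectorParams
# The portal creates the service principal for you; Graph does not. Without it the
# API is not listed under "APIs my organization uses" and consent cannot be granted.
$connectorSp = New-MgServicePrincipal -AppId $connector.AppId

$connectorSecret = Add-MgApplicationPassword -ApplicationId $connector.Id -PasswordCredential @{
    DisplayName = 'YFPR Service - Client Secret'
    EndDateTime = $secretExpiry
}
# SecretText is the portal's "Value" column and is returned only by this call;
# KeyId is the "Secret ID", which identifies the credential but cannot be used as one.

# --- FIDO Pre-reg Test Client: register, request the delegated scope, grant consent ---
$testClientParams = @{
    DisplayName            = 'Yubico FIDO Pre-reg Test Client'
    SignInAudience         = 'AzureADMyOrg'
    RequiredResourceAccess = @(
        @{
            ResourceAppId  = $connector.AppId
            ResourceAccess = @(@{ Id = $scopeId; Type = 'Scope' })  # Scope = delegated permission
        }
    )
}
$testClient   = New-MgApplication @testClientParams
$testClientSp = New-MgServicePrincipal -AppId $testClient.AppId

# Tenant-wide admin consent for create_request (the portal's "Grant admin consent" button).
$grantParams = @{
    ClientId    = $testClientSp.Id
    ConsentType = 'AllPrincipals'
    ResourceId  = $connectorSp.Id
    Scope       = 'create_request'
}
New-MgOauth2PermissionGrant @grantParams | Out-Null

$testClientSecret = Add-MgApplicationPassword -ApplicationId $testClient.Id -PasswordCredential @{
    DisplayName = 'YFPR Service - Client Secret'
    EndDateTime = $secretExpiry
}

# Values needed later: the three ARM template parameters and the test client's credentials.
# Treat the secret values as credentials (store them in a vault; do not commit this output).
[pscustomobject]@{
    FIDO_Connector_Client_Id         = $connector.AppId
    FIDO_Connector_Allowed_Audiences = $apiIdentifierUri
    FIDO_Connector_Client_Secret     = $connectorSecret.SecretText
    TestClient_Client_Id             = $testClient.AppId
    TestClient_Client_Secret         = $testClientSecret.SecretText
}
```

Because create_request is a delegated scope, a token that carries it in the scp claim must be obtained on behalf of a signed-in user (for example with the authorization code or device code flow in Postman); a client-credentials token requested for api://fido-connector-api.{verified domain name}/.default contains no scp claim, since no application permissions (app roles) are defined on the API in this procedure.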