Application (app) registrations are entries in AzureAD that are used to provide cloud-based authentication for applications, for example when using Open ID Connect. This is an advanced subject that requires some in-depth technical knowledge. We recommend you familiarise yourself with app registrations using Microsoft’s developer documentation.
App registrations in Toolkit are split into two categories, institutional and personal. If no institution is selected, a list of personal registrations is shown. If a single institution is selected, you can add and edit app registrations for that institution. If you are not an owner of the app registration, you can only view the details.
You can add, edit, delete and export registrations via the buttons at the top right of the Application Registrations page.
Add an application registration
To add an app registration, select ‘Add’ at the top of the Application Registrations page to open a drawer where you can specify the initial details for a new registration.
View the selected application registration
To view an app registration, double-select the app registration entry in the available list.
Edit the selected application registration
To edit an app registration, select ‘Edit’ at the top of the Application Registrations page or double-select an entry. A drawer will open with details of the registration.
Display name
The display name is the name of the application registration. It will be displayed as part of the authentication process.
Move an application (if you are an institutional admin)
App registrations you have created will appear in your list of personal app registrations.
The button next to the display name allows you to move an application between a personal application and an institutional application. When moving an application to an institution select the destination institution first using the dropdown.
Description
This is not visible to users
Disable application registration login
Ticking this option will block users from authenticating using this app registration
Require group membership
Ticking this option will require authenticating users to be members of at least one of the groups associated with the app registration This option is 'on' by default for new application registrations. The list of associated groups can be found in the 'Configuration' tab.
Secrets
A client secret is a password your application uses to ensure that only it can access the app registration. Multiple secrets can be present simultaneously, and all are equally valid. Select ‘Add’ to enter a display name and a lifetime of the secret (up to a maximum of 24 months). After a short delay, the secret value will be displayed. This is the only time these values will be displayed, so you must make a note of them before closing the window.
Reply URLs
A reply URL is required to allow the app registration to redirect a user's browser back to your application after authentication. More than one URL is allowed. Each URL can refer to a web app (WEB) or a single-page application (SPA). Select ‘Add’ to specify the type and value of the new entry.
URLs must be HTTPS unless they refer to localhost.
Owners
A registration can have multiple owners. Owners can view and edit the registration via Toolkit. By default, the current Toolkit user will be assigned as an owner, but additional users can be added. There must always be at least one owner.
Delete selected application
After confirmation, this will permanently remove the specified application from Azure.
Graph API Permissions tab
Displays the currently assigned API permissions. Toolkit applies a minimal set of permissions by default.
Configuration tab
Displays information for configuring your application to use this registration. The group assignments section details the group IDs which will be returned as a GUID in the claims.
The default groups returned are:
| Group Name | Description |
|---|---|
| azure-users-staff | listed in the CHRIS data feed as a current member of university staff* |
| azure-users-students | listed in the CamSIS data feed as a current student* |
| azure-users-alumni | all alumni accounts (with a UPN of <crsid>@cantab.ac.uk) |
| azure-users-cam-upn | all regular user accounts (with a UPN of <crsid>@cam.ac.uk). Roughly equivalent to the list of users authenticated by the old ucam-webauth protocol. |
| azure-user-guests | all guest accounts in Azure (external users invited to Teams or SharePoint) |
| azure-users-all | all accounts in Azure |
* a user may be in both the CamSIS and CHRIS data feeds
App manifest tab
Displays a definition of all the attributes of the current application object in Azure