TABLE OF CONTENTS

• Application Registrations for ILAP Analytics
• 1. Create UI Application Registration
  • Additional Configuration:
• 2. Create API Application Registration
• 3. Define Application Roles
• 4. Expose API
• 5. Add API Permissions to UI App
  • Adding Microsoft Graph Permissions:
  • Adding API Permission for UI
• 6. Add Desktop Platform for IDE Client
• 7. Assign Application Owners
• 8. Add Users to Enterprise Applications
• Checklist

Application Registrations for ILAP Analytics

This guide explains how to configure application registrations for ILAP Analytics in your Corporate Entra ID. These registrations enable authentication, authorization, and API connectivity between the ILAP Analytics components.

1. Create UI Application Registration

Follow these steps to register the user interface (UI) application:

1. Go to App Registrations in your Corporate Entra ID
   

2. Click New Registration.

3. Enter a name for the application and select:

   • Accounts in this organizational directory only.

4. For the Redirect URI, select Single-page application and enter your web application’s URL.

Additional Configuration:

5. Click Authentication in the left menu, the click Add a platform and configure settings.

6. Enable Public client follow in the platform settings.

2. Create API Application Registration

Register the API application for backend operations:

1. Go to App Registrations in your Corporate Entra ID.

2. Click New Registration.

3. Enter a name for the API application and select:

   • Accounts in this organizational directory only.

3. Define Application Roles

Add roles to manage permissions for different user groups:

1. Navigate to the API Application Registration.

2. Select App Roles from the left menu and create and enable

3. the following roles:

   Display name	Value	Description	Allowed member types
   Admins	Administrator	Can read/write data and manage metadata.	Users/Groups
   Writer	DataWriter	Can write data but cannot modify metadata.	Both (Users/Groups + Appications)
   Reader	DataReader	Can only read data.	Both (Users/Groups + Appications)

   
   
   
   

4. Expose API

Expose the API to enable connectivity between the UI and backend:

1. Navigate to Expose an API.

2. Add an Application ID URI:

   • Click Add and use the default value. Click save.

3. Add API Scopes:

   • user_impersonation: Allows the UI to act on behalf of signed-in users.

   • read: Grants read-only access.

     Scope name	Who can consent?	Admin consent display name	Admin consent description	User consent display name	User consent description	State
     user_impersonation	Admins and users	Access ilap-ilapanalytics-api-dev	Allow the application to access app-ilapanalytics-api-dev on behalf of the signed-in user.	Access ilap-ilapanalytics-api-dev	Allow the application to access app-ilap-analytics-api-dev on your behalf.	Enabled
     read	Admins and users	Read ilap analytics data	Read ilap analytics data	Read ilap analytics data	Read ilap analytics data	Enabled

     
     

5. Add API Permissions to UI App

Grant API access to the UI application:

1. Go to the UI Application Registration.

2. Select API Permissions > Add a permission.
   

3. Choose APIs my organization uses and find the API you just registered.

4. Assign delegated permissions:user_impersonation

   • This allows the UI to access the API on behalf of users.

Adding Microsoft Graph Permissions:

5. Under API Permissions, click Add a permission → Microsoft Graph → Delegated Permissions.

6. Select:

   • email: Access user email addresses.

   • offline_access: Maintain access to data you have given access to

   • openid: Enable user sign-in.

   • profile: Access user basic profile information.

Adding API Permission for UI

7. Under API Permissions, click Add a permission → APIs my organization uses and select the API you exposed in step 4.

8. Select:

   • read

   • user_impersonation

9. Click Grant admin consent to approve these permissions for all users in your organization.

   Granting admin consent ensures seamless access for all users without manual approvals during sign-in.

6. Add Desktop Platform for IDE Client

If using the IDE desktop client (e.g., ILAP Adapter), configure the redirect URI:

1. Go to the UI Application Registration.

2. Under Authentication, add a new platform:

   • Select Mobile and Desktop Applications.

     
     
     

   • Add the redirect URI: http://localhost/oauth2/callback.

7. Assign Application Owners

To ensure proper management, assign owners to the applications:

1. Go to the Application Registration Overview.

2. Select Owners > Add Owners.

3. Choose at least one (preferably two) permanent employee.

8. Add Users to Enterprise Applications

Grant users or groups access to the application:

1. Go to Enterprise Applications in Entra ID.

2. Search for the API application (e.g., "ILAP Analytics API").
   

3. Select Users and Groups > Add User/Group.
   

4. Assign users or groups to one of the defined roles (Admins, Writers, Readers).

Checklist

• Registered UI and API Applications in Entra ID.

• Defined App Roles for Admins, Writers, and Readers.

• Exposed API and configured API Scopes.

• Added API permissions to the UI application and granted admin consent.

• Configured a desktop platform (if applicable).

• Assigned application owners and added users/groups.