How-To: Set Up App Registrations for Automated Entra ID Administration

Overview

Background

To interact with Entra ID via automation or the command line without using personal user credentials, a Service Principal is required. Standard user accounts often have MFA or conditional access policies that interfere with headless automation; an App Registration provides a controlled, auditable, and secure method for programmatic access.

Before You Start

Configuration Steps

1. Register the Application:
   • Navigate to https://entra.microsoft.com> Entra ID > App Registrations > New Registration.
   • Enter a meaningful display name (e.g. AppName SSO).
   • Under Supported account types, select Accounts in this organisational directory only (Single tenant) unless multi-tenant access is required.
   • Leave the Redirect URI blank.
   • Click Register.
2. Generate Credentials:
   • Go to Certificates & secrets > Client secrets.
   • Create a new secret.
   • Give it a description for future reference.

Copy the secret Value immediately; it will be masked permanently once you leave the blade.

     3. Configure API Permissions:

1. • Go to API permissions > Add a permission > Microsoft Graph.
   • Select Application permissions.
   • Add Application.ReadWrite.All (for SSO/App config) and Directory.Read.All.
   • Select:, Grant admin consent for [Tenant].

    4.  Elevate via Directory Roles (Conditional):

Only perform this step if API permissions above result in "Access Denied" for specific administrative tasks.

• • • Navigate to Identity > Roles & admins.
    • Search for Cloud Application Administrator.
    • Select Add assignments and search for the Name of your App Registration to assign the role directly.

Automated / Script Option - PowerShell

# Define connection variables
$TenantId = "your-tenant-id"
$ClientId = "your-client-id"
$ClientSecret = "your-client-secret" | ConvertTo-SecureString -AsPlainText -Force

# Create credential object for non-interactive login
$Credential = New-Object System.Management.Automation.PSCredential($ClientId, $ClientSecret)

# Connect to Microsoft Graph using the App Registration
# This uses the Client Credentials flow
Connect-MgGraph -TenantId $TenantId -Credential $Credential

# Success Indicator: Retrieve Tenant details to verify connection
Get-MgOrganization | Select-Object DisplayName, Id

Script Breakdown

• Variable Definition: Stores the IDs and secrets generated in the portal. The secret is converted to a SecureString for compatibility with PowerShell credential objects.
• Connect-MgGraph: Establishes the session. Because a Credential object is passed, it bypasses the interactive browser login.
• Get-MgOrganization: A simple test command. If the terminal returns your organisation's name, the authentication was successful.

Troubleshooting

• Cause: The App Registration lacks the specific Graph API scope or the Directory Role required for the task.
• Fix: Ensure Admin Consent was clicked in the portal. If the error persists, assign the Cloud Application Administrator directory role to the app as detailed in the manual steps.

• Cause: An existing interactive session is active in the terminal.
• Fix: Run Disconnect-MgGraph before attempting to connect with the App Registration credentials.

Expected Outcome