Securing Applications with Microsoft Entra ID (Azure AD)

Implement authentication and authorization using MSAL and Microsoft Entra ID — covering app registrations, OAuth 2.0 flows, and API permissions for the AZ-204 security domain.

# Securing Applications with Microsoft Entra ID (Azure AD)

*This article is Part 3, Chapter 3.1 of the **AZ-204 Exam Refresher** series. We open the security domain by covering identity — how your apps authenticate users and call protected APIs using Microsoft Entra ID (formerly Azure Active Directory) and MSAL.*

---

## Introduction

Every application eventually needs to answer the question: *who is this user, and what are they allowed to do?* In the Azure ecosystem, that answer runs through **Microsoft Entra ID** — the identity platform that underpins Microsoft 365, Azure, and your own custom apps.

The exam doesn't expect you to be an OAuth 2.0 RFC expert, but it does expect you to know how to register an application, acquire tokens, and protect your APIs. These are skills you'll use constantly in production.

---

## Core Concepts

### App Registrations

An **app registration** is your application's identity card in Entra ID. You create one to tell the identity platform: "this app exists, here's what it needs access to." Every app registration gets:

- **Application (client) ID** — the app's unique identifier, used in all OAuth flows
- **Directory (tenant) ID** — which Entra tenant this app belongs to
- **Client credentials** — either a secret or a certificate for confidential clients

```bash
# Register an app via CLI
az ad app create --display-name "MyApi" --sign-in-audience "AzureADMyOrg"

# Add a client secret (replace <app-id> with the Application (client) ID returned by the command above)
az ad app credential reset --id <app-id> --years 1
```
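As an added example (not code from the article or from Microsoft's SDKs), here is the claim check a protected API should perform against its own app registration values: the Application (client) ID as audience, the Directory (tenant) ID in the issuer and `tid` claims, the token lifetime, and the delegated scope or application role. The IDs and claims are constructed placeholders, and the check assumes the hosting framework has already verified the token's RS256 signature against the tenant's published signing keys.

```python
import time
from typing import Optional

# Constructed sample values (not real identifiers): the API's Application
# (client) ID and Directory (tenant) ID from its app registration.
API_CLIENT_ID = "11111111-2222-3333-4444-555555555555"
TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

# Constructed claims of the kind a v2.0 access token for this API carries.
SAMPLE_CLAIMS = {
    "aud": "api://" + API_CLIENT_ID,
    "iss": "https://login.microsoftonline.com/" + TENANT_ID + "/v2.0",
    "tid": TENANT_ID,
    "nbf": 1_700_000_000,
    "exp": 1_700_003_600,
    "scp": "Orders.Read Orders.Write",
}


def check_entra_claims(claims: dict, client_id: str, tenant_id: str,
                       required_scope: Optional[str] = None,
                       required_role: Optional[str] = None,
                       now: Optional[float] = None, skew: int = 300) -> Optional[str]:
    """Return None when the claims are acceptable for this API, else the reason.
    Only meaningful after the token's signature has been verified."""
    now = time.time() if now is None else now
    # 1. Audience: the token must be minted for this API, not for another app.
    #    Entra sets aud to the client ID or the App ID URI (api://<client-id>).
    if claims.get("aud") not in (client_id, "api://" + client_id):
        return "audience mismatch"
    # 2. Issuer and tenant: v2.0 tokens use this issuer format; checking tid
    #    keeps a single-tenant API from accepting tokens from other tenants.
    if claims.get("iss") != "https://login.microsoftonline.com/" + tenant_id + "/v2.0":
        return "unexpected issuer"
    if claims.get("tid") != tenant_id:
        return "unexpected tenant"
    # 3. Lifetime, allowing a small clock skew in both directions.
    if claims.get("exp", 0) + skew < now:
        return "token expired"
    if claims.get("nbf", 0) - skew > now:
        return "token not yet valid"
    # 4. Permissions: delegated permissions arrive in scp (space-separated),
    #    application permissions in roles (a list).
    if required_scope and required_scope not in claims.get("scp", "").split():
        return "missing scope " + required_scope
    if required_role and required_role not in claims.get("roles", []):
        return "missing app role " + required_role
    return None


if __name__ == "__main__":
    print(check_entra_claims(SAMPLE_CLAIMS, API_CLIENT_ID, TENANT_ID, "Orders.Read", now=1_700_001_000))
```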