5.3 Create Application Registrations in Microsoft Entra ID

In your Microsoft Entra ID directory, create two application registrations: one for the database and one for the Spring Boot application. This step establishes trust between the application, the database resource, and Microsoft Entra ID.

Note:

The Microsoft Entra portal interface may be updated over time. If a specific label or navigation path differs from the instructions provided here, look for the closest matching option.

5.3.1 Register the Database Resource

Register your database by creating an application in Microsoft Entra ID so that access tokens can be issued specifically for the database. Subsequently, expose this application registration as a web API to manage client access, and define a scope to control which applications can request database-access tokens.

  1. Create an application registration in Microsoft Entra ID to represent the database.
    1. Log in to the Microsoft Entra Portal.
    2. In the left navigation pane, expand Entra ID, click App registrations, and then click New registration.
    3. Perform the following tasks on the Register an application page:
      1. Enter EmployeeRecordsDB in the Name field.
      2. For Supported account types, select Single tenant only - Default Directory.
      3. Click Register.
      The application is successfully created for your database.
    4. From the application’s Overview page, copy and save the following values for later use:
      • Application (client) ID (referenced later as [DB_APP_ID]).
      • Directory (tenant) ID (referenced later as [TENANT_ID]).
  2. Expose the database's application registration as a web API, and define a scope to control access for client applications.
    1. On the application’s Overview page, click Add an Application ID URI.
      The Expose an API page opens.
    2. Add an application ID URI.
      1. Click Add next to Application ID URI.
      2. In the panel that appears, update the default URI by replacing api:// with https://<your-entraID-domain>/, then click Save.

        The resulting application ID URI should resemble: https://supremo.onmicrosoft.com/fe58fefb-0925-4c8f-9b14-598a0d2f4552.

      3. Copy this URI for later use (referenced later as [DB_APP_ID_URI]).
    3. Add a scope.
      1. Under Scopes defined by this API, click Add a scope.
      2. In the panel that appears, enter the following information:
        • Scope name: sessions:scope:connect.
        • Who can consent: Select Admins and users.
        • Enter Access Oracle Database as the value in all remaining fields.
      Click Add scope.

5.3.2 Register the Spring Boot Application

Register the Spring Boot application by creating an application in Microsoft Entra ID and authorize it to request access tokens for your database.

This application serves two purposes: it is a confidential client that authenticates to Entra ID using a client secret, and it is also the resource server that end users authenticate against when calling the API. The application role defined on this registration flows into the user’s JWT roles claim, which the database reads to activate the matching data role.

  1. Create an application registration in Microsoft Entra ID to represent the Spring Boot application.
    1. On the Microsoft Entra portal's Home page, click App registrations in the left navigation pane under Entra ID, and then click New registration.
    2. Perform the following tasks on the Register an application page:
      1. Enter EmployeeRecordsAPI in the Name field.
      2. For Supported account types, select Single tenant only - Default Directory.
      3. Under Redirect URI, select Web from the drop-down field, and enter http://localhost:3000.
      4. Click Register.
      The application is successfully created for your Spring Boot application.
    3. From the application’s Overview page, copy and save the Application (client) ID (referenced later as [EMP_RECORDS_APP_ID]).
  2. Set the application ID URI.
    This makes EmployeeRecordsAPI a resource, allowing users and other applications to request tokens scoped to it.
    1. On the application’s Overview page, click Add an Application ID URI.
    2. Perform the following tasks on the Expose an API page:
      1. Click Add next to Application ID URI.
      2. In the panel that appears, accept the default value api://<your-app-id>, then click Save.
      3. Copy this URI for later use (referenced later as [EMP_RECORDS_APP_ID_URI]).
  3. Expose a delegated scope so that end users can request access tokens for the Spring Boot API.
    This scope ensures that the access token issued to the user includes their identity and application role assignments. Perform the following tasks on the Expose an API page:
    1. Under Scopes defined by this API, click Add a scope.
    2. In the panel that appears, enter the following information:
      1. Scope name: Enter access_as_user.
      2. Who can consent: Select Admins and users.
      3. Enter Access EmployeeRecordsAPI as the value in all remaining fields.
      Click Add scope.
  4. Create a client secret.
    A client secret is the application’s password. The Spring Boot application uses it to authenticate to Entra ID when requesting database-scoped access tokens.
    1. On the EmployeeRecordsAPI application page, under Manage, click Certificates & secrets.
      The Certificates & secrets page opens.
    2. Click New client secret and enter the following details:
      • Enter a description; for example, employee-records-api-secret.
      • Set an expiry period according to your organization’s policy.
      Click Add.
    3. Copy the secret's Value immediately; it is shown only once. Save it as [CLIENT_SECRET].
  5. Grant permissions to the Spring Boot application.
    You must explicitly authorize the application (EmployeeRecordsAPI) to request tokens scoped to the database resource (EmployeeRecordsDB).
    1. On the EmployeeRecordsAPI application page, under Manage, click API permissions, and then click Add a permission.
    2. Perform the following tasks on the Request API permissions panel:
      1. Click APIs my organization uses, and then click EmployeeRecordsDB.
      2. Select Delegated permissions and check the box for sessions:scope:connect.
      3. Click Add permissions.
      The permission is successfully added and appears on the API permissions page.
    3. Click Grant admin consent for Default Directory (or your specific directory name) to authorize the permissions, and select Yes in the confirmation dialog box.
  6. Define application roles in Entra ID to manage job functions.
    The application role is how user permissions flow into the JWT. When a user is assigned the EMPLOYEE role, that string appears in their token's roles claim. The database reads it and activates the matching data role.
    1. On the EmployeeRecordsAPI application page, under Manage, click App roles.
      The App roles page opens.
    2. Click Create app role and enter the following details:
      • Display name: Enter EMPLOYEE.
      • Allowed member types: Select Users/Groups.
      • Value: Enter EMPLOYEE.
      • Description: Enter Employee role with own-record access.
      Click Apply.
  7. Authorize the application as a client of the database application.
    1. In the breadcrumb trail at the top of the page, click App registrations.
    2. On the App registrations page, click the database registration, EmployeeRecordsDB.
    3. Under Manage, click Expose an API.
    4. In the Authorized client applications section, click Add a client application.
    5. In the panel that appears, enter the following details:
      1. Paste the application (client) ID of EmployeeRecordsAPI ([EMP_RECORDS_APP_ID]).
      2. Select the database scope (sessions:scope:connect).
      Click Add application.
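As an added check (example code, not part of this tutorial and not Oracle's or Microsoft's code), the following Python inspects the claims of an access token against what 5.3.1 (audience and scope) and 5.3.2 (app role) were configured to produce: aud should be [DB_APP_ID_URI], scp should contain sessions:scope:connect, and roles should contain EMPLOYEE. The token is constructed inline and unsigned so the script runs offline; the decoder deliberately skips signature verification, so this is a configuration sanity check only, not a token validator. The helper names and the [TENANT_ID] placeholder are assumptions; the URI is the sample value shown in 5.3.1.

```python
"""Check that an Entra ID access token carries the claims the EmployeeRecordsDB
and EmployeeRecordsAPI registrations in 5.3 were configured to issue.

Added example, not code from the tutorial. The token is constructed and
unsigned; claims are read WITHOUT signature verification (inspection only).
"""
import base64
import json

# Values from the registrations in 5.3 (the URI is the page's sample value).
DB_APP_ID_URI = "https://supremo.onmicrosoft.com/fe58fefb-0925-4c8f-9b14-598a0d2f4552"
DB_SCOPE = "sessions:scope:connect"
EMPLOYEE_ROLE = "EMPLOYEE"


def _b64url_encode(obj: dict) -> str:
    """JSON-encode a dict and base64url-encode it without padding (JWT style)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> dict:
    """Reverse of _b64url_encode: restore padding, decode, parse JSON."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def make_constructed_token(aud: str, scp: str, roles: list) -> str:
    """Build an unsigned, constructed JWT so the check can run offline.
    The tid value is a labelled placeholder, not a real tenant ID."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": aud, "scp": scp, "roles": roles, "tid": "[TENANT_ID]"}
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}."


def claims_of(token: str) -> dict:
    """Return the payload claims without verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return _b64url_decode(parts[1])


def check_db_token(token: str) -> list:
    """Return a list of mismatches against the 5.3 configuration; empty means OK."""
    problems = []
    claims = claims_of(token)
    # aud must be the database registration's Application ID URI (5.3.1, step 2).
    if claims.get("aud") != DB_APP_ID_URI:
        problems.append(f"aud is {claims.get('aud')!r}, expected {DB_APP_ID_URI!r}")
    # scp is a space-separated string; the delegated scope from 5.3.1, step 3 must be present.
    scopes = set(claims.get("scp", "").split())
    if DB_SCOPE not in scopes:
        problems.append(f"scp lacks {DB_SCOPE!r}")
    # roles is a JSON array; the app role from 5.3.2, step 6 must be present.
    if EMPLOYEE_ROLE not in claims.get("roles", []):
        problems.append(f"roles lacks {EMPLOYEE_ROLE!r}")
    return problems


if __name__ == "__main__":
    good = make_constructed_token(DB_APP_ID_URI, DB_SCOPE, [EMPLOYEE_ROLE])
    print("good token:", check_db_token(good) or "OK")
    # A token issued for the API registration itself rather than the database:
    # wrong audience, wrong scope, and no EMPLOYEE role.
    bad = make_constructed_token("api://[EMP_RECORDS_APP_ID]", "access_as_user", [])
    for problem in check_db_token(bad):
        print("bad token:", problem)
```

Run it after completing 5.3 and paste a real token in place of the constructed one only for inspection; the database and the Spring Boot resource server must still validate the signature against the tenant's signing keys before trusting any of these claims.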