4.2 Create Application Registrations in Microsoft Entra ID

In your Entra ID Default Directory, create two application registrations: one for your database (resource) and one for SQL*Plus (client). This step establishes trust between your client application, database resource, and Microsoft Entra ID.

Note:

The Microsoft Entra portal interface may be updated over time. If a specific label or navigation path differs from the instructions provided here, look for the closest matching option.

4.2.1 Register the Database Resource

Register your database by creating an application in Microsoft Entra ID so that access tokens can be issued specifically for the database. Then expose the database application as a web API so that you can control which client applications may access it, and define the application-specific roles that govern user permissions.

  1. Create an application registration in Microsoft Entra ID to represent the database.
    1. Log in to the Microsoft Entra Portal.
    2. In the left navigation pane, expand Entra ID, click App registrations, and then click New registration.
    3. Perform the following tasks on the Register an application page:
      1. Enter OracleDB_Resource in the Name field.
      2. For Supported account types, select Single tenant only - Default Directory.
      3. Click Register.
      The application is successfully created for your database.
    4. From the application’s Overview page, copy and save the following values for later use:
      • Application (client) ID (referenced later as [DB_APP_ID]).
      • Directory (tenant) ID (referenced later as [TENANT_ID]).
  2. Expose the database application as a web API, and define a scope to control access for client applications.
    1. On the application’s Overview page, click Add an Application ID URI.
      The Expose an API page opens.
    2. Add an application ID URI.
      1. Click Add next to Application ID URI.
      2. In the panel that appears, update the default URI by replacing api:// with https://<your-entraID-domain>/, then click Save.

        The resulting application ID URI should resemble: https://supremo.onmicrosoft.com/fe58fefb-0925-4c8f-9b14-598a0d2f4552.

      3. Copy this URI for later use (referenced later as [DB_APP_ID_URI]).
    3. Add a scope.
      1. Under Scopes defined by this API, click Add a scope.
      2. In the panel that appears, enter the following information:
        • Scope name: sessions:scope:connect.
        • Who can consent: Select Admins and users.
        • Enter Access Oracle Database as the value in all remaining fields.
        • Click Add scope.
  3. Define application-specific roles in Entra ID to centrally manage job functions (for example, manager or employee).
    Later, you can create data roles in the database and map them to these roles.
    1. On the OracleDB_Resource application page, under Manage, click App roles.
      The App roles page opens.
    2. Click Create app role to create the Manager role:
      • Display name: Enter MANAGER.
      • Allowed member types: Select Users/Groups.
      • Value: Enter MANAGER.
      • Description: Enter Full access to all records.
      • Click Apply.
    3. Click Create app role to create the Employee role:
      • Display name: Enter EMPLOYEE.
      • Allowed member types: Select Users/Groups.
      • Value: Enter EMPLOYEE.
      • Description: Enter Access to own records only.
      • Click Apply.

4.2.2 Register the Client Application

Register SQL*Plus by creating an application in Microsoft Entra ID, and authorize it to request access tokens for your database on behalf of signed-in users.

  1. Create an application registration in Microsoft Entra ID to represent SQL*Plus.
    1. On the Microsoft Entra portal's Home page, click App registrations in the left navigation pane under Entra ID, and then click New registration.
    2. Perform the following tasks on the Register an application page:
      1. Enter SQLPlus_Client in the Name field.
      2. For Supported account types, select Single tenant only - Default Directory.
      3. Under Redirect URI, select Public client/native (mobile & desktop) from the drop-down field, and enter http://localhost.

        Note:

        This URI allows the browser to return the authentication token to SQL*Plus running on your local machine.
      4. Click Register.
      The application is successfully created for your client.
    3. From the application’s Overview page, copy and save the Application (client) ID (referenced later as [CLIENT_APP_ID]).
  2. Grant permissions to the client application.
    You must explicitly authorize the client application (SQLPlus_Client) to access the database application (OracleDB_Resource). This permission allows SQL*Plus to request valid authentication tokens on behalf of the signed-in user.
    1. On the SQLPlus_Client application page, under Manage, click API permissions, and then click Add a permission.
    2. Perform the following tasks on the Request API permissions panel:
      1. Click APIs my organization uses, and then click OracleDB_Resource.
      2. Select Delegated permissions and check the box for sessions:scope:connect.
      3. Click Add permissions.
      The permission is successfully added and appears on the API permissions page.
    3. Click Grant admin consent for Default Directory (or your specific directory name) to authorize the permissions, and select Yes in the confirmation dialog box.
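After both registrations are complete, a practical way to confirm that the values from 4.2.1 (tenant ID, database Application ID URI, scope, app roles) and 4.2.2 (client application ID, delegated permission with admin consent) actually line up is to inspect the claims of an access token that SQLPlus_Client obtained for OracleDB_Resource. The following script is an added example and is not part of Oracle's or Microsoft's documentation or tooling. It assumes the standard Entra ID access-token claim names (tid, aud, appid or azp, scp, roles) and uses placeholder strings for the saved [TENANT_ID], [DB_APP_ID_URI] and [CLIENT_APP_ID] values; the sample tokens it builds are constructed, unsigned strings for offline use, so it inspects claims only and does not verify the signature (the database does that when the token is presented).

```python
import base64
import json

# Values copied from the Entra portal in steps 4.2.1 and 4.2.2. The strings
# below are placeholders: substitute the saved [TENANT_ID], [DB_APP_ID_URI]
# and [CLIENT_APP_ID] values. The scope and role names are the ones defined
# in the registration steps above.
EXPECTED = {
    "tenant_id": "<TENANT_ID>",
    "db_app_id_uri": "https://<your-entraID-domain>/<DB_APP_ID>",
    "client_app_id": "<CLIENT_APP_ID>",
    "scope": "sessions:scope:connect",
    "roles": {"MANAGER", "EMPLOYEE"},
}


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore padding, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).

    The signature is NOT verified here: the database validates it against the
    tenant's signing keys when the token is presented. This helper is only for
    inspecting which claims Entra ID put in the token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token: str, expected: dict = EXPECTED) -> list:
    """Compare the token's claims with the registration values; return problems found."""
    claims = decode_claims(token)
    problems = []

    # tid: the token must come from the tenant in which both apps were registered.
    if claims.get("tid") != expected["tenant_id"]:
        problems.append(f"tid is {claims.get('tid')!r}, expected the registration tenant")

    # aud: the token must be issued for the database resource, i.e. the
    # Application ID URI set when the API was exposed in 4.2.1.
    if claims.get("aud") != expected["db_app_id_uri"]:
        problems.append(f"aud is {claims.get('aud')!r}, expected the database App ID URI")

    # appid (v1.0 tokens) or azp (v2.0 tokens): the requesting client must be
    # the SQLPlus_Client registration from 4.2.2.
    requester = claims.get("appid") or claims.get("azp")
    if requester != expected["client_app_id"]:
        problems.append(f"requesting client is {requester!r}, expected SQLPlus_Client")

    # scp: the delegated scope added under API permissions and admin-consented.
    # A permission that was added but never consented does not appear here.
    scopes = set(claims.get("scp", "").split())
    if expected["scope"] not in scopes:
        problems.append(f"scope {expected['scope']} missing from scp {sorted(scopes)}")

    # roles: app roles assigned to the user; anything outside the defined set
    # is a surprise, and no role at all means the user was never assigned one.
    roles = set(claims.get("roles", []))
    unknown = roles - expected["roles"]
    if unknown:
        problems.append(f"unexpected app roles in token: {sorted(unknown)}")
    if not roles:
        problems.append("no app role in token: the user has not been assigned MANAGER or EMPLOYEE")

    return problems


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string for offline testing only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "signature-not-verified"])


# Constructed sample claims shaped like an Entra ID v1.0 access token.
GOOD_CLAIMS = {
    "aud": EXPECTED["db_app_id_uri"],
    "tid": EXPECTED["tenant_id"],
    "appid": EXPECTED["client_app_id"],
    "scp": "sessions:scope:connect",
    "roles": ["MANAGER"],
    "upn": "user@<your-entraID-domain>",
}
# Same user, but the token was requested for a different audience and the
# delegated scope is absent (for example, admin consent was never granted).
BAD_CLAIMS = dict(GOOD_CLAIMS, aud="api://some-other-app", scp="")

GOOD_TOKEN = make_sample_token(GOOD_CLAIMS)
BAD_TOKEN = make_sample_token(BAD_CLAIMS)

if __name__ == "__main__":
    for name, tok in (("good", GOOD_TOKEN), ("bad", BAD_TOKEN)):
        print(name, check_token(tok) or "all claims match the registration")
```

To use it against a real token, paste the access token SQL*Plus received into check_token() after filling in the placeholder values in EXPECTED. An empty result means the token was issued by the right tenant, for the database's Application ID URI, to the SQLPlus_Client registration, with the consented sessions:scope:connect scope and one of the defined app roles; each entry in a non-empty result names the registration step to revisit.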