7.2 Register the Application in Microsoft Entra ID

The application serves as both a confidential client (authenticating to Entra ID with a client secret) and a resource server that end users authenticate against.

Application roles defined on this registration flow into the user's JWT roles claim, which Oracle AI Database reads to activate the corresponding data roles.

  1. Create a registration for your application.
    1. On the Microsoft Entra portal's Home page, click App registrations in the left navigation pane under Entra ID, and then click New registration.
    2. Perform the following tasks on the Register an application page:
      1. Enter a name for the registration in the Name field; for example, HCM APP.
      2. For Supported account types, select Single tenant only - Default Directory.
      3. Under Redirect URI, select Web from the drop-down field, and enter http://localhost:3000.
      4. Click Register.
      The application is successfully created.
    3. From the application’s Overview page, copy and save the application (client) ID.
      You'll use this value to configure your application properties.
  2. Set the application ID URI.
    This step makes the application a resource, allowing users and other applications to request tokens scoped to it.
    1. On the application’s Overview page, click Add an Application ID URI.
    2. Perform the following tasks on the Expose an API page:
      1. Click Add next to Application ID URI.
      2. In the panel that appears, accept the default value api://<your-app-id>, then click Save.
      3. Copy this URI for later use.
  3. Expose a delegated scope so that end users can request access tokens for the application.
    This scope ensures that the access token issued to the user includes their identity and application role assignments. Perform the following tasks on the Expose an API page:
    1. Under Scopes defined by this API, click Add a scope.
    2. In the panel that appears, enter the following information:
      • Scope name: Enter user_access.
      • Who can consent: Select Admins and users.
      • Enter Access HCM APP as the value in all remaining fields.
      • State: Leave Enabled selected.
      Click Add scope.
  4. Create a client secret.
    The application uses a client secret to authenticate to Entra ID when requesting database-scoped access tokens.
    1. On the HCM APP application page, under Manage, click Certificates & secrets.
      The Certificates & secrets page opens.
    2. Click New client secret and enter the following details:
      • Enter a description; for example, hcm-app-secret.
      • Set an expiry period according to your organization’s policy.
      Click Add.
    3. Copy and save the Value column immediately; it is displayed only once.
  5. Grant permissions to the application.
    The application needs permission to request tokens scoped to the database resource (OracleDB_Resource).
    1. On the HCM APP application page, under Manage, click API permissions, and then click Add a permission.
    2. Perform the following tasks on the Request API permissions panel:
      1. Click APIs my organization uses, and then click OracleDB_Resource.
      2. Select Delegated permissions and check the box for sessions:scope:connect.
      3. Click Add permissions.

      The permission is successfully added and appears on the API permissions page.

    3. Click Grant admin consent for Default Directory (or your specific directory name) to authorize the permission, and select Yes in the confirmation dialog box.
  6. Define application roles.
    Application roles control how user permissions flow into the JWT token. When a user is assigned an application role (for example, MANAGER), that value appears in the token’s roles claim. Oracle AI Database reads this claim and activates the matching data role.
    1. On the HCM APP application page, click App roles under Manage.
    2. On the App roles page, click Create app role, and enter the following details:
      • Display name: Enter a name for the role; for example, MANAGER.
      • Allowed member types: Select Users/Groups.
      • Value: Enter a value; for example, MANAGER.
      • Description: Enter a description for the role.
      Click Apply.

      Repeat this step to add as many roles as needed.

  7. Authorize the application as a client of the database.
    1. At the top of the page, locate the breadcrumb trail and click App registrations.
    2. On the App registrations page, click the database registration, OracleDB_Resource.
    3. Under Manage, click Expose an API.
    4. Under the Authorized client applications section, click Add a client application.
    5. In the panel that appears, enter the following details:
      1. Paste the application (client) ID of HCM APP.
      2. Select the database scope.
      Click Add application.

You have now configured the application as both a resource server and a client. It is equipped with a client secret, application roles, delegated permissions, and database pre-authorization.
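As an added check that is not part of these Oracle instructions, the following Python example inspects an access token and verifies the claims the steps above are meant to produce: the database resource as audience, the sessions:scope:connect delegated scope, and a non-empty roles claim carrying the application role. The token, signing key and audience value are constructed placeholders; a real Entra ID token is RS256-signed and must be validated against the tenant's published signing keys rather than a shared secret.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    # Constructed test token only. Entra ID issues RS256 tokens signed with
    # tenant keys; HS256 with a local key is used so this runs offline.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_hs256_jwt(token: str, key: bytes) -> dict:
    # Reject the token before reading any claim if the signature is wrong.
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("JWT signature check failed")
    return json.loads(_b64url_decode(body))


def check_db_token(claims: dict, expected_aud: str, required_scope: str, now=None) -> list:
    """Return the list of problems; an empty list means the token carries what the database needs."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") != expected_aud:
        problems.append(f"aud is {claims.get('aud')!r}, expected {expected_aud!r}")
    # scp is a space-separated string of delegated scopes; roles is a list of app role values.
    if required_scope not in claims.get("scp", "").split():
        problems.append(f"scp lacks {required_scope}")
    if not claims.get("roles"):
        problems.append("roles claim missing or empty: no data role would be activated")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


# Constructed sample values; <database-app-id> is a placeholder for OracleDB_Resource's client ID.
SAMPLE_KEY = b"constructed-local-test-key"
SAMPLE_CLAIMS = {"aud": "api://<database-app-id>", "scp": "sessions:scope:connect",
                 "roles": ["MANAGER"], "preferred_username": "user@example.com",
                 "exp": 1_700_003_600}
```

Run `check_db_token(verify_hs256_jwt(token, key), "api://<database-app-id>", "sessions:scope:connect")` against a token from your own tenant after swapping in RS256 verification; a non-empty list points at the step above that was skipped.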

See also:

Configure an application to expose a web API in the Microsoft identity platform documentation.