# Azure App Registration

{% hint style="info" %}
Only relevant for [Split-Tenancy](/azure-configuration/split-tenancy.md) setups.
{% endhint %}

SCEPman needs to talk to your Azure Active Directory and Intune endpoints to validate certificate requests and to answer OCSP queries for users and devices. To grant SCEPman those permissions you create an App Registration in your tenant and give SCEPman its Application ID and a client secret.

## Generate App Registration (get Application ID)

1. Login to [Azure Portal](https://portal.azure.com)
2. Navigate to **Azure Active Directory**
3. Click **App registrations**

![](/files/-MfH6y_XFUm45AwIZEyy)

4\. Click **New registration** and enter a **name**, e.g. SCEPman. For the supported account type choose **Accounts in this organizational directory only** and click **Register**.

![](/files/-MfH7Ed37h2L137C6VLU)

5\. Copy the **Application (client) ID** now; the SCEPman deployment needs it later.

![](/files/-MfH7XZycUEjhAcSj35b)

Create a new application setting on the SCEPman App Service named [AppConfig:AuthConfig:ApplicationId](/scepman-configuration/application-settings/dependencies-azure-services/azure-ad.md#appconfig-authconfig-applicationid) and paste the copied Application (client) ID as its value.

## Generate Secret (get Client Secret Value)

1\. Stay within the app registration and click **Certificates & secrets**.

![](/files/-MfH7o-eH7gfqR5pN6_c)

2\. Click **New client secret**, add a description and choose the expiration. We recommend **24 months**, which keeps the service running for two years before the secret must be rotated. Note the expiry date so you can create and roll over to a new secret before the old one expires; SCEPman loses access to Azure AD and Intune once it does. You can revoke a secret at any time. Click **Add**.

![](/files/-MfHBtimIqsGBl90NUIa)

3\. **Copy the secret value** and store it in a secure place.

{% hint style="warning" %}
Do not confuse it with the client secret **ID**. SCEPman needs the client secret **Value**.
{% endhint %}

{% hint style="warning" %}
Copy the client secret value immediately. You will not be able to retrieve it after you leave this submenu.
{% endhint %}

![](/files/bPw2k8DDcgtki8yLBCA9)

4. Create the SCEPman setting [AppConfig:AuthConfig:ApplicationKey](/scepman-configuration/application-settings/dependencies-azure-services/azure-ad.md#appconfig-authconfig-applicationkey) with the client secret value.

## Configure Permissions

Stay within the app registration and click **API permissions**.

1. **Remove** the default delegated **User.Read** permission. SCEPman authenticates as an application, so it needs application permissions only.

![](/files/-M-9TVCAmrCJoJxQ-aJu)

2\. Click **Add a permission** and choose **Microsoft Graph**. Select **Application permissions** (not Delegated permissions) and search for "directory". Add **Directory.Read.All**.

![](/files/-MCkOEGZjGfZzetmMBlQ)

![](/files/-M-9UK8Cb-CtV_lQchYj)

3\. Click **Add a permission** again and choose **Intune**. Select **Application permissions** and search for "scep". Add **scep\_challenge\_provider**.

![](/files/-M-9UvMNcGjQpTrjZCNi)

![](/files/-M-9UyM5IEFKZ9Tabzvp)

4. Search for and add the following Microsoft Graph application permissions as well: `DeviceManagementConfiguration.Read.All` and `DeviceManagementManagedDevices.Read.All`.
5. Finally, click **Grant admin consent** and **confirm** the consent for the app registration. Until consent is granted, the permissions are only requested, not effective.

<figure><img src="/files/ZuavHg1gUygqjOR7yXoG" alt=""><figcaption></figcaption></figure>

6. After consent has been granted, every permission should show a green status.

<figure><img src="/files/hXfREQL5qfAIV1d2vLAb" alt=""><figcaption></figcaption></figure>

The app registration is done.
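The three sections above as one repeatable Azure CLI script, added here as an example; it is not SCEPman's own tooling. It assumes `az` is logged in as an administrator who may grant tenant-wide admin consent, that `RESOURCE_GROUP` and `WEBAPP` are placeholders for your SCEPman App Service, and that `c161e42e-d4df-4a3d-9b42-e7a3c31f59d4` is the well-known application ID of the Microsoft Intune API service principal (verify it under Enterprise applications before relying on it). Permission IDs are resolved by name from the resource service principals, so none are hard-coded.

```shell
#!/bin/sh
# Added example, not SCEPman's own tooling: the portal steps above as Azure CLI.
# Assumes `az login` was done by an admin who may grant tenant-wide consent.
set -eu

APP_NAME="${APP_NAME:-SCEPman}"                 # display name of the new registration
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-scepman}"  # placeholder: resource group of the SCEPman App Service
WEBAPP="${WEBAPP:-scepman}"                     # placeholder: name of the SCEPman App Service

GRAPH="00000003-0000-0000-c000-000000000000"    # Microsoft Graph, well-known application ID
INTUNE="c161e42e-d4df-4a3d-9b42-e7a3c31f59d4"   # Microsoft Intune API; assumed well-known ID, verify under Enterprise applications

# Application permissions (app roles) the page requires; no delegated scopes.
GRAPH_ROLES="Directory.Read.All DeviceManagementConfiguration.Read.All DeviceManagementManagedDevices.Read.All"
INTUNE_ROLES="scep_challenge_provider"

# Resolve an app-role value (e.g. Directory.Read.All) to its ID on the resource's service principal,
# so no permission GUIDs are hard-coded here.
role_id() { az ad sp show --id "$1" --query "appRoles[?value=='$2'].id | [0]" -o tsv; }

# `az ad app permission add` wants "<id>=Role" for application permissions ("<id>=Scope" would be delegated).
role_arg() { printf '%s=Role\n' "$1"; }

# Print every required role value ($1, space separated) absent from the granted list ($2, one per line).
missing_roles() {
  local r missing=""
  for r in $1; do
    printf '%s\n' "$2" | grep -qxF "$r" || missing="$missing $r"
  done
  printf '%s\n' "${missing# }"
}

create_registration() {
  local app_id secret r
  # "Generate App Registration": AzureADMyOrg == "Accounts in this organizational directory only".
  app_id=$(az ad app create --display-name "$APP_NAME" --sign-in-audience AzureADMyOrg --query appId -o tsv)
  # "Generate Secret": 2 years matches the recommended 24 months; `password` is the secret VALUE, not its ID.
  secret=$(az ad app credential reset --id "$app_id" --years 2 --display-name "scepman-$(date +%Y-%m)" --query password -o tsv)
  # "Configure Permissions": application permissions on Graph and Intune, then admin consent.
  for r in $GRAPH_ROLES; do
    az ad app permission add --id "$app_id" --api "$GRAPH" --api-permissions "$(role_arg "$(role_id "$GRAPH" "$r")")" -o none
  done
  for r in $INTUNE_ROLES; do
    az ad app permission add --id "$app_id" --api "$INTUNE" --api-permissions "$(role_arg "$(role_id "$INTUNE" "$r")")" -o none
  done
  az ad app permission admin-consent --id "$app_id" -o none
  # Write both SCEPman settings straight to the App Service instead of pasting them into the portal.
  az webapp config appsettings set -g "$RESOURCE_GROUP" -n "$WEBAPP" -o none --settings \
    "AppConfig:AuthConfig:ApplicationId=$app_id" \
    "AppConfig:AuthConfig:ApplicationKey=$secret"
  echo "$app_id"
}

# Role values actually consented for the registration ($1 = application ID), one per line;
# this is the CLI view of the green status column in the portal.
granted_roles() {
  local sp ids r
  sp=$(az ad sp show --id "$1" --query id -o tsv)
  ids=$(az rest --method GET --url "https://graph.microsoft.com/v1.0/servicePrincipals/$sp/appRoleAssignments" \
        --query "value[].appRoleId" -o tsv)
  for r in $GRAPH_ROLES;  do printf '%s\n' "$ids" | grep -qxF "$(role_id "$GRAPH"  "$r")" && echo "$r"; done
  for r in $INTUNE_ROLES; do printf '%s\n' "$ids" | grep -qxF "$(role_id "$INTUNE" "$r")" && echo "$r"; done
  return 0
}

# Usage: sh scepman-app-reg.sh apply   (without "apply" the script only defines the functions above)
if [ "${1:-}" = "apply" ]; then
  app_id=$(create_registration)
  missing=$(missing_roles "$GRAPH_ROLES $INTUNE_ROLES" "$(granted_roles "$app_id")")
  if [ -n "$missing" ]; then echo "consent missing for: $missing" >&2; exit 1; fi
  echo "app registration $app_id done; all permissions consented"
fi
```

The secret value goes from the CLI output into the App Service setting without ever being pasted, but it is still passed as a command-line argument on the machine running the script, so run it from a trusted workstation. Check the expiry with `az ad app credential list --id <appId> --query "[].endDateTime"` and roll the secret before the 24 months are up.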

