When integrating Azure API Management (APIM) with an identity provider such as Azure Active Directory (Azure AD, since renamed Microsoft Entra ID; the portal paths below use the older name), developers must obtain specific credentials and configuration values. These are the Client ID, Client Secret, Scope, and Authorization URL.
This document describes each parameter and provides step-by-step instructions for retrieving them.
1. Key Authentication Parameters
Client ID
The unique identifier assigned to your application (client) when you register it in Azure AD.
Used by APIM and by Azure AD to identify which registered application is requesting tokens. It is not a secret: it appears in browser redirects and can be shared freely.
Client Secret
A confidential key generated for your registered application.
Functions as the "password" for your application when it authenticates to the token endpoint, for example when exchanging an authorization code for tokens. It belongs only in a confidential (server-side) client; never embed it in browser or mobile code.
Scope
Defines the specific permissions or resources the client is requesting access to.
Typically in one of two formats:
api://<application-id>/scope_name (a custom scope exposed on your own API; the api://<application-id> prefix is the app's default Application ID URI)
or https://graph.microsoft.com/.default (Microsoft Graph; the special .default scope requests every permission that has already been granted to the app for that resource).
Authorization URL
The endpoint to which clients are redirected to authenticate and obtain an authorization code. The token endpoint used to redeem that code is the same URL with /token in place of /authorize.
Standard format:
https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize
2. Steps to Retrieve Credentials
Step 1 – Register the Application in Azure AD
Sign in to the Azure Portal (https://portal.azure.com).
Navigate to Azure Active Directory → App registrations.
Click New registration.
Provide:
Name: (e.g., "APIM Client App").
Supported account types: Choose based on organizational needs. "Accounts in this organizational directory only" (single tenant) is the least-privilege choice; widen it only if users from other tenants or personal accounts must sign in.
Redirect URI: Provide the redirect URL your APIM configuration expects (e.g., https://<your-apim-service>.developer.azure-api.net/signin). Azure AD rejects authorization requests whose redirect_uri does not match a registered value exactly, including scheme, host, and path.
Click Register.
📌 Result: The application is created, and its Overview page shows the Application (client) ID together with the Directory (tenant) ID of the directory it was registered in.
Step 2 – Get the Client ID
From the newly created App Registration page, copy the Application (client) ID.
This will be your Client ID.
Step 3 – Generate the Client Secret
Go to the Certificates & secrets section of your App Registration.
Under Client secrets, click New client secret.
Enter a description and select an expiration period. Choose the shortest period you can operate with and schedule rotation before it lapses; an expired secret silently breaks every token exchange.
Click Add.
Copy the generated Value immediately — this is your Client Secret. Store it in a secret store (for example Azure Key Vault, or an APIM named value marked as a secret), not in source control or configuration files.
⚠️ You won't be able to see it again after leaving the page; if it is lost, generate a new secret and delete the old one.
Step 4 – Define Scopes (If Applicable)
In the Expose an API section of your registered application:
Click Add a scope.
Define the scope name, who can consent (admins only, or admins and users), and the admin consent display name and description.
Example scope:
api://<client-id>/user_impersonation
📌 If integrating with Microsoft APIs (e.g., Microsoft Graph), you can use predefined scopes such as https://graph.microsoft.com/.default.
Step 5 – Get the Authorization URL
Construct the authorization endpoint:
https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize
Replace <tenant-id> with your Directory (tenant) ID (found in Azure AD → Overview).
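To show what the four values described in section 1 and collected in Steps 1–5 are actually used for, the following Python script is an added example (not code from the original page) that runs the OAuth 2.0 authorization-code flow with PKCE against the Azure AD v2.0 endpoints. Every tenant ID, client ID, secret, redirect URI and code below is a placeholder; it assumes the token endpoint at https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token, which the page does not list, and it makes no network request unless you uncomment the final line.

```python
"""Authorization-code flow with PKCE using the Client ID, Client Secret,
Scope and Authorization URL collected above.

Added example, not from the original page. All identifiers are placeholders.
"""
import base64
import hashlib
import secrets
import urllib.parse

AUTHORITY = "https://login.microsoftonline.com"


def authorize_url(tenant_id: str) -> str:
    # Authorization URL exactly as constructed in Step 5.
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize"


def token_url(tenant_id: str) -> str:
    # Token endpoint: the authorize endpoint's counterpart (assumed here; the
    # page lists only the authorize endpoint).
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token"


def new_code_verifier() -> str:
    # RFC 7636 verifier: 43 unreserved characters derived from 32 random bytes.
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def code_challenge(verifier: str) -> str:
    # S256 challenge: BASE64URL(SHA256(verifier)) without padding.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(tenant_id, client_id, redirect_uri, scopes, state, code_verifier):
    # Only the Client ID goes into this browser-visible request; the secret never does.
    # Azure AD v2 rule: all scopes in one request must belong to a single resource.
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,  # CSRF binding, verified in parse_callback
        "code_challenge": code_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    return authorize_url(tenant_id) + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect back to redirect_uri."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if "error" in query:
        desc = query.get("error_description", [""])[0]
        raise ValueError(f"authorization failed: {query['error'][0]}: {desc}")
    state = query.get("state", [""])[0]
    if not state or not state.isascii() or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: this callback was not initiated by our session")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def build_token_request(tenant_id, client_id, client_secret, redirect_uri, code, code_verifier):
    """Return (url, form-encoded body) for redeeming the code; send it server-side only."""
    body = {
        "client_id": client_id,
        "client_secret": client_secret,  # Step 3 value; confidential client only
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the registered URI exactly
        "code_verifier": code_verifier,  # proves this client started the flow
    }
    return token_url(tenant_id), urllib.parse.urlencode(body).encode("ascii")


if __name__ == "__main__":
    # Placeholder values standing in for the four parameters from the page.
    TENANT_ID = "00000000-0000-0000-0000-000000000000"
    CLIENT_ID = "11111111-1111-1111-1111-111111111111"
    CLIENT_SECRET = "<client-secret-from-step-3>"
    REDIRECT_URI = "https://<your-apim-service>.developer.azure-api.net/signin"
    SCOPES = [f"api://{CLIENT_ID}/user_impersonation"]

    state = secrets.token_urlsafe(16)
    verifier = new_code_verifier()
    print("1. Send the user to:")
    print("  ", build_authorization_url(TENANT_ID, CLIENT_ID, REDIRECT_URI, SCOPES, state, verifier))

    # Constructed callback, shaped like the redirect Azure AD issues after sign-in.
    callback = REDIRECT_URI + "?" + urllib.parse.urlencode({"code": "AUTH_CODE_PLACEHOLDER", "state": state})
    code = parse_callback(callback, state)

    url, body = build_token_request(TENANT_ID, CLIENT_ID, CLIENT_SECRET, REDIRECT_URI, code, verifier)
    print("2. POST to", url)
    print("   body:", body.decode().replace(urllib.parse.quote_plus(CLIENT_SECRET), "***"))
    # import urllib.request; urllib.request.urlopen(urllib.request.Request(url, data=body, method="POST"))
```

The split between build_authorization_url and build_token_request mirrors where each value may live: the Client ID, scope and authorization URL are safe in the user's browser, while the Client Secret and code_verifier are only ever sent from the server to the token endpoint. The state check rejects callbacks that were not started by this session, and PKCE means a stolen authorization code cannot be redeemed without the verifier.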
3. Summary of Values
Parameter | Where to Find It |
Client ID | Azure AD → App registrations → <your app> → Overview → Application (client) ID |
Client Secret | Azure AD → App registrations → <your app> → Certificates & secrets → Client secrets → Value (shown only once, at creation) |
Scope | Azure AD → App registrations → <your app> → Expose an API → defined scopes (or a Microsoft Graph scope such as https://graph.microsoft.com/.default) |
Authorization URL | Constructed as https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize, with <tenant-id> taken from Azure AD → Overview → Directory (tenant) ID |