# Register a custom web app in Microsoft Entra ID

> Register a custom web application in Microsoft Entra ID for user authentication.

Users can sign in to the web app using their browser and the acquired token.

<a id="register-a-custom-web-app" />

## Register a custom web app

<Steps>
  <Step title="Sign in to the Azure portal">
    Sign in to the [Azure portal](https://portal.azure.com) as an admin.
  </Step>

  <Step title="Select a tenant">
    If you have access to multiple tenants, use the Directory + subscription filter in the top menu to select the tenant in which you want to register an application.
  </Step>

  <Step title="Select Microsoft Entra ID">
    Search for and select **Microsoft Entra ID**.
  </Step>

  <Step title="Navigate to New registrations">
    Under **Manage**, select **App registrations** > **New registrations**.
  </Step>

  <Step title="Select name and type">
    Specify the **name** and select an **account type**. Select the first option unless your organization's preferences specify otherwise.
  </Step>

  <Step title="Select redirect URI">
    Under **Redirect URI (optional)**, select **Web** and specify the **redirect URI**. Typically, this is the URL of your web app, or `localhost` for development. You can add more **redirect URIs** under **Manage** > **Authentication**.
  </Step>

  <Step title="Select Register">
    <Frame>
      <img src="https://apps-cdn.cogniteapp.com/@cognite/docs-portal-images/1.0.0/images/cdf/access/azure_reg_app_custom_web.png" alt="Register an application " width="80%" />
    </Frame>

    Under **Overview**, you can copy and make a note of the **Application (client) ID**. You need this value for authentication.
  </Step>
</Steps>

<a id="create-a-client-secret" />

## Create a client secret

<Steps>
  <Step title="Navigate to New client secret">
    Under **Manage**, select **Certificates & secrets** > **New client secret**.
  </Step>

  <Step title="Configure the client secret">
    Enter a description and select how long the client secret will be valid. Then, select **Add**.
  </Step>

  <Step title="Copy the client secret">
    Copy and make a note of the client secret in the **Value** field.

    <Info>
      Make sure you copy this value now. This value will be hidden after you leave this page.
    </Info>

    <Frame>
      <img src="https://apps-cdn.cogniteapp.com/@cognite/docs-portal-images/1.0.0/images/cdf/integrations/transformations/oidc_client_secret.png" alt="OIDC Client secret " width="80%" />
    </Frame>
  </Step>
</Steps>

<a id="configure-api-permissions" />

## Configure API permissions

<Steps>
  <Step title="Navigate to API permissions">
    Under **Manage**, select **API permissions**. The Microsoft Graph `User.Read` permissions should already be selected.
  </Step>

  <Step title="Select the Cognite API">
    Select **+ Add a permission**. In the side panel, open the **APIs my organization uses** tab, and select the Cognite API, for example `westeurope-1`.
  </Step>

  <Step title="Select application permissions">
    For **Delegated permissions**, select the required permissions for your application, for example `user_impersonation`. Delegated permissions only filter the permissions a user already has through group memberships; they don't add any permissions.

    To use the [token inspection endpoint](/api-reference/concepts/20230101/tokens), select `IDENTITY`.

    Learn more about the available permissions [here](/cdf/access/concepts/access_token_scopes).
  </Step>

  <Step title="Add permissions">
    Select **Add permissions**. The API permissions should look similar to this:

    <Frame>
      <img src="https://apps-cdn.cogniteapp.com/@cognite/docs-portal-images/1.0.0/images/cdf/access/azure_api_perms_user_impersionation.png" alt="API permissions " width="80%" />
    </Frame>
  </Step>

  <Step title="Grant admin consent">
    Select **Grant admin consent for...** and confirm that you want to make the new list of permissions active.
  </Step>
</Steps>
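
How the values collected above (Application (client) ID, client secret, redirect URI and the `user_impersonation` delegated permission) fit into an OAuth 2.0 authorization code sign-in against the Microsoft identity platform. This is an added example, not code from the Cognite documentation; the tenant ID, client ID, redirect path and the scope string format are constructed placeholders or assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders, not real identifiers.
TENANT_ID = "00000000-0000-0000-0000-000000000000"   # Directory (tenant) ID
CLIENT_ID = "11111111-1111-1111-1111-111111111111"   # Application (client) ID
REDIRECT_URI = "http://localhost:3000/callback"      # must match a registered URI exactly
# Assumed scope format: <Cognite API base URL>/<delegated permission>
SCOPE = "https://westeurope-1.cognitedata.com/user_impersonation"
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0"


def new_state() -> str:
    """Unguessable per-sign-in value; keep it in the user's server-side session."""
    return secrets.token_urlsafe(32)


def build_authorize_url(state: str) -> str:
    """URL the browser is redirected to so the user can sign in."""
    params = {
        "client_id": CLIENT_ID, "response_type": "code",
        "redirect_uri": REDIRECT_URI, "response_mode": "query",
        "scope": SCOPE, "state": state,
    }
    return f"{AUTHORITY}/authorize?{urlencode(params)}"


def code_from_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code; reject error responses and state mismatches."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"sign-in failed: {query['error'][0]}")
    returned = query.get("state", [""])[0]
    if not hmac.compare_digest(returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard this response")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    return query["code"][0]


def build_token_request(code: str, client_secret: str) -> tuple[str, dict]:
    """Endpoint and form body for the server-side POST that redeems the code."""
    body = {
        "grant_type": "authorization_code", "client_id": CLIENT_ID,
        "client_secret": client_secret,  # load from a secret store, never from source
        "code": code, "redirect_uri": REDIRECT_URI, "scope": SCOPE,
    }
    return f"{AUTHORITY}/token", body
```

The token request is sent only from the web app's back end, so the client secret never reaches the browser.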
