Skip to main content

Creating an App Registration in Microsoft Entra

Required Role: Microsoft Azure Admin (Global Admin preferred)

To connect your tenant to Active Directory, you must first create an app registration.

  1. Log in to Microsoft Entra as an admin user (Global Admin is recommended).
  2. Navigate to Entra ID > App registrations.
  3. Click + New registration.
  4. Enter the following details:
    • Name: Use a clear, identifiable name (e.g., Barista-[TenantName])
    • Supported account types: Select Accounts in this organizational directory only to map to a directory in Microsoft Azure.
      • If this option is unavailable, you are not registering the app within a directory.
  5. Click Register.

From the Overview page, copy and securely save the following values (you will need them to setup the integration with Barista):

  • Application (client) ID
  • Directory (tenant) ID

Grant Permissions in Microsoft Graph

Required Role: Global Administrator

If you do not have this role, coordinate with a Global Admin to grant consent. The integration will not work without admin consent.

  1. Open your Barista app registration.
  2. Navigate to API permissions in the left menu (or search in the top search bar)
  3. Click + Add a permission.
  4. Select Microsoft Graph.
  5. Choose Application permissions.
  6. Add the following permissions:
    • Directory.Read.All
    • Files.ReadWrite.All
    • Group.Read.All
    • Sites.ReadWrite.All
    • User.Read.All
    • User.ReadBasic.All
  7. Click Add permissions.

Add delegated permissions:

  1. Click + Add a permission again.
  2. Select Microsoft Graph > Delegated permissions.
  3. Add the following:
    • email
    • offline_access
    • openid
    • profile
  4. Click Add permissions.
  5. Click Grant admin consent for [tenant name]

Assign Password Administrator Role

Required Role: Microsoft Azure Admin

note

This section is only required if Barista will perform password resets.

  1. Go to Microsoft Entra ID (previously called Azure Active Directory).
  2. Click Roles and administrators.
  3. Search for “password”.
  4. Click “Password administrator”.
  5. Click Add assignments.
  6. On the left side menu, search for your app registration name.
  7. Select the app registration listed.
  8. Click Add.

Create a Client Secret

Required Role: Microsoft Azure Admin

  1. Open your Barista app registration.
  2. Navigate to Certificates & secrets.
  3. Select the Client secrets tab.
  4. Click + New client secret.
  5. Enter:
    • Description: (e.g., Barista-[TenantName]-Secret)
    • Expiration: Set as required
  6. Click Add.

Copy and securely store the Client Secret value.

Important:

  • The Client Secret is shown only once.
  • If lost, you must delete and recreate it.
  • Use the value under the VALUE column, not the Secret ID. Using the Secret ID will cause the integration to fail.

Identify Your Azure Group

The Azure group determines which users receive proactive notifications, including the Welcome message, ITSM ticket updates, announcements, and approvals.

Users outside of this group can still interact with Barista, but will not receive proactive notifications.

  1. Navigate to Entra ID > Groups > All groups.
  2. Search for and select the appropriate group.

Supported group types:

  • Security Group
  • Mail-enabled Security Group
  • Distribution Group
  • Microsoft 365 Group
  1. Open Properties.
  2. Copy and save the Object ID. This will be required to complete the integration.