$ ~/registry/skill/microsoft-plugin-skills-entra-app-registration

SKILL

entra-app-registration

指导完成 Microsoft Entra ID 应用注册、OAuth 配置与 MSAL 接入。

来源

GitHub

更新于

2026-06-07

// 安全评估低风险

仅提示词，不执行代码
开源可审计

正在进行安全审计…

凭证密钥
网络外发
代码执行
数据访问
来源供应链

// 安装

复制安装指令，让 AI 自动完成配置 · 推荐新手

请帮我安装 askskill 上的 "entra-app-registration" 技能：
1. 下载 https://raw.githubusercontent.com/microsoft/GitHub-Copilot-for-Azure/main/plugin/skills/entra-app-registration/SKILL.md
2. 保存为 ~/.claude/skills/entra-app-registration/SKILL.md
3. 装好后重载技能，告诉我可以用了

// 下载

下载 SKILL.md机读安装清单 ↗

// 用法示例

创建应用注册

输入

请指导我在 Microsoft Entra ID 中创建一个新的应用注册，用于内部 Web 应用登录。请说明重定向 URI、支持的账户类型，以及创建后需要记录哪些关键信息。

预期产出

分步骤的应用注册流程，包括配置项说明和需要保存的客户端与租户信息。

配置 API 权限与同意

输入

我需要让应用调用 Microsoft Graph 读取用户基本信息。请告诉我该添加哪些 API 权限、委托权限和应用权限的区别，以及管理员同意应如何处理。

预期产出

清晰的权限配置建议，包含权限类型区别、推荐项和管理员同意说明。

生成 MSAL 控制台示例

输入

请给我一个使用 MSAL 的 C# 控制台应用示例，实现用户登录并获取访问令牌来调用 Microsoft Graph。请列出依赖包、关键配置项和示例代码结构。

预期产出

可参考的 MSAL 控制台示例方案，含依赖、配置说明和主要代码框架。

// 文档

Overview

Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud-based identity and access management service. App registrations allow applications to authenticate users and access Azure resources securely.

Key Concepts

Concept	Description
App Registration	Configuration that allows an app to use Microsoft identity platform
Application (Client) ID	Unique identifier for your application
Tenant ID	Unique identifier for your Azure AD tenant/directory
Client Secret	Password for the application (confidential clients only)
Redirect URI	URL where authentication responses are sent
API Permissions	Access scopes your app requests
Service Principal	Identity created in your tenant when you register an app

Application Types

Type	Use Case
Web Application	Server-side apps, APIs
Single Page App (SPA)	JavaScript/React/Angular apps
Mobile/Native App	Desktop, mobile apps
Daemon/Service	Background services, APIs

Core Workflow

Step 1: Register the Application

Create an app registration in the Azure portal or using Azure CLI.

Portal Method:

Navigate to Azure Portal → Microsoft Entra ID → App registrations
Click "New registration"
Provide name, supported account types, and redirect URI
Click "Register"

CLI Method: See references/cli-commands.md IaC Method: See references/BICEP-EXAMPLE.bicep

It's highly recommended to use the IaC to manage Entra app registration if you already use IaC in your project, need a scalable solution for managing lots of app registrations or need fine-grained audit history of the configuration changes.

Step 2: Configure Authentication

Set up authentication settings based on your application type.

Web Apps: Add redirect URIs, enable ID tokens if needed
SPAs: Add redirect URIs, enable implicit grant flow if necessary
Mobile/Desktop: Use http://localhost or custom URI scheme
Services: No redirect URI needed for client credentials flow

Step 3: Configure API Permissions

Grant your application permission to access Microsoft APIs or your own APIs.

Common Microsoft Graph Permissions:

User.Read - Read user profile
User.ReadWrite.All - Read and write all users
Directory.Read.All - Read directory data
Mail.Send - Send mail as a user

Details: See references/api-permissions.md

Step 4: Create Client Credentials (if needed)

For confidential client applications (web apps, services), create a client secret, certificate or federated identity credential.

Client Secret:

Navigate to "Certificates & secrets"
Create new client secret
Copy the value immediately (only shown once)
Store securely (Key Vault recommended)

Certificate: For production environments, use certificates instead of secrets for enhanced security. Upload certificate via "Certificates & secrets" section.

Federated Identity Credential: For dynamically authenticating the confidential client to Entra platform.