Create a Custom Azure App

To create a custom app, follow the steps below:

  1. Go to Microsoft Entra admin center (or Microsoft Azure portal).

  2. Navigate to Identity > Applications > App registrations > New registration (or Microsoft Entra ID > App registrations > New registration).

  3. On the Register an application page, enter your application’s registration information:

  4. Click Register to create the custom application.

  5. Click the created custom application and click API permissions.

  6. Click Add a permission to add permissions to the app.

    The permissions that you need to grant to the custom app vary with the different cloud services your tenant is using. Refer to the API Permissions Required by Custom Apps section to view the required permissions for your services.

    Note the following:

    • If you create a custom Azure app with delegated permissions, you also need to configure additional settings; refer to the Additional Notes for Azure Apps with Delegated Permissions section below.

    • If you need to add permissions from Office 365 Exchange Online API, refer to Add Permissions of Office 365 Exchange Online API.

  7. Click Grant admin consent for [Tenant name] to grant admin consent. After you have successfully granted admin consent for the requested permissions, the Status will be Granted for [Tenant name].

    Granting admin consent for the requested permissions.

  8. The application uses certificate authentication. Complete the following steps to upload your organization’s public certificate (.cer or .crt file types are recommended):

    NOTE

    If your organization does not have any certificates, you can refer to Prepare a Certificate for the Custom Azure App to prepare a self-signed certificate.

    1. Locate your organization’s certificate and export the certificate as a .cer or .crt file.

    2. Go to Microsoft Entra admin center (or Microsoft Azure portal), select the application, and click Certificate & secrets.

    3. In the Certificates section, click Upload certificate.

    4. Select the .cer or .crt file and click Add.

    5. After the certificate file is successfully uploaded, it will be listed in the Certificates section.

Then, refer to the Consent to Custom Azure Apps section to create an app profile in the Custom mode. If necessary, you can also refer to the Configure a Best Practice Conditional Access Policy for Custom Apps in Azure section.
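The portal steps above, expressed with the Microsoft Graph PowerShell SDK, as an added example (this is not AvePoint's or Microsoft's code). It registers the app, declares one application permission, uploads the public certificate, creates the service principal and grants admin consent. The app name, certificate path and the permission value (User.Read.All on Microsoft Graph) are assumptions for illustration; use the permissions your services require.

```powershell
# Added example (not AvePoint's or Microsoft's code): registers a custom app, adds one
# application permission, uploads a public certificate, creates the service principal and
# grants tenant-wide admin consent, using the Microsoft Graph PowerShell SDK.
# Assumptions: the Microsoft.Graph module is installed; you sign in as an admin who can
# create applications and grant consent; the name, certificate path and permission value
# below are illustrative placeholders.

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All'

$displayName     = 'Custom App for AvePoint Online Services'   # assumed name
$certificatePath = 'C:\certs\custom-app.cer'                   # assumed path to your public certificate
$resourceAppId   = '00000003-0000-0000-c000-000000000000'      # Microsoft Graph (well-known appId)
$permissionValue = 'User.Read.All'                             # illustrative; replace with what your services need

# Resolve the application permission (app role) id from the resource's service principal
# instead of hardcoding a GUID.
$resourceSp = Get-MgServicePrincipal -Filter "appId eq '$resourceAppId'"
$appRole    = $resourceSp.AppRoles |
    Where-Object { $_.Value -eq $permissionValue -and $_.AllowedMemberTypes -contains 'Application' }
if (-not $appRole) { throw "Application permission '$permissionValue' not found on $($resourceSp.DisplayName)" }

# Load the certificate; only RawData (the DER-encoded public certificate) is uploaded.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certificatePath)
if ($cert.HasPrivateKey) { throw 'Upload the public certificate (.cer/.crt) only, never a file that carries the private key' }

# Steps 2-4 and 6: register the app with its permission; step 8: attach the certificate.
$app = New-MgApplication -DisplayName $displayName -SignInAudience 'AzureADMyOrg' `
    -RequiredResourceAccess @(
        @{ ResourceAppId  = $resourceAppId
           ResourceAccess = @( @{ Id = $appRole.Id; Type = 'Role' } ) }   # Type 'Role' = application permission
    ) `
    -KeyCredentials @(
        @{ Type = 'AsymmetricX509Cert'; Usage = 'Verify'; Key = $cert.RawData; DisplayName = $cert.Subject }
    )

# Consent is recorded on the service principal, so create it before granting anything.
$sp = New-MgServicePrincipal -AppId $app.AppId

# Step 7: admin consent for an application permission is an appRoleAssignment from the
# app's own service principal to the resource's app role.
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
    -ResourceId $resourceSp.Id -AppRoleId $appRole.Id | Out-Null

# Verify: these assignments are what the portal's Status column reflects, and the
# KeyCredentials entry is what the Certificates section lists.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
    Select-Object ResourceDisplayName, AppRoleId
(Get-MgApplication -ApplicationId $app.Id).KeyCredentials |
    Select-Object DisplayName, StartDateTime, EndDateTime
"Application (client) ID: $($app.AppId)"
```

The app role is looked up by its Value on the resource's service principal rather than pasted as a GUID, which keeps the script readable and avoids granting the wrong role by a copy error; the private-key guard exists because the portal accepts only the public part of the certificate and the SDK would happily upload whatever RawData it is given.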

Additional Notes for Azure Apps with Delegated Permissions

To create a custom Azure app with delegated permissions, refer to the instructions in the Create a Custom Azure App section above. A custom Azure app with delegated permissions also requires a Redirect URI and ID tokens; refer to the following instructions to configure these settings:

  1. Go to Microsoft Entra admin center (or Microsoft Azure portal).

  2. Navigate to Identity > Applications > App registrations (or Microsoft Entra ID > App registrations), and then click the app that you want to configure.

  3. Click Authentication in the left pane.

  4. On the Authentication page, follow the instructions below based on your scenario:

    • If the Redirect URIs setting is not displayed on the Authentication page, refer to the steps below:

      1. Click Add a platform.

      2. In the Configure platforms right pane, click Web.

      3. In the Configure Web right pane, enter a URL in the Redirect URIs field based on the version of your AOS environment, select the ID tokens option, and click Configure.

        NOTE

        If the ID tokens option has been selected on the Authentication page, it will not be displayed in the Configure Web pane.

      4. Below are the URLs of different AOS environments:

        Configuring Redirect URIs and ID tokens settings.

    • If the Redirect URIs setting is displayed on the Authentication page, refer to the steps below:

      1. Click Add URI, and then enter a URL in the field below based on the version of your AOS environment.

      2. Below are the URLs of different AOS environments:

      3. Select the ID tokens option.

      4. Click Save.

Configuring Redirect URIs and ID tokens settings.
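The same Authentication settings applied with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original page or AvePoint's own tooling. It appends a Web redirect URI to whatever the app already has (so it covers both scenarios above), enables ID token issuance, and records the admin consent that delegated permissions need. The app Object ID, the redirect URL and the scope value (User.Read on Microsoft Graph) are placeholders; use the URL for your AOS environment and the delegated permissions you actually added.

```powershell
# Added example (not AvePoint's or Microsoft's code): configures Redirect URIs and ID tokens
# for an existing custom app with delegated permissions, then grants admin consent for its
# delegated scopes. Assumptions: Microsoft.Graph module installed; $appObjectId is the Object
# ID of the app created in the Create a Custom Azure App steps; the redirect URI and scope
# value are placeholders.

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'DelegatedPermissionGrant.ReadWrite.All'

$appObjectId   = '<APP-OBJECT-ID>'                      # placeholder
$redirectUri   = 'https://<your-aos-environment-url>'   # placeholder: the URL for your AOS version
$resourceAppId = '00000003-0000-0000-c000-000000000000' # Microsoft Graph
$scopeValues   = 'User.Read'                            # illustrative; space-separated delegated permissions you added

# Redirect URIs must be HTTPS (the portal enforces this too); fail early otherwise.
if ($redirectUri -notmatch '^https://') { throw "Redirect URI must use https: $redirectUri" }

$app = Get-MgApplication -ApplicationId $appObjectId

# Both scenarios on the Authentication page: keep existing URIs and add the new one once.
$uris = @(@($app.Web.RedirectUris) + $redirectUri | Select-Object -Unique)

# The Web platform with its Redirect URIs, and the ID tokens checkbox, which maps to
# web.implicitGrantSettings.enableIdTokenIssuance. Access tokens stay disabled.
Update-MgApplication -ApplicationId $app.Id -Web @{
    RedirectUris          = $uris
    ImplicitGrantSettings = @{ EnableIdTokenIssuance = $true; EnableAccessTokenIssuance = $false }
}

# Step 7 for delegated permissions: admin consent is an oauth2PermissionGrant with
# consentType AllPrincipals, recorded on the app's service principal.
$sp         = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
$resourceSp = Get-MgServicePrincipal -Filter "appId eq '$resourceAppId'"
if (-not $sp) { throw 'Service principal not found; create it (New-MgServicePrincipal) first' }
New-MgOauth2PermissionGrant -BodyParameter @{
    clientId    = $sp.Id
    consentType = 'AllPrincipals'
    resourceId  = $resourceSp.Id
    scope       = $scopeValues
} | Out-Null

# Verify what the Authentication page would now show.
$saved = Get-MgApplication -ApplicationId $app.Id
$saved.Web.RedirectUris
"ID tokens enabled: $($saved.Web.ImplicitGrantSettings.EnableIdTokenIssuance)"
```

Update-MgApplication replaces the whole web object, which is why the existing RedirectUris are read back and merged first; dropping a URI another integration relies on would break its sign-in silently.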

Add Permissions of Office 365 Exchange Online API

After you click Add a permission on the API permissions page, follow the steps below to add Office 365 Exchange Online API permissions.

  1. Click the APIs my organization uses tab on the Request API permissions panel.

  2. Enter keywords (e.g., Office 365 Exchange Online) in the search box.

  3. Select Office 365 Exchange Online from the displayed drop-down list.

    Select Office 365 Exchange Online.

  4. Select required permissions to add to your app.

    Select required permissions to add to your app.
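The equivalent of this search-and-select flow in the Microsoft Graph PowerShell SDK, as an added example (not AvePoint's or Microsoft's code). It finds the Office 365 Exchange Online API among the tenant's service principals by display name, confirms it is the genuine one by its well-known appId, and merges the chosen application permission into the app's existing permission list instead of overwriting it. The app Object ID and the permission value are placeholders, since the page leaves the permission choice to the service you use.

```powershell
# Added example (not AvePoint's or Microsoft's code): adds a permission from the Office 365
# Exchange Online API to an existing custom app, the scripted form of the "APIs my
# organization uses" search above. Assumptions: Microsoft.Graph module installed;
# $appObjectId is the Object ID of your custom app; $permissionValue is a placeholder for
# the application permission your service requires.

Connect-MgGraph -Scopes 'Application.ReadWrite.All'

$appObjectId     = '<APP-OBJECT-ID>'                       # placeholder
$permissionValue = '<PERMISSION-VALUE>'                    # placeholder: an application permission listed under Exchange Online
$exchangeAppId   = '00000002-0000-0ff1-ce00-000000000000'  # well-known appId of Office 365 Exchange Online

# Steps 1-3: locate the API by name, then check the appId so a similarly named
# service principal cannot be picked by mistake.
$exchangeSp = Get-MgServicePrincipal -Filter "displayName eq 'Office 365 Exchange Online'"
if (-not $exchangeSp -or $exchangeSp.AppId -ne $exchangeAppId) {
    throw 'Office 365 Exchange Online service principal not found or appId mismatch'
}

# Step 4: resolve the chosen application permission (app role) by its value.
$appRole = $exchangeSp.AppRoles | Where-Object { $_.Value -eq $permissionValue }
if (-not $appRole) { throw "Permission '$permissionValue' not found on Office 365 Exchange Online" }

# Update-MgApplication replaces the whole requiredResourceAccess collection, so rebuild the
# current list as plain hashtables and merge the new access into it.
$app = Get-MgApplication -ApplicationId $appObjectId
$required = @($app.RequiredResourceAccess | ForEach-Object {
    @{ ResourceAppId  = $_.ResourceAppId
       ResourceAccess = @($_.ResourceAccess | ForEach-Object { @{ Id = $_.Id; Type = $_.Type } }) }
})
$entry = $required | Where-Object { $_.ResourceAppId -eq $exchangeAppId }
if ($entry) {
    # Resource already present: add the role only if it is not there yet.
    if (-not ($entry.ResourceAccess | Where-Object { $_.Id -eq $appRole.Id })) {
        $entry.ResourceAccess += @{ Id = $appRole.Id; Type = 'Role' }
    }
} else {
    $required += @{ ResourceAppId = $exchangeAppId; ResourceAccess = @(@{ Id = $appRole.Id; Type = 'Role' }) }
}

Update-MgApplication -ApplicationId $app.Id -RequiredResourceAccess $required

# Admin consent (step 7 of the main procedure) is still required after this change.
(Get-MgApplication -ApplicationId $app.Id).RequiredResourceAccess | ForEach-Object {
    "$($_.ResourceAppId): $(($_.ResourceAccess | ForEach-Object { "$($_.Id) ($($_.Type))" }) -join ', ')"
}
```

Declaring the permission only changes the app's manifest; nothing is effective until an administrator grants consent, which is why the listing at the end shows what was declared rather than what is in force.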

Configure a Best Practice Conditional Access Policy for Custom Apps in Azure

To ensure that custom apps in Azure can only be accessed from the AvePoint Online Services production environment, follow the steps below to configure a Conditional Access policy.

  1. Log in to Microsoft Entra admin center (or Microsoft Azure portal) and navigate to Protection (or Microsoft Entra ID > Security) > Conditional Access > Named locations.

  2. Click IP ranges location.

  3. In the New location (IP ranges) right pane, complete the steps below:

    1. Name this location.

    2. Click + to add IP ranges based on the reserved IP addresses downloaded from AvePoint Online Services. For details on the reserved IP addresses, see Download a List of Reserved IP Addresses.

    3. Click Create.

      Configuring a new IP ranges location.

  4. Go to the Overview page and click Create new policy.

    Clicking Create new policy.

  5. Refer to the following instructions to configure a new policy:

    1. Enter a policy name.

    2. Click Users or workload identities, select Workload identities, choose Select service principals, and select your custom apps for AvePoint cloud services.

      NOTE

      The Workload identities license is required for the Users or workload identities option to appear.

      Configuring Users or workload identities.

    3. Click Conditions, click Locations, toggle Configure to Yes, choose the Selected locations option under the Exclude tab, and select the location created in the New location (IP ranges) step.

      Configuring Conditions to add the created IP ranges location.

    4. Click Grant and select Block access.

      Setting Grant to Block access.

    5. Toggle the Enable policy option to On.

      Setting the Enable policy option to On.

    6. Click Create.
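The named location and the workload-identity policy above, created with the Microsoft Graph PowerShell SDK, as an added example (not AvePoint's or Microsoft's code). It handles both IPv4 and IPv6 CIDR ranges in the downloaded list, resolves each custom app's service principal (the policy targets service principal object IDs, not application IDs), and blocks access from every location except the named one. The Application (client) IDs and the CIDR ranges are placeholders; 203.0.113.0/24 is a documentation-only range standing in for the reserved IP addresses downloaded from AvePoint Online Services.

```powershell
# Added example (not AvePoint's or Microsoft's code): creates the IP ranges named location
# and a Conditional Access policy that blocks the custom apps' service principals from every
# location except that one. Assumptions: Microsoft.Graph module installed; Workload Identities
# licensing in place; the client IDs and CIDR ranges below are placeholders (203.0.113.0/24 is
# a documentation-only range) to replace with your apps and the AvePoint reserved IP list.

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

$clientAppIds = @('<APPLICATION-CLIENT-ID>')   # placeholder: one per custom app for AvePoint cloud services
$ipRanges     = @('203.0.113.0/24')            # placeholder: AvePoint reserved IP ranges in CIDR form
$locationName = 'AvePoint Online Services production'
$policyName   = 'Block custom AvePoint apps outside AvePoint production IPs'

# Workload identity policies select service principal object IDs, so resolve each app to its SP.
$spIds = foreach ($appId in $clientAppIds) {
    $sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
    if (-not $sp) { throw "No service principal for appId $appId; create it (or grant consent) first" }
    $sp.Id
}

# Steps 1-3: the named location. Each range is typed by address family; isTrusted stays false
# because the location only scopes this policy and is not a trusted network for sign-in risk.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = $locationName
    isTrusted     = $false
    ipRanges      = @($ipRanges | ForEach-Object {
        $type = if ($_ -like '*:*') { '#microsoft.graph.iPv6CidrRange' } else { '#microsoft.graph.iPv4CidrRange' }
        @{ '@odata.type' = $type; cidrAddress = $_ }
    })
}

# Steps 4-5: block the selected service principals from all locations except the named one.
# A workload identity policy uses clientApplications (not users) and must target all applications.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = $policyName
    state         = 'enabled'   # 'enabledForReportingButNotEnforced' stages it in report-only mode first
    conditions    = @{
        clientApplications = @{ includeServicePrincipals = @($spIds) }
        applications       = @{ includeApplications = @('All') }
        locations          = @{ includeLocations = @('All'); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Verify against what the portal shows for the new policy.
$policy | Select-Object DisplayName, State
(Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id).Conditions.Locations.ExcludeLocations
```

The Exclude tab in step 3 corresponds to excludeLocations with includeLocations set to All: the policy applies everywhere and the named location is carved out, so a token request for these apps from any other network is blocked. Report-only mode is a safe first stage if you want to confirm in the sign-in logs that only AvePoint's production ranges appear before enforcing.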