Guides Microsoft Entra ID app registration, OAuth 2.0 authentication, and MSAL integration. USE FOR: create app registration, register Azure AD app, configure OAuth, set up authentication, add API permissions, generate service principal, MSAL example, console app auth, Entra ID setup, Azure AD authentication. DO NOT USE FOR: Azure RBAC or role assignments (use azure-rbac), Key Vault secrets (use azure-keyvault-expiration-audit), Azure resource security (use azure-security).
Guides Microsoft Entra ID app registration, OAuth 2.0 authentication, and MSAL integration.
npx claudepluginhub microsoft/github-copilot-for-azureThis skill inherits all available tools. When active, it can use any tool Claude has access to.
references/BICEP-EXAMPLE.bicepreferences/api-permissions.mdreferences/auth-best-practices.mdreferences/cli-commands.mdreferences/console-app-example.mdreferences/first-app-registration.mdreferences/oauth-flows.mdreferences/sdk/azure-identity-dotnet.mdreferences/sdk/azure-identity-java.mdreferences/sdk/azure-identity-py.mdreferences/sdk/azure-identity-rust.mdreferences/sdk/azure-identity-ts.mdreferences/sdk/azure-keyvault-py.mdreferences/sdk/azure-keyvault-secrets-ts.mdreferences/sdk/microsoft-azure-webjobs-extensions-authentication-events-dotnet.mdreferences/troubleshooting.mdMicrosoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud-based identity and access management service. App registrations allow applications to authenticate users and access Azure resources securely.
| Concept | Description |
|---|---|
| App Registration | Configuration that allows an app to use Microsoft identity platform |
| Application (Client) ID | Unique identifier for your application |
| Tenant ID | Unique identifier for your Azure AD tenant/directory |
| Client Secret | Password for the application (confidential clients only) |
| Redirect URI | URL where authentication responses are sent |
| API Permissions | Access scopes your app requests |
| Service Principal | Identity created in your tenant when you register an app |
| Type | Use Case |
|---|---|
| Web Application | Server-side apps, APIs |
| Single Page App (SPA) | JavaScript/React/Angular apps |
| Mobile/Native App | Desktop, mobile apps |
| Daemon/Service | Background services, APIs |
Create an app registration in the Azure portal or using Azure CLI.
Portal Method:
CLI Method: See references/cli-commands.md IaC Method: See references/BICEP-EXAMPLE.bicep
It's highly recommended to use the IaC to manage Entra app registration if you already use IaC in your project, need a scalable solution for managing lots of app registrations or need fine-grained audit history of the configuration changes.
Set up authentication settings based on your application type.
http://localhost or custom URI schemeGrant your application permission to access Microsoft APIs or your own APIs.
Common Microsoft Graph Permissions:
User.Read - Read user profileUser.ReadWrite.All - Read and write all usersDirectory.Read.All - Read directory dataMail.Send - Send mail as a userDetails: See references/api-permissions.md
For confidential client applications (web apps, services), create a client secret, certificate or federated identity credential.
Client Secret:
Certificate: For production environments, use certificates instead of secrets for enhanced security. Upload certificate via "Certificates & secrets" section.
Federated Identity Credential: For dynamically authenticating the confidential client to Entra platform.
Integrate the OAuth flow into your application code.
See:
Walk user through their first app registration step-by-step.
Required Information:
Script: See references/first-app-registration.md
Create a .NET/Python/Node.js console app that authenticates users.
Required Information:
Example: See references/console-app-example.md
Set up daemon/service authentication without user interaction.
Required Information:
Implementation: Use Client Credentials flow (see references/oauth-flows.md#client-credentials-flow)
| Command | Purpose |
|---|---|
az ad app create | Create new app registration |
az ad app list | List app registrations |
az ad app show | Show app details |
az ad app permission add | Add API permission |
az ad app credential reset | Generate new client secret |
az ad sp create | Create service principal |
Complete reference: See references/cli-commands.md
MSAL is the recommended library for integrating Microsoft identity platform.
Supported Languages:
Microsoft.Identity.Client@azure/msal-browser, @azure/msal-nodemsalExamples: See references/console-app-example.md
| Practice | Recommendation |
|---|---|
| Never hardcode secrets | Use environment variables, Azure Key Vault, or managed identity |
| Rotate secrets regularly | Set expiration, automate rotation |
| Use certificates over secrets | More secure for production |
| Least privilege permissions | Request only required API permissions |
| Enable MFA | Require multi-factor authentication for users |
| Use managed identity | For Azure-hosted apps, avoid secrets entirely |
| Validate tokens | Always validate issuer, audience, expiration |
| Use HTTPS only | All redirect URIs must use HTTPS (except localhost) |
| Monitor sign-ins | Use Entra ID sign-in logs for anomaly detection |
Activates when the user asks about AI prompts, needs prompt templates, wants to search for prompts, or mentions prompts.chat. Use for discovering, retrieving, and improving prompts.
Search, retrieve, and install Agent Skills from the prompts.chat registry using MCP tools. Use when the user asks to find skills, browse skill catalogs, install a skill for Claude, or extend Claude's capabilities with reusable AI agent components.
This skill should be used when the user asks to "create an agent", "add an agent", "write a subagent", "agent frontmatter", "when to use description", "agent examples", "agent tools", "agent colors", "autonomous agent", or needs guidance on agent structure, system prompts, triggering conditions, or agent development best practices for Claude Code plugins.