2. CMS App Registrations
CMS Service App Registration
Unless internal policies require otherwise, one shared service App Registration per Active Directory tenant is sufficient for all CMS instances.
A client secret needs to be created and then provided to Forrit for use in Service Delivery Hub.
Under the ‘API permissions’ tab the following permissions need to be added:
| Permission | Type | Description | Needs admin consent |
|---|---|---|---|
| User.Read | Delegated | Sign in and read user profile | No |
| Directory.Read.All | Application | Read directory data | Yes |
Under the ‘Expose an API’ tab a scope needs to be created in the following format and then provided to Forrit after creating a Service Delivery Hub instance:
{Audience URL/Application ID URI}/user_impersonation
Using the default Azure format for the ‘Application ID URI’, your scope would look like this:
api://00000000-0000-0000-0000-000000000000/user_impersonation
The CMS Service App Registration also needs at least the “CDN Endpoint Contributor” role on the CMS Resource Group or, more narrowly, directly on the CDN Profile resource.
CMS Client App Registration
Unless internal policies require otherwise, one shared client App Registration per Active Directory tenant is sufficient for all CMS instances.
Under the ‘Authentication’ tab, a Redirect URI needs to be set to the CMS client (Angular app) URL. This happens automatically if the Service Delivery Hub service principal has the Application.Write.All permission.
Under the ‘API permissions’ tab the following permissions need to be added:
| Permission | Type | Description | Needs admin consent |
|---|---|---|---|
| user_impersonation | Delegated | The CMS Service exposed API scope (created in the previous section) | No |
| User.Read | Delegated | Sign in and read user profile | No |
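To verify that both registrations from this section (the CMS Service one above and the CMS Client one here) were set up as the two tables require, the following audit script is an added example and is not part of the original page or of Forrit's tooling. It reads manifests in the shape returned by `az ad app show`; the Microsoft Graph permission GUIDs are assumed well-known public values, and the sample manifests use placeholder GUIDs.

```python
# Well-known Microsoft Graph identifiers (assumed from public docs; verify in your own tenant).
GRAPH = "00000003-0000-0000-c000-000000000000"
USER_READ = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"           # User.Read, Delegated ("Scope")
DIRECTORY_READ_ALL = "7ab1d382-f21e-4acd-a863-ba3e13f7da61"  # Directory.Read.All, Application ("Role")

def requested(manifest, resource_app_id):
    """Permissions asked of one resource as {(id, 'Scope'|'Role')}; shape follows `az ad app show`."""
    return {(a["id"], a["type"]) for r in manifest.get("requiredResourceAccess", [])
            if r["resourceAppId"] == resource_app_id for a in r["resourceAccess"]}

def service_scope(service):
    """Scope string handed to Forrit: {Application ID URI}/user_impersonation."""
    return f"{service['identifierUris'][0]}/user_impersonation"

def check_service_app(service):
    """Findings for the CMS Service registration; an empty list means it matches the table above."""
    findings, graph = [], requested(service, GRAPH)
    for perm, kind, name in ((USER_READ, "Scope", "delegated User.Read"),
                             (DIRECTORY_READ_ALL, "Role", "application Directory.Read.All")):
        if (perm, kind) not in graph:
            findings.append(f"service: missing {name}")
    exposed = {s["value"] for s in service.get("api", {}).get("oauth2PermissionScopes", []) if s["isEnabled"]}
    if "user_impersonation" not in exposed or not service.get("identifierUris"):
        findings.append("service: user_impersonation scope or Application ID URI not exposed")
    return findings

def check_client_app(client, service):
    """Findings for the CMS Client registration, checked against the service registration it calls."""
    findings = []
    if (USER_READ, "Scope") not in requested(client, GRAPH):
        findings.append("client: missing delegated User.Read")
    scope_ids = {s["id"] for s in service["api"]["oauth2PermissionScopes"] if s["value"] == "user_impersonation"}
    if not any(kind == "Scope" and pid in scope_ids for pid, kind in requested(client, service["appId"])):
        findings.append("client: does not request the CMS Service user_impersonation scope")
    # Least privilege: the browser-side client only needs the two Delegated permissions in the table.
    findings += [f"client: unexpected application permission {a['id']} on {r['resourceAppId']}"
                 for r in client.get("requiredResourceAccess", []) for a in r["resourceAccess"] if a["type"] == "Role"]
    if not client.get("spa", {}).get("redirectUris"):
        findings.append("client: no SPA redirect URI set for the CMS Angular app")
    return findings

# Constructed sample manifests (placeholder GUIDs, not real tenant data).
SCOPE_ID = "22222222-2222-2222-2222-222222222222"
SERVICE = {"appId": "11111111-1111-1111-1111-111111111111", "identifierUris": ["api://11111111-1111-1111-1111-111111111111"],
           "api": {"oauth2PermissionScopes": [{"id": SCOPE_ID, "value": "user_impersonation", "isEnabled": True}]},
           "requiredResourceAccess": [{"resourceAppId": GRAPH, "resourceAccess": [
               {"id": USER_READ, "type": "Scope"}, {"id": DIRECTORY_READ_ALL, "type": "Role"}]}]}
CLIENT = {"appId": "33333333-3333-3333-3333-333333333333", "spa": {"redirectUris": ["https://cms.example.invalid/"]},
          "requiredResourceAccess": [{"resourceAppId": GRAPH, "resourceAccess": [{"id": USER_READ, "type": "Scope"}]},
                                     {"resourceAppId": SERVICE["appId"], "resourceAccess": [{"id": SCOPE_ID, "type": "Scope"}]}]}
```

Run `check_service_app` and `check_client_app` over the JSON of your real registrations; a stray Application permission on the client, or a missing exposed scope on the service, shows up as a finding before Forrit is handed the secret and scope.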