Create a New Azure App Registration

tip

This guide should only be performed once per Azure Tenant.
The App Registration should be created in the same tenant where the Azure Subscriptions are located.

important

In order to allow Microsoft 365 License optimization, you must grant admin consent for the Directory.Read.All, the Agreement.Read.All, the AuditLog.Read.All and the Reports.Read.All permissions. (Steps 5 to 18 in the Azure Portal method)

This guide will walk you through the process of creating a new Azure App Registration in your Azure Tenant.

Prerequisites

In order to create a new Azure App Registration, you need the following prerequisites:

• An Active Azure Tenant.
• The following permissions Microsoft Entra ID Permissions:
  • microsoft.directory/applications/createAsOwner
  • microsoft.directory/oAuth2PermissionGrants/createAsOwner
  • microsoft.directory/servicePrincipals/createAsOwner
  • microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-company-admin (the listed permissions are part of the Application Administrator role)
• If you have Conditional Access Policies enabled, you need to ensure that the App Registration can bypass the policies.
  (Please contact our support for more information)

Instructions

To create Chronom's App Registration, follow the steps below:

Azure Portal

1. Browse to the Application Registration Creation page in the Azure Portal.
   (Make sure you are logged in to the correct Azure Tenant)

   tip

   If the link does not work, you can navigate to the Entra ID service and click on the App registrations section inside Azure Portal,
   then click on the + New registration button.

2. Fill in the following details:

   • Name: Chronom Read-Only App Registration
   • Supported account types: Accounts in this organizational directory only (Microsoft only - Single tenant)
   • Redirect URI:
     • Platform: web
     • URI: https://app.chronom.ai
   • Click on the Register button.

   

3. Once the App Registration is created, Take note of the following details:

   • Application (client) ID
   • Directory (tenant) ID

   

   note

   After the initial creation, an enterprise application is created automatically. To configure API permissions and client secrets, you need to navigate to the App Registration. You can find it by going to Entra ID → App registrations → Chronom Read-Only App Registration, or by staying on the current page after registration.

4. Navigate to the API permissions section under the Manage on the left-hand side menu.
   (If you already have the User.Read permission, you can skip to step 9.)

   

5. Click on the + Add a permission button and select Microsoft Graph from the list of APIs.

   

6. Select Delegated permissions and search for User.Read in the search bar.

   

7. Under the User category, select the User.Read permission and click on the Add permissions button.

   

8. Click on the + Add a permission button and select Microsoft Graph from the list of APIs.

   

9. Select Application permissions and search for Directory.Read.All in the search bar.

   

10. Under the Directory category, select the Directory.Read.All permission and click on the Add permissions button.

    

11. Click on the + Add a permission button and select Microsoft Graph from the list of APIs.

    

12. Select Application permissions and search for Agreement.Read.All in the search bar.

13. Under the Policy category, select the Agreement.Read.All permission and click on the Add permissions button.

14. Click on the + Add a permission button and select Microsoft Graph from the list of APIs.

    

15. Select Application permissions and search for AuditLog.Read.All in the search bar.

16. Under the Audit Logs category, select the AuditLog.Read.All permission and click on the Add permissions button.

    

17. Click on the + Add a permission button and select Microsoft Graph from the list of APIs.

    

18. Select Application permissions and search for Reports.Read.All in the search bar.

19. Under the Reports category, select the Reports.Read.All permission and click on the Add permissions button.

20. Click on the Grant admin consent for <Your Tenant> button to grant the permissions and confirm by clicking Yes.

    

21. Navigate to the Certificates & secrets section under the Manage on the left-hand side menu.

    

22. Click on the + New client secret button under the Client secrets tab and fill in the following details:

• Description: Chronom Read-Only Secret
• Expires: 730 days (24 months)
• Click on the Add button.

23. Once the secret is created, take note of the Value as it will be used to authenticate the App Registration in Chronom.

danger

Handle with Extreme Care!
Client Secret is considered a highly sensitive credential.
Make sure to store it in a secure location and only share it via Chronom's Integrations Page.
Chronom will never ask you for your Client Secret via email or any other communication channel.
Do not share your Client Secret with anyone else.

note

The Client Secret is only displayed once after creation.

24. On a new tab, navigate to Chronom's Integrations Page and click on the + Add a new Tenant button.

25. Fill in the Details and click on the Save button:

• Tenant Name: The name of the Azure Tenant where the App Registration was created.
• Tenant ID: The Directory (tenant) ID of the App Registration.
• Application ID: The Application (client) ID of the App Registration.
• Client Secret: The Value of the Client Secret created in the previous step.

Azure CLI (bash)

note

All steps below should be executed in the same bash session.
It is recommended to copy and paste the commands one by one to avoid any mistakes.

The steps below assume you have Azure CLI installed and configured with the necessary permissions.
If you haven't installed Azure CLI yet, you can follow the instructions here.

1. If not already installed, install jq by following the instructions here.

2. Authenticate Azure CLI with the Tenant where your subscriptions are by running the following command:

   az login

3. Create the App Registration by running the following command:

   appRegistration=$(az ad app create --display-name "Chronom Read-Only App Registration" \
                               --sign-in-audience "AzureADMyOrg" \
                               --web-redirect-uris "https://app.chronom.ai")
   clientId=$(echo $appRegistration | jq -r '.appId')
   tenantId=$(az account show --query tenantId -o tsv)
   echo "Application (client) ID: $clientId"
   echo "Directory (tenant) ID: $tenantId"

4. Grant User.Read API Permissions to the App Registration by running the following command:

   az ad app permission add --id "$clientId" \
                            --api 00000003-0000-0000-c000-000000000000 \
                            --api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope
   az ad sp create --id $clientId
   az ad app permission grant --id $clientId --api 00000003-0000-0000-c000-000000000000 --scope "User.Read"

5. Grant Directory.Read.All API Permissions to the App Registration with Admin Consent by running the following command:

   az ad app permission add --id "$clientId" \
                             --api 00000003-0000-0000-c000-000000000000 \
                             --api-permissions 7ab1d382-f21e-4acd-a863-ba3e13f7da61=Role
   az ad app permission admin-consent --id $clientId

6. Grant Agreement.Read.All API Permissions to the App Registration with Admin Consent by running the following command:

   az ad app permission add --id "$clientId" \
                             --api 00000003-0000-0000-c000-000000000000 \
                             --api-permissions 2f3e6f8c-093b-4c57-a58b-ba5ce494a169=Role
   az ad app permission admin-consent --id $clientId

7. Grant AuditLog.Read.All API Permissions to the App Registration with Admin Consent by running the following command:

   az ad app permission add --id "$clientId" \
                             --api 00000003-0000-0000-c000-000000000000 \
                             --api-permissions b0afded3-3588-46d8-8b3d-9842eff778da=Role
   az ad app permission admin-consent --id $clientId

8. Grant Reports.Read.All API Permissions to the App Registration with Admin Consent by running the following command:

   az ad app permission add --id "$clientId" \
                             --api 00000003-0000-0000-c000-000000000000 \
                             --api-permissions 230c1aed-a721-4c5d-9cb4-a90514e508ef=Role
   az ad app permission admin-consent --id $clientId

9. Create a new client secret by running the following command:

   danger

   Handle with Extreme Care!
   Client Secret is considered a highly sensitive credential.
   Make sure to store it in a secure location and only share it via Chronom's Integrations Page.
   Chronom will never ask you for your Client Secret via email or any other communication channel.
   Do not share your Client Secret with anyone else.

   clientSecret=$(az ad app credential reset --id "$clientId" \
                                        --display-name "Chronom Read-Only Secret" \
                                        --years 2)
   clientSecretValue=$(echo $clientSecret | jq -r '.password')
   echo "Client Secret Value: $clientSecretValue"

10. Navigate to Chronom's Integrations Page and click on the + Add a new Tenant button.

    

11. Fill in the Details and click on the Save button:

    • Tenant Name: The name of the Azure Tenant where the App Registration was created.
    • Tenant ID: The Directory (tenant) ID of the App Registration.
    • Application ID: The Application (client) ID of the App Registration.
    • Client Secret: The Value of the Client Secret created in the previous step.

    

The complete Bash script

#!/bin/bash

# Authenticate Azure CLI
az login

# Create the App Registration
appRegistration=$(az ad app create --display-name "Chronom Read-Only App Registration" \
                                --sign-in-audience "AzureADMyOrg" \
                                --web-redirect-uris "https://app.chronom.ai")
clientId=$(echo $appRegistration | jq -r '.appId')
tenantId=$(az account show --query tenantId -o tsv)

# Grant User.Read API Permissions
az ad app permission add --id "$clientId" \
                         --api 00000003-0000-0000-c000-000000000000 \
                         --api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope
az ad sp create --id $clientId
az ad app permission grant --id $clientId --api 00000003-0000-0000-c000-000000000000 --scope "User.Read"

# Grant Directory.Read.All API Permissions
  az ad app permission add --id "$clientId" \
                          --api 00000003-0000-0000-c000-000000000000 \
                          --api-permissions 7ab1d382-f21e-4acd-a863-ba3e13f7da61=Role
  az ad app permission admin-consent --id $clientId

# Grant Agreement.Read.All API Permissions
  az ad app permission add --id "$clientId" \
                          --api 00000003-0000-0000-c000-000000000000 \
                          --api-permissions 2f3e6f8c-093b-4c57-a58b-ba5ce494a169=Role
  az ad app permission admin-consent --id $clientId

# Grant AuditLog.Read.All API Permissions
  az ad app permission add --id "$clientId" \
                          --api 00000003-0000-0000-c000-000000000000 \
                          --api-permissions b0afded3-3588-46d8-8b3d-9842eff778da=Role
  az ad app permission admin-consent --id $clientId

# Grant Reports.Read.All API Permissions
  az ad app permission add --id "$clientId" \
                          --api 00000003-0000-0000-c000-000000000000 \
                          --api-permissions 230c1aed-a721-4c5d-9cb4-a90514e508ef=Role
  az ad app permission admin-consent --id $clientId

# Create a new client secret
clientSecret=$(az ad app credential reset --id "$clientId" \
                                        --display-name "Chronom Read-Only Secret" \
                                        --years 2)
clientSecretValue=$(echo $clientSecret | jq -r '.password')

# Output the App Registration details
echo
echo "Application (client) ID: $clientId"
echo "Directory (tenant) ID: $tenantId"
echo "Client Secret Value: $clientSecretValue"

Azure CLI (PowerShell)

note

All steps below should be executed in the same PowerShell session.
It is recommended to copy and paste the commands one by one to avoid any mistakes.

The steps below assume you have Azure CLI installed and configured with the necessary permissions.
If you haven't installed Azure CLI yet, you can follow the instructions here.

1. Authenticate Azure CLI with the Tenant where your subscriptions are by running the following command:

   az login

2. Create the App Registration by running the following command:

   $appRegistration = az ad app create --display-name "Chronom Read-Only App Registration" `
                                  --sign-in-audience "AzureADMyOrg" `
                                  --web-redirect-uris "https://app.chronom.ai" | ConvertFrom-Json
   $clientId = $appRegistration.appId
   $tenantId = (az account show --query tenantId -o tsv).Trim()
   Write-Host "Application (client) ID: $clientId"
   Write-Host "Directory (tenant) ID: $tenantId"

3. Grant User.Read API Permissions to the App Registration by running the following command:

   az ad app permission add --id $clientId `
                            --api 00000003-0000-0000-c000-000000000000 `
                            --api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope
   az ad sp create --id $clientId
   az ad app permission grant --id $clientId --api 00000003-0000-0000-c000-000000000000 --scope "User.Read"

4. Grant Directory.Read.All API Permissions to the App Registration with Admin Consent by running the following command:

   az ad app permission add --id $clientId `
                            --api 00000003-0000-0000-c000-000000000000 `
                            --api-permissions 7ab1d382-f21e-4acd-a863-ba3e13f7da61=Role
   az ad app permission admin-consent --id $clientId

5. Grant Agreement.Read.All API Permissions to the App Registration with Admin Consent by running the following command:

   az ad app permission add --id $clientId `
                             --api 00000003-0000-0000-c000-000000000000 `
                             --api-permissions 2f3e6f8c-093b-4c57-a58b-ba5ce494a169=Role
   az ad app permission admin-consent --id $clientId

6. Grant AuditLog.Read.All API Permissions to the App Registration with Admin Consent by running the following command:

   az ad app permission add --id $clientId `
                             --api 00000003-0000-0000-c000-000000000000 `
                             --api-permissions b0afded3-3588-46d8-8b3d-9842eff778da=Role
   az ad app permission admin-consent --id $clientId

7. Grant Reports.Read.All API Permissions to the App Registration with Admin Consent by running the following command:

   az ad app permission add --id $clientId `
                             --api 00000003-0000-0000-c000-000000000000 `
                             --api-permissions 230c1aed-a721-4c5d-9cb4-a90514e508ef=Role
   az ad app permission admin-consent --id $clientId

8. Create a new client secret by running the following command:

   danger

   Handle with Extreme Care!
   Client Secret is considered a highly sensitive credential.
   Make sure to store it in a secure location and only share it via Chronom's Integrations Page.
   Chronom will never ask you for your Client Secret via email or any other communication channel.
   Do not share your Client Secret with anyone else.

   $clientSecret = az ad app credential reset --id $clientId `
                                         --display-name "Chronom Read-Only Secret" `
                                         --years 2 | ConvertFrom-Json
   $clientSecretValue = $clientSecret.password
    Write-Host "Client Secret Value: $clientSecretValue"

9. Navigate to Chronom's Integrations Page and click on the + Add a new Tenant button.

   

10. Fill in the Details and click on the Save button:

    • Tenant Name: The name of the Azure Tenant where the App Registration was created.
    • Tenant ID: The Directory (tenant) ID of the App Registration.
    • Application ID: The Application (client) ID of the App Registration.
    • Client Secret: The Value of the Client Secret created in the previous step.

    

The complete PowerShell script

# Authenticate Azure CLI
az login

# Create the App Registration
$appRegistration = az ad app create --display-name "Chronom Read-Only App Registration" `
                                --sign-in-audience "AzureADMyOrg" `
                                --web-redirect-uris "https://app.chronom.ai" | ConvertFrom-Json
$clientId = $appRegistration.appId
$tenantId = (az account show --query tenantId -o tsv).Trim()

# Grant User.Read API Permissions
az ad app permission add --id $clientId `
                         --api 00000003-0000-0000-c000-000000000000 `
                         --api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope
az ad sp create --id $clientId
az ad app permission grant --id $clientId --api 00000003-0000-0000-c000-000000000000 --scope "User.Read"

# Grant Directory.Read.All API Permissions
az ad app permission add --id $clientId `
                        --api 00000003-0000-0000-c000-000000000000 `
                        --api-permissions 7ab1d382-f21e-4acd-a863-ba3e13f7da61=Role
az ad app permission admin-consent --id $clientId

# Grant Agreement.Read.All API Permissions
az ad app permission add --id $clientId `
                        --api 00000003-0000-0000-c000-000000000000 `
                        --api-permissions 2f3e6f8c-093b-4c57-a58b-ba5ce494a169=Role
az ad app permission admin-consent --id $clientId

# Grant AuditLog.Read.All API Permissions
az ad app permission add --id $clientId `
                        --api 00000003-0000-0000-c000-000000000000 `
                        --api-permissions b0afded3-3588-46d8-8b3d-9842eff778da=Role
az ad app permission admin-consent --id $clientId

# Grant Reports.Read.All API Permissions
az ad app permission add --id $clientId `
                        --api 00000003-0000-0000-c000-000000000000 `
                        --api-permissions 230c1aed-a721-4c5d-9cb4-a90514e508ef=Role
az ad app permission admin-consent --id $clientId

# Create a new client secret
$clientSecret = az ad app credential reset --id $clientId `
                                       --display-name "Chronom Read-Only Secret" `
                                       --years 2 | ConvertFrom-Json
$clientSecretValue = $clientSecret.password

# Output the App Registration details
write-host
Write-Host "Application (client) ID: $clientId"
Write-Host "Directory (tenant) ID: $tenantId"
Write-Host "Client Secret Value: $clientSecretValue"

note

After adding your Azure Tenant and saving the details, you are ready to proceed to the next stage: connecting your Management Group(s) or Subscription(s) to Chronom.

tip

Continue to the Add Subscription guide to complete the integration process.

tip

Continue to the Add Management Group guide to complete the integration process.