Register with Azure Entra

In order to receive the identity token that is used for DKE decryption, you must register the application with Azure Entra or the Azure Portal. You must have an account in order to access either of these pages.

Note: These instructions were written in February 2024 using Azure Entra. If the Azure Entra website has changed, then some values may be different.

  1. Navigate to https://entra.microsoft.com/.

  2. Click on Applications > App registrations.

  3. On the App registrations page, click New registration.

  4. On the Register an application page, enter the name to use for the application.

  5. Select the supported account type. You must select one of the following:

    • Accounts in this organizational directory only (MSFT only - Single tenant)

    • Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)

  6. For the Redirect URI, select Web and enter the FQDN of the service.

  7. Click Register.

  8. On the App registration page for the application that you just registered, click Expose an API.

  9. On the Expose an API page, for the Application ID URI, enter the FQDN and click Save.

  10. Click Add a scope.

  11. In the Add a scope window, enter user_impersonation for the Scope name, Admin consent display name, and Admin consent description.

  12. Click Add scope to return to the Expose an API page.

  13. Click Add a client application.

  14. In the Add a client application window, enter the Client ID d3590ed6-52b3-4102-aeff-aad2292ab01c. This is the Microsoft Office client ID, which enables Microsoft Office to obtain an access token for your key store.

  15. Check the checkbox for the scope that you just added and click Add application.

  16. Click Add a client application again and enter the Client ID c00e9d32-3c8d-4a7d-832b-029040e7db99, which is the Azure Information Protection unified labeling client ID.

  17. Check the checkbox for the scope and click Add application.
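The registration above determines what a valid token presented to the key store looks like: its audience is the Application ID URI from step 9, its caller is one of the two client IDs pre-authorized in steps 14 and 16, and it carries the user_impersonation scope from step 11. The following Python is an added example (not code from the vendor or from this procedure) that checks those claims; the FQDN is a placeholder, the `aud`, `appid`, `azp` and `scp` claim names are the standard Entra access-token claims, and signature verification against the tenant's signing keys is assumed to happen before these checks.

```python
import base64
import json

# Values taken from the registration steps; the FQDN is a constructed placeholder.
APP_ID_URI = "https://dke.example.com"            # Application ID URI (step 9)
SCOPE = "user_impersonation"                       # scope name (step 11)
ALLOWED_CLIENTS = {
    "d3590ed6-52b3-4102-aeff-aad2292ab01c",        # Microsoft Office (step 14)
    "c00e9d32-3c8d-4a7d-832b-029040e7db99",        # AIP unified labeling client (step 16)
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(jwt: str) -> dict:
    """Return the payload claims of a JWT. This does NOT check the signature;
    verify it against the tenant's published signing keys before trusting claims."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(claims: dict) -> list:
    """Return the problems found; an empty list means the claims match this registration."""
    problems = []
    aud = claims.get("aud", "")                   # compare with/without trailing slash
    if aud.rstrip("/") != APP_ID_URI.rstrip("/"):
        problems.append(f"audience {aud!r} is not this key store")
    caller = claims.get("appid") or claims.get("azp")  # v1.0 uses appid, v2.0 uses azp
    if caller not in ALLOWED_CLIENTS:
        problems.append(f"caller {caller!r} is not a pre-authorized client")
    if SCOPE not in claims.get("scp", "").split():     # scp is space-separated
        problems.append(f"scope {SCOPE!r} not granted")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for the samples below (test data only)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


# Constructed samples: an Office token for this key store, and one issued for another API.
GOOD = make_unsigned_token({"aud": APP_ID_URI, "appid": "d3590ed6-52b3-4102-aeff-aad2292ab01c",
                            "scp": "user_impersonation"})
BAD = make_unsigned_token({"aud": "https://other.example.com",
                           "azp": "00000000-0000-0000-0000-000000000000", "scp": "Files.Read"})
```

`check_claims(token_claims(GOOD))` returns an empty list, while the token for the other API is rejected on all three checks.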