Skip to content
/ lab-10-interactive-identity-build Public

Part of my AI collaborative lab series for Microsoft Identity and Access Administration skill development and expertise pathway.

0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Compcode1/lab-10-interactive-identity-build

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
README.md
README.md
 
 

Repository files navigation

Lab 10 — Establishing an Interactive Identity Substrate in Microsoft Entra ID

Purpose (Corrected and Authoritative)

The purpose of this lab is to intentionally construct and understand the minimum tenant infrastructure required to support real interactive user sign-in flows, so that future labs can examine:

  • Delegated permission consent behavior
  • User-issued access tokens
  • Token claims and scopes
  • Enterprise Application visibility and assignment
  • Real sign-in logs and enforcement paths
  • Conditional Access and authorization mechanics

This lab exists to enable all subsequent identity labs by creating a stable, inspectable, interactive identity surface inside the tenant.

No application code is required because Microsoft Entra ID governs identity, not application execution.

SimplifyDeep — Core Principle

Microsoft Entra ID does not manage applications.

Microsoft Entra ID manages identity contracts that applications may use.

This lab builds and validates an interactive identity contract:

  • a user can authenticate,
  • a token can be issued,
  • permissions can be evaluated,
  • and enforcement can occur — even when no application code exists.

What We Actually Built (System Reality)

By the end of Lab 10, the tenant now contains:

  1. An Application Registration

    • Defines who the application is (identity paperwork)
    • Declares redirect behavior for interactive sign-in
    • Requests baseline delegated permissions

  2. A Corresponding Enterprise Application (Service Principal)

    • Represents the tenant-local instance of that identity
    • Acts as the enforcement and assignment boundary
    • Is what users are actually assigned to

3. Interactive Sign-In Contract (Foundational Concept)

An interactive sign-in contract defines whether and how a human user is allowed to authenticate interactively to an application using Microsoft Entra ID.

This contract is established entirely through Authentication configuration on the application registration.
No application code is required for the contract to exist.

A. Platform Declaration (SPA)

SPA stands for Single-Page Application.

Declaring an SPA platform tells Microsoft Entra ID:

“This application will authenticate users directly from a browser-based client using OAuth 2.0 / OpenID Connect.”

Key implications:

  • The client is browser-based
  • Tokens are requested directly by the client
  • No backend server is required to complete authentication
  • The application is eligible for interactive OAuth flows

This declaration is about client behavior, not about whether an app actually exists.

B. Redirect URI (Security Boundary)

The redirect URI defines:

“Where Microsoft Entra ID is allowed to send the user after successful authentication.”

Important characteristics:

  • Must match exactly
  • Is a hard security boundary
  • Prevents tokens or authorization codes from being sent to untrusted locations

In this lab:

  • A localhost redirect URI was used
  • This simulates a browser receiving authentication responses
  • The presence of the URI enables interactive sign-in, even without app code

Without a redirect URI:

  • Interactive authentication is blocked
  • Users cannot complete sign-in
  • Tokens cannot be issued

C. OAuth Flow Enablement

By configuring an SPA platform, Microsoft Entra ID enables:

  • Authorization Code Flow with PKCE (Proof Key for Code Exchange)
    • The modern, secure OAuth flow for browser applications
    • Uses short-lived authorization codes
    • Prevents interception and replay attacks

This tells Entra ID:

“This application is allowed to participate in interactive OAuth authorization flows.”

Without OAuth flow enablement:

  • The app may exist
  • Users may be assigned
  • Permissions may be defined
  • But no interactive sign-in can occur

Why This Step Is Critical

Before this configuration:

  • You had an application identity (App Registration)
  • You had a tenant-local instance (Enterprise Application)
  • You had permissions and assignments

But you did not yet have permission for users to authenticate interactively.

This step converts the application from:

“An identity object with metadata”
into
“A valid OAuth client capable of real user sign-in”

SimplifyDeep Rule

No redirect URI and no OAuth flow means no interactive sign-in — regardless of permissions or assignments.

ConnectionDeep (Why This Enables Future Labs)

With the interactive sign-in contract in place, the tenant can now:

  • Perform real user sign-ins
  • Generate meaningful sign-in logs
  • Enforce Conditional Access
  • Issue delegated tokens with user context

This is why Lab 10 was required before moving forward.

  1. Explicit User Assignment

    • User 4 assigned to the Enterprise Application
    • Visibility enabled so the app appears in MyApps
    • Confirms the difference between:
      • “app exists”
      • “user can see and launch app”

  2. User-Facing Evidence of Configuration

    • Application appears in User 4’s MyApps portal
    • Launch attempt fails (expected — no app code)
    • Identity path succeeds (this is the point)

ConnectionDeep — Why This Matters

Before this lab:

  • You could configure permissions abstractly
  • You could define APIs and requests
  • You could reason about tokens theoretically

But you could not:

  • Observe real interactive sign-in behavior
  • Validate user assignment visibility
  • See how delegated permissions become real
  • Inspect identity outcomes from a user’s perspective

After this lab:

  • The tenant can issue real interactive user tokens
  • Consent paths are now observable
  • User-based authorization labs are unblocked
  • Identity behavior can be tested without guesswork

This lab converts Entra ID from a static configuration exercise into a living identity system.

Key Technical Clarifications Learned

1. App Registration vs Enterprise Application (Again, But Correctly)

  • App Registration = global identity definition
  • Enterprise Application = tenant enforcement object
  • Users are assigned only to Enterprise Applications

2. Visibility Is Not Automatic

  • Assignment alone does not guarantee MyApps visibility
  • “Visible to users” must be explicitly enabled
  • This is why User 4 initially saw nothing

3. Redirect URIs Are Identity Plumbing

  • Redirect URIs do not require application code
  • They define where Entra ID is allowed to return tokens
  • Without them, interactive sign-in cannot complete

4. Launch Failure Is Expected and Correct

  • The app fails to launch because no software exists
  • The identity system worked correctly
  • This confirms separation of identity from application runtime

Why This Lab Is Foundational

This lab is the keystone for everything that follows:

  • Delegated vs application permissions
  • Consent prompts and storage
  • Token inspection
  • Conditional Access evaluation
  • Graph access behavior
  • Sign-in and audit logs

Without Lab 10, all of those topics remain abstract.

With Lab 10, they become observable, testable, and falsifiable.

Final Takeaway

Lab 10 was about building capability, not proving trivia.

You now own:

  • an interactive identity surface,
  • a user-visible enforcement boundary,
  • and a tenant ready for real identity experimentation.

Only now does it make sense to proceed to Lab 11.

About

Part of my AI collaborative lab series for Microsoft Identity and Access Administration skill development and expertise pathway.

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published