App Registration

You need to set up an App Registration, so Schoolyear AVD can call APIs in your Azure tenant. This guide helps you set up this App Registration.

Some of the identifiers and secrets created in these steps are required later in the Quick-Start guide. Note them down somewhere secure or come back later to this chapter to copy or generate when you need them.

Create the App Registration

  1. Navigate to the App Registration page in the Azure Portal: Entra ID > Manage > App registrations

  2. Click “New Registration”

  3. Name: Schoolyear AVD

  4. Supported account types: Single tenant

  5. Click “Register”

Redirect URLs

Set up the redirect URLs for the newly created App Registration by navigating to Manage > Authentication.

Configure Web platform

  1. Click “Add a platform”

  2. Click “Web”

  3. Enter one of the following URLs, depending on the Schoolyear environment you are trying to connect to:

    https://api.schoolyear.app/v2/sas/vdi-provider/avd/oidc-callback

  4. Click “Configure”

Configure Native platform

  1. Click “Add a platform”

  2. Click “Mobile and desktop applications”

  3. Configure this URL:

    https://login.microsoftonline.com/common/oauth2/nativeclient

  4. Click “Configure”

Client Secret

Create a Client Secret for the newly created App Registration by navigating to Manage > Certificates & secrets > Client secrets > "New Client Secret".

  • Description: Schoolyear AVD
  • Expires: Default or whatever your internal policy requires.

Note down the secret’s value as soon as it is created; the portal shows it only once. Later sections refer to it as the App Registration Client Secret.

API permissions

You need to grant a few permissions to this App Registration for Schoolyear AVD to function correctly. These permissions are generally quite permissive. Unfortunately, Entra ID does not provide a method of scoping these permissions.

Navigate to Manage > API permissions and add the following permissions one-by-one:

  • Microsoft Graph > Delegated > User.Read (may already be added by default)
  • Microsoft Graph > Application > Group.Create (may already be added by default)
  • Microsoft Graph > Application > Group.ReadWrite.All (may already be added by default)
  • Microsoft Graph > Application > GroupMember.ReadWrite.All (may already be added by default)

After you have added these permissions, click “Grant admin consent for Schoolyear”.

Service Principal Permissions

You must grant the App Registration permissions on the Subscription you are using for your Schoolyear AVD implementation. You do this by granting a role to the “Service Principal” that represents the newly created App Registration.

The Service Principal must have enough permissions to perform at least the following actions:

  • Read & deploy Deployment Templates
  • ReadWrite Resource Groups
  • Grant students access to AVD deployments
  • Deploy, read, update and delete any resource configured in the Deployment Templates

In practice, the Service Principal requires the Owner role on the Subscription.

To assign the Service Principal the Owner role, navigate to Subscriptions > <your-subscription> > Access Control (IAM) > Add > Add role assignment.

  1. Under Role > Privileged administrator roles, click Owner.

  2. Under Members, configure the following:

    • Assign access to: User, group or service principal
    • Members: search for the name you gave to the App Registration (Schoolyear AVD)

  3. Under Conditions, select “Allow user to assign all roles except privileged administrator roles Owner, UAA, RBAC (Recommended)”.

  4. Click “Next”, then “Review + assign”.
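The portal steps above, as an added scripted equivalent using the Az PowerShell module (not Schoolyear's own tooling). It assumes Connect-AzAccount has already been run as a user allowed to create app registrations and role assignments, that $SubscriptionId is the subscription from the Quick-Start guide, and that the Graph permission IDs are resolved by name at run time rather than hard-coded; the three GUIDs in the condition are the built-in Owner, User Access Administrator and RBAC Administrator role definition IDs, which is what the “(Recommended)” condition in step 3 restricts.

```powershell
# Added example, not Schoolyear's own tooling. Assumes Connect-AzAccount has been run.
param([Parameter(Mandatory)][string]$SubscriptionId)

$graphAppId = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph resource app

# 1. App Registration: single tenant, Web + Mobile/desktop redirect URIs from this guide
$app = New-AzADApplication -DisplayName "Schoolyear AVD" -SignInAudience AzureADMyOrg `
    -Web @{ RedirectUri = @("https://api.schoolyear.app/v2/sas/vdi-provider/avd/oidc-callback") } `
    -PublicClient @{ RedirectUri = @("https://login.microsoftonline.com/common/oauth2/nativeclient") }

# 2. API permissions: resolve IDs by name from the Graph service principal in this tenant
$graphSp     = Get-AzADServicePrincipal -ApplicationId $graphAppId
$delegated   = @("User.Read")
$application = @("Group.Create", "Group.ReadWrite.All", "GroupMember.ReadWrite.All")
$access = @()
foreach ($name in $delegated) {
    $id = ($graphSp.Oauth2PermissionScope | Where-Object Value -eq $name).Id
    $access += @{ Id = $id; Type = "Scope" }   # Delegated permission
}
foreach ($name in $application) {
    $id = ($graphSp.AppRole | Where-Object Value -eq $name).Id
    $access += @{ Id = $id; Type = "Role" }    # Application permission
}
Update-AzADApplication -ApplicationId $app.AppId `
    -RequiredResourceAccess @(@{ ResourceAppId = $graphAppId; ResourceAccess = $access })

# 3. Service principal and client secret (SecretText is returned once; store it securely)
$sp     = New-AzADServicePrincipal -ApplicationId $app.AppId
$secret = New-AzADAppCredential -ApplicationId $app.AppId -EndDate (Get-Date).AddYears(1)
$secret.SecretText   # The App Registration Client Secret

# 4. Owner on the subscription, constrained so the SP cannot assign or remove
#    Owner, User Access Administrator or RBAC Administrator (built-in role IDs)
$priv = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635, 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9, f58310d9-a9f6-439a-9e8d-f62e7b41a168"
$condition = @"
((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAllValues:GuidNotEquals {$priv}))
AND
((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAllValues:GuidNotEquals {$priv}))
"@
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName "Owner" `
    -Scope "/subscriptions/$SubscriptionId" -Condition $condition -ConditionVersion "2.0"
```

The “Grant admin consent for Schoolyear” click has no Az cmdlet equivalent and is still done in the portal under Manage > API permissions after the script has run.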