### 1. Create an application registration in Microsoft Azure portal
a. Using an account linked to your organization, navigate to the [Microsoft Azure Portal](https://portal.azure.com).
b. Select **App registrations**, then **New registration** to register a new app.
c. Name your app registration and choose who can access your application.
d. Select `Web` as the **Redirect URI** type and enter the following:
```
https://your-datahub-domain.com/callback/oidc
```
If you are just testing locally, the following can be used: `http://localhost:9002/callback/oidc`.
Azure supports more than one redirect URI, so both can be configured at the same time from the **Authentication** tab once the registration is complete.
At this point, your app registration should look like the following:
Once registration is done, you will land on the app registration **Overview** tab. On the left-side navigation bar, click on **Authentication** under **Manage** and add any extra redirect URIs you need (for example, to support both local testing and Azure deployments).
On the left-side navigation bar, click on **Certificates & secrets** under **Manage**.
Select **Client secrets**, then **New client secret**. Type in a meaningful description for your secret and select an expiry. Click the **Add** button when you are done.
**IMPORTANT:** Copy the `value` of your newly created secret now, since Azure will never display it again afterwards.
On the left-side navigation bar, click on **API permissions** under **Manage**. DataHub requires the following four Microsoft Graph API permissions:
1. `User.Read` *(should be already configured)*
2. `profile`
3. `email`
4. `openid`
Click on **Add a permission**, then from the **Microsoft APIs** tab select **Microsoft Graph**, then **Delegated permissions**. From the **OpenId permissions** category, select `email`, `openid`, `profile` and click **Add permissions**.
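The settings chosen in the steps above can also be checked offline against the application object that `az ad app show --id <app-id>` returns. The script below is an added example, not part of DataHub or of the original guide; the `audit` function, the `SAMPLE` object and the `staging.example.com` host are constructed for illustration, and the permission IDs are the ones Microsoft publishes for Microsoft Graph.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

GRAPH = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resourceAppId
# Delegated-permission IDs Microsoft publishes for Graph; confirm in your tenant.
REQUIRED = {
    "e1fe6dd8-ba31-4d61-89e7-88639da4683d": "User.Read",
    "14dad69e-099b-42c9-810b-d002981feec1": "profile",
    "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0": "email",
    "37f7f235-527c-4136-accd-4a02d197296e": "openid",
}

def audit(app, now):
    """Return findings for one Graph application object (a dict)."""
    findings = []
    uris = app.get("web", {}).get("redirectUris", [])
    if not uris:
        findings.append("no Web redirect URI configured")
    for uri in uris:
        u = urlsplit(uri)
        if u.path != "/callback/oidc" or u.query or u.fragment:
            findings.append(f"not the DataHub callback path: {uri}")
        # Plain HTTP is acceptable only for the local-testing URI.
        if u.scheme != "https" and u.hostname != "localhost":
            findings.append(f"non-HTTPS redirect URI: {uri}")
    granted = {p["id"] for r in app.get("requiredResourceAccess", [])
               if r.get("resourceAppId") == GRAPH
               for p in r.get("resourceAccess", []) if p.get("type") == "Scope"}
    findings += [f"missing delegated permission: {name}"
                 for pid, name in REQUIRED.items() if pid not in granted]
    for s in app.get("passwordCredentials", []):
        # Graph timestamps are UTC; drop fractional seconds and the trailing "Z".
        end = datetime.strptime(s["endDateTime"][:19] + "+0000", "%Y-%m-%dT%H:%M:%S%z")
        if end <= now:
            findings.append(f"client secret expired: {s.get('displayName')}")
    return findings

# Constructed sample: HTTP URI on a non-local host, `email` missing, old secret.
SAMPLE = {
    "web": {"redirectUris": ["https://your-datahub-domain.com/callback/oidc",
                             "http://localhost:9002/callback/oidc",
                             "http://staging.example.com/callback/oidc"]},
    "requiredResourceAccess": [{"resourceAppId": GRAPH, "resourceAccess": [
        {"id": pid, "type": "Scope"} for pid, n in REQUIRED.items() if n != "email"]}],
    "passwordCredentials": [{"displayName": "datahub-oidc",
                             "endDateTime": "2024-01-01T00:00:00Z"}],
}
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, datetime.now(timezone.utc))))
```

To audit a real registration, load the JSON output of `az ad app show` with `json.load` and pass the resulting dict to `audit`.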
At this point, you should be looking at a screen like the following: