# Enterprise Application

### About Enterprise Application Registration

An **Enterprise Application** in Azure Active Directory (Azure AD) is an app registered in your organization’s directory.

The **Secure Contacts App (SCA)** needs to be registered as an Enterprise Application to:

* **Authenticate users securely** via Azure AD.
* **Access organizational data** such as contacts, groups, and directory information.
* **Enable centralized management and compliance** of app permissions within your tenant.

Registering SCA ensures that administrators can control access and grant only the permissions necessary for the app to operate safely in the organization.

### How to Register the SCA Enterprise Application

There are **two ways** to register SCA as an Enterprise Application:

#### 1. Via the SCA Homepage

1. Go to the [Secure Contacts App homepage](https://docs.secure-contacts.com/quickstart-guide/ios-mam-steps-to-activate-sca-in-your-azure-tenant/step-1-register-enterprise-app#step1-registerenterpriseapp-enterpriseappregistrationfromthescahomepage).
2. In the **Admin-Consent** section, enter your **Azure AD tenant ID** and click **Add**.
3. Sign in with an account that has the **Global Administrator** role.
4. Grant **tenant-wide admin consent** to complete the registration.

#### 2. Manual Registration via URL

1. Construct the following URL, replacing `{tenant-id}` with your Azure AD tenant ID:

```
https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id=20429334-d869-476e-8a65-ea300a327985
```

2. Open the URL in your browser.
3. Sign in with an account that has the **Global Administrator** role.
4. Review and grant **tenant-wide admin consent**.

{% hint style="success" %}
Example:\
[https://login.microsoftonline.com/**XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX**/adminconsent?client\_id=20429334-d869-476e-8a65-ea300a327985](https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/adminconsent?client_id=20429334-d869-476e-8a65-ea300a327985)

XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX = Replace this with **your own** Tenant-ID\
**20429334-d869-476e-8a65-ea300a327985** = Enterprise-App-ID of **Secure Contacts App**
{% endhint %}

{% hint style="danger" %}
The admin consent page may sometimes get stuck in a loop and not provide feedback. \
To verify the registration:

* Check if the Enterprise Application **"Secure Contacts App"** appears in your Azure AD.
* If you encounter any issues with registering SCA in Azure AD, **contact our support team** for assistance.
  {% endhint %}

<div align="left"><figure><img src="https://3880789596-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4v109br9tFl1Rxk2qP0x%2Fuploads%2FLLvTvNieqZVKB9ruR0Y6%2Fimage.png?alt=media&#x26;token=03f9c321-9aff-469b-a265-3a70387bf67d" alt="" width="218"><figcaption></figcaption></figure></div>

### Permissions for SCA Enterprise app <a href="#permissions-for-sca-enterprise-app" id="permissions-for-sca-enterprise-app"></a>

The tables below list all mandatory permissions.

<table><thead><tr><th>Graph-Value</th><th>Permission</th><th>Function in SCA</th><th data-hidden></th><th data-hidden></th><th data-hidden></th></tr></thead><tbody><tr><td>Contacts.Read</td><td>Read user contacts</td><td>Personal contacts (APC)</td><td>1</td><td> </td><td> </td></tr><tr><td>Contacts.Read.Shared</td><td>Read user and shared contacts</td><td>Shared Mailbox contacts (SMC)</td><td></td><td></td><td></td></tr><tr><td>Contacts.ReadWrite</td><td>Read and write user contacts</td><td>Allows users to create, edit and delete their own personal contacts (APC)</td><td></td><td></td><td></td></tr><tr><td>Directory.Read.All</td><td>Read directory</td><td>List all AD users / contacts (AAD)</td><td>2</td><td> </td><td> </td></tr><tr><td>offline_access</td><td>Maintain access to data you have given it access to</td><td>Default-Requirement for Enterprise App</td><td>3</td><td> </td><td> </td></tr><tr><td>openid</td><td>Sign users in</td><td>Default-Requirement for Enterprise App</td><td>4</td><td> </td><td> </td></tr><tr><td>Presence.Read.All</td><td>Read presence information of all users in your organization</td><td>Teams Status</td><td>6</td><td> </td><td> </td></tr><tr><td>User.Read.All</td><td>View full user profile info</td><td>Get the UPN of all users and users' profile photos (AAD)</td><td>9</td><td> </td><td> </td></tr></tbody></table>

| Dynamics CRM        | Permission                                       | Function in SCA                                             |
| ------------------- | ------------------------------------------------ | ----------------------------------------------------------- |
| user\_impersonation | Access Common Data Service as organization users | Contacts from Dynamics 365 (D365) and from Dataverse (DVRS)  |

<table><thead><tr><th width="254.1424560546875">MS Mobile Application Management </th><th>Permission</th><th>Function in SCA</th></tr></thead><tbody><tr><td><a href="enterprise-application/understanding-the-devicemanagementmanagedapps.readwrite-permission">DeviceManagementManagedApps.ReadWrite</a></td><td>(Read and Write the User's App Management data / allow app <a href="enterprise-application/understanding-the-devicemanagementmanagedapps.readwrite-permission">access to the Intune app protection service</a>)</td><td>Allows SCA to interact with the Intune App Protection service: checking and applying protection policies, reporting compliance status, and enforcing conditional access.</td></tr></tbody></table>

{% hint style="success" %}
SCA permissions are all **Delegated** — the app acts only for the signed-in user.
{% endhint %}
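
To check that the consent actually granted matches the tables above, the following added example (not part of the SCA product or its documentation) compares a list of delegated permission grants with the documented scopes. It assumes the input is the JSON returned by Microsoft Graph when listing `oauth2PermissionGrants` for the SCA service principal; the group labels, the sample ids and the extra `Mail.Read` scope are constructed for illustration.

```python
import json

# Delegated scopes from the permission tables above, grouped per API.
# The group keys are labels made up for this example.
EXPECTED = {
    "graph": {"Contacts.Read", "Contacts.Read.Shared", "Contacts.ReadWrite",
              "Directory.Read.All", "offline_access", "openid",
              "Presence.Read.All", "User.Read.All"},
    "dynamics_crm": {"user_impersonation"},
    "mam": {"DeviceManagementManagedApps.ReadWrite"},
}

def audit_grants(grants_json, resource_labels):
    """Diff tenant-wide delegated grants against EXPECTED; return findings."""
    granted = {label: set() for label in EXPECTED}
    findings = {"missing": {}, "unexpected": {},
                "not_tenant_wide": [], "unknown_resource": []}
    for grant in json.loads(grants_json)["value"]:
        label = resource_labels.get(grant["resourceId"])
        if label is None:  # grant targets an API the tables do not mention
            findings["unknown_resource"].append(grant["resourceId"])
        elif grant["consentType"] != "AllPrincipals":
            # "Principal" is consent for one user, not tenant-wide admin consent
            findings["not_tenant_wide"].append(grant["id"])
        else:
            granted[label] |= set(grant["scope"].split())
    for label, expected in EXPECTED.items():
        if expected - granted[label]:
            findings["missing"][label] = sorted(expected - granted[label])
        if granted[label] - expected:
            findings["unexpected"][label] = sorted(granted[label] - expected)
    return findings

# Constructed sample response; every id below is a placeholder.
SAMPLE = json.dumps({"value": [
    {"id": "grant-1", "clientId": "sp-sca", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-graph",
     "scope": "Contacts.Read Contacts.Read.Shared Contacts.ReadWrite "
              "Directory.Read.All offline_access openid User.Read.All Mail.Read"},
    {"id": "grant-2", "clientId": "sp-sca", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-crm", "scope": "user_impersonation"},
    {"id": "grant-3", "clientId": "sp-sca", "consentType": "Principal",
     "principalId": "user-1", "resourceId": "sp-mam",
     "scope": "DeviceManagementManagedApps.ReadWrite"},
]})
LABELS = {"sp-graph": "graph", "sp-crm": "dynamics_crm", "sp-mam": "mam"}

if __name__ == "__main__":
    print(json.dumps(audit_grants(SAMPLE, LABELS), indent=2))
```

An empty `missing` and `unexpected` result means the tenant-wide consent matches the documented permission set exactly; anything under `unexpected` is a scope to review before leaving it in place.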
