Setting Up an App Registration for OSDU
This guide covers how to create and configure an app registration in Microsoft Entra ID to communicate with the OSDU platform (ADME).
1. Create an app registration
Register a new application in the Azure Portal, or reuse an existing one if your team already has one.
Tip
To create an app registration, you need the Application Developer role. Apply for it in AccessIT if you don't already have it.
See the Omnia documentation for general guidance on creating app registrations at Equinor.
2. Add the ADME API permission
Your app registration needs an API permission to communicate with ADME.
For delegated access (authorization code flow — App + User)
Use this if your app signs in as a user (e.g. a web app or CLI tool that prompts for login).
- Go to your app registration in the Azure Portal → API permissions
- Click Add a permission → APIs my organization uses
- Search for "Azure Data Manager for Energy"
- Select the one with client ID bd0c9d90-89ad-4bb3-97bc-d787b9f69cdc
- Choose Delegated permissions → select access_as_user → Add permissions
No admin consent needed
The access_as_user permission does not require admin consent. Users can consent themselves on first login.
If you previously had user_impersonation on the old per-instance resource (dffa82c7-...), you can remove it for dev and test. For production, keep the old permission until the migration is rolled out. See the Entra ID Migration Checklist for details.
For application access (client credentials flow — App only)
Use this if your app authenticates as itself without a user (e.g. a pipeline or background service).
Application access still uses the per-instance resource ID scopes. Entra ID group resolution is not yet supported for client credentials flows.
| Environment | Scope |
|---|---|
| Dev | 7daee810-3f78-40c4-84c2-7a199428de18/.default |
| Test | 5a1178c2-5867-4a34-8fb8-216164e30b5f/.default |
| Prod | 5a1178c2-5867-4a34-8fb8-216164e30b5f/.default |
Your app registration's service principal must also be added directly as a member of the required OSDU entitlement groups. Request access via ServiceNow:
3. Configure authentication
Add a redirect URI under Authentication in your app registration:
- For local development: http://localhost:<port> (e.g. http://localhost:53100)
- For web apps: your application's callback URL
If using client credentials flow, create a client secret or certificate under Certificates & secrets.
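A quick way to confirm that a token matches the setup above before calling ADME, as an added example that is not part of the original guide or the platform's own code. It assumes the `aud` claim carries the bare resource GUID and that `scp` appears only in delegated tokens; `check_adme_token`, `jwt_claims` and `sample_token` are hypothetical helper names, and the decode skips signature verification, so it is for diagnostics only.

```python
import base64
import json

# Values taken from this guide.
ADME_DELEGATED_CLIENT_ID = "bd0c9d90-89ad-4bb3-97bc-d787b9f69cdc"
APP_ONLY_RESOURCE = {
    "dev": "7daee810-3f78-40c4-84c2-7a199428de18",
    "test": "5a1178c2-5867-4a34-8fb8-216164e30b5f",
    "prod": "5a1178c2-5867-4a34-8fb8-216164e30b5f",
}

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def check_adme_token(token, env):
    """Return a list of mismatches; an empty list means the token fits `env`."""
    claims = jwt_claims(token)
    problems = []
    # Assumption: only delegated (user) tokens carry an `scp` claim.
    delegated = "scp" in claims
    # Assumption: `aud` is the bare GUID of the requested resource.
    expected = ADME_DELEGATED_CLIENT_ID if delegated else APP_ONLY_RESOURCE[env]
    if claims.get("aud") != expected:
        problems.append(f"aud {claims.get('aud')!r} != expected {expected!r}")
    if delegated and "access_as_user" not in claims["scp"].split():
        problems.append("delegated token lacks access_as_user")
    return problems

def sample_token(claims):
    """Build an unsigned, constructed token for the demo (not a real credential)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + ".sig"

if __name__ == "__main__":
    user = sample_token({"aud": ADME_DELEGATED_CLIENT_ID, "scp": "access_as_user"})
    dev_app = sample_token({"aud": APP_ONLY_RESOURCE["dev"]})
    print(check_adme_token(user, "dev"))      # matches the delegated setup
    print(check_adme_token(dev_app, "test"))  # dev token presented to test
```

Test and prod share the same scope in the table above, so this check cannot tell those two environments apart.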
4. Request platform access
Once your app registration is set up, request the access level you need for each environment via ServiceNow:
Access is per environment
You need to submit a separate request for each environment (dev, test, prod).
Need help?
If you're unsure about any of these steps, contact the OSDU Platform Team: