After that, the actual MPN ID comes from the MPN, the Microsoft Partner Network.
To get it you'll need to go to the [Microsoft Partner Center](https://partner.microsoft.com/) and register your organization.
You'll get verified after a week or two and will then be able to find this MPN ID under Account settings > Organization profile > Identifiers in the [Microsoft Partner Center](https://partner.microsoft.com/).
If you ever need to do this then [this](https://docs.microsoft.com/en-us/azure/active-directory/develop/troubleshoot-publisher-verification) may be very useful.
## Certificates & secrets
After that, go to "Certificates & secrets".
Microsoft always recommends using certificates for getting access codes.
Each client secret has both the secret itself and an ID, and both are needed for authorization.
When you create these you'll need to store them safely and put them wherever the app gets them from.
## API permissions
The last thing we need to configure in Azure is the API permissions for the app.
When adding a permission for the app you'll first need to choose which API you need access to,
and then which permissions are needed for that API.
For apps that integrate with Microsoft services the "Microsoft Graph" API is likely where you'll find most needed permissions.
There is also a difference between "Application" and "Delegated" permissions.
Application permissions are for the app itself and need to be granted by the owner of the app.
Delegated permissions, on the other hand, are the ones that add stuff to the consent form. These let the app do API requests on behalf of the end user and need to be granted by the end user or through admin consent.
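
The split shows up in the access token the app receives: in Microsoft identity platform tokens, delegated permissions arrive in the `scp` claim and application permissions in the `roles` claim. The following is an added example, not part of the original post; the function names and sample tokens are constructed for illustration, and the payload is decoded without signature verification, so it is for inspection only.

```python
import base64
import json


def decode_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_token(token: str, expected: set) -> dict:
    """Report which kind of permissions a token carries and how they compare
    with the permissions the app is supposed to have."""
    claims = decode_claims(token)
    delegated = claims.get("scp", "").split()   # space-separated string
    application = claims.get("roles", [])       # JSON array
    # Simplification: a user token that also carries app roles counts as delegated.
    if delegated:
        kind, granted = "delegated", set(delegated)
    elif application:
        kind, granted = "application", set(application)
    else:
        kind, granted = "none", set()
    return {
        "kind": kind,
        "excess": sorted(granted - expected),   # granted but not needed
        "missing": sorted(expected - granted),  # needed but not granted
    }


def make_sample_token(claims: dict) -> str:
    """Build an unsigned token for the demo (constructed, not a real token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "constructed"])


if __name__ == "__main__":
    user_token = make_sample_token({"scp": "Mail.Read User.Read"})
    app_token = make_sample_token({"roles": ["User.Read.All"]})
    print(audit_token(user_token, {"User.Read"}))
    print(audit_token(app_token, {"User.Read.All", "Group.Read.All"}))
```

Anything listed under `excess` is a permission the token carries that the app was not expected to need, which is the first thing to trim from the app registration.
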
You'll need a "service principal" for the app in your tenant to authenticate with it.
This will get created on first login if it's not done already.
Automatic creation happens when you get that consent thing after logging in telling the end user what permissions the app requires.
If it's a tenant admin that's logging in, that person may tick the check box for granting the permissions "On behalf of Organization". This is "admin consent", and it means individual users in that tenant don't need to consent when logging in.
Small and simple PowerShell script for adding the "service principal" to a tenant: