Application.ReadWrite.OwnedBy
Allows the app to create other applications, and fully manage those applications (read, update, update application secrets and delete), without a signed-in user. It cannot update any apps that it is not an owner of.
Graph Methods
Type: A = Application Permission, D = Delegate Permission
Application Permission
Id | 18a4783c-866b-4cc7-a460-3d5e5662c884 |
Display String | Manage apps that this app creates or owns |
Description | Allows the app to create other applications, and fully manage those applications (read, update, update application secrets and delete), without a signed-in user. It cannot update any apps that it is not an owner of. |
Resources
addIn
Property | Type | Description |
---|---|---|
ID | guid | |
properties | keyValue collection | |
type | string |
application
Property | Type | Description |
---|---|---|
addIns | addIn collection | Defines custom behavior that a consuming service can use to call an app in specific contexts. For example, applications that can render file streams may set the addIns property for its "FileHandler" functionality. This will let services like Office 365 call the application in the context of a document the user is working on. |
api | apiApplication | Specifies settings for an application that implements a web API. |
appId | String | The unique identifier for the application that is assigned to an application by Microsoft Entra ID. Not nullable. Read-only. Alternate key. Supports $filter (eq ). |
applicationTemplateId | String | Unique identifier of the applicationTemplate. Supports $filter (eq , not , ne ). |
appRoles | appRole collection | The collection of roles defined for the application. With app role assignments, these roles can be assigned to users, groups, or service principals associated with other applications. Not nullable. |
certification | certification | Specifies the certification status of the application. |
createdDateTime | DateTimeOffset | The date and time the application was registered. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . Read-only. Supports $filter (eq , ne , not , ge , le , in , and eq on null values) and $orderby . |
deletedDateTime | DateTimeOffset | The date and time the application was deleted. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . Read-only. |
description | String | Free text field to provide a description of the application object to end users. The maximum allowed size is 1024 characters. Supports $filter (eq , ne , not , ge , le , startsWith ) and $search . |
disabledByMicrosoftStatus | String | Specifies whether Microsoft has disabled the registered application. Possible values are: null (default value), NotDisabled , and DisabledDueToViolationOfServicesAgreement (reasons may include suspicious, abusive, or malicious activity, or a violation of the Microsoft Services Agreement). Supports $filter (eq , ne , not ). |
displayName | String | The display name for the application. Supports $filter (eq , ne , not , ge , le , in , startsWith , and eq on null values), $search , and $orderby . |
groupMembershipClaims | String | Configures the groups claim issued in a user or OAuth 2.0 access token that the application expects. To set this attribute, use one of the following valid string values: None , SecurityGroup (for security groups and Microsoft Entra roles), All (this gets all of the security groups, distribution groups, and Microsoft Entra directory roles that the signed-in user is a member of). |
id | String | Unique identifier for the application object. This property is referred to as Object ID in the Microsoft Entra admin center. Inherited from directoryObject. Key. Not nullable. Read-only. Supports $filter (eq , ne , not , in ). |
identifierUris | String collection | Also known as App ID URI, this value is set when an application is used as a resource app. The identifierUris acts as the prefix for the scopes you'll reference in your API's code, and it must be globally unique. You can use the default value provided, which is in the form api://<application-client-id> , or specify a more readable URI like https://contoso.com/api . For more information on valid identifierUris patterns and best practices, see Microsoft Entra application registration security best practices. Not nullable. Supports $filter (eq , ne , ge , le , startsWith ). |
info | informationalUrl | Basic profile information of the application such as app's marketing, support, terms of service and privacy statement URLs. The terms of service and privacy statement are surfaced to users through the user consent experience. For more info, see How to: Add Terms of service and privacy statement for registered Microsoft Entra apps. Supports $filter (eq , ne , not , ge , le , and eq on null values). |
isDeviceOnlyAuthSupported | Boolean | Specifies whether this application supports device authentication without a user. The default is false . |
isFallbackPublicClient | Boolean | Specifies the fallback application type as public client, such as an installed application running on a mobile device. The default value is false which means the fallback application type is confidential client such as a web app. There are certain scenarios where Microsoft Entra ID cannot determine the client application type. For example, the ROPC flow where it is configured without specifying a redirect URI. In those cases Microsoft Entra ID interprets the application type based on the value of this property. |
keyCredentials | keyCredential collection | The collection of key credentials associated with the application. Not nullable. Supports $filter (eq , not , ge , le ). |
logo | Stream | The main logo for the application. Not nullable. |
notes | String | Notes relevant for the management of the application. |
oauth2RequiredPostResponse | Boolean | Specifies whether, as part of OAuth 2.0 token requests, Microsoft Entra ID allows POST requests, as opposed to GET requests. The default is false , which specifies that only GET requests are allowed. |
optionalClaims | optionalClaims | Application developers can configure optional claims in their Microsoft Entra applications to specify the claims that are sent to their application by the Microsoft security token service. For more information, see How to: Provide optional claims to your app. |
parentalControlSettings | parentalControlSettings | Specifies parental control settings for an application. |
passwordCredentials | passwordCredential collection | The collection of password credentials associated with the application. Not nullable. |
publicClient | publicClientApplication | Specifies settings for installed clients such as desktop or mobile devices. |
publisherDomain | String | The verified publisher domain for the application. Read-only. For more information, see How to: Configure an application's publisher domain. Supports $filter (eq , ne , ge , le , startsWith ). |
requestSignatureVerification | requestSignatureVerification | Specifies whether this application requires Microsoft Entra ID to verify the signed authentication requests. |
requiredResourceAccess | requiredResourceAccess collection | Specifies the resources that the application needs to access. This property also specifies the set of delegated permissions and application roles that it needs for each of those resources. This configuration of access to the required resources drives the consent experience. No more than 50 resource services (APIs) can be configured. Beginning mid-October 2021, the total number of required permissions must not exceed 400. For more information, see Limits on requested permissions per app. Not nullable. Supports $filter (eq , not , ge , le ). |
samlMetadataUrl | String | The URL where the service exposes SAML metadata for federation. This property is valid only for single-tenant applications. Nullable. |
serviceManagementReference | String | References application or service contact information from a Service or Asset Management database. Nullable. |
servicePrincipalLockConfiguration | servicePrincipalLockConfiguration | Specifies whether sensitive properties of a multi-tenant application should be locked for editing after the application is provisioned in a tenant. Nullable. null by default. |
signInAudience | String | Specifies the Microsoft accounts that are supported for the current application. The possible values are: AzureADMyOrg , AzureADMultipleOrgs , AzureADandPersonalMicrosoftAccount (default), and PersonalMicrosoftAccount . See more in the table. The value of this object also limits the number of permissions an app can request. For more information, see Limits on requested permissions per app. The value for this property has implications on other app object properties. As a result, if you change this property, you may need to change other properties first. For more information, see Validation differences for signInAudience. Supports $filter (eq , ne , not ). |
spa | spaApplication | Specifies settings for a single-page application, including sign out URLs and redirect URIs for authorization codes and access tokens. |
tags | String collection | Custom strings that can be used to categorize and identify the application. Not nullable. Strings added here will also appear in the tags property of any associated service principals. Supports $filter (eq , not , ge , le , startsWith ) and $search . |
tokenEncryptionKeyId | String | Specifies the keyId of a public key from the keyCredentials collection. When configured, Microsoft Entra ID encrypts all the tokens it emits by using the key this property points to. The application code that receives the encrypted token must use the matching private key to decrypt the token before it can be used for the signed-in user. |
verifiedPublisher | verifiedPublisher | Specifies the verified publisher of the application. For more information about how publisher verification helps support application security, trustworthiness, and compliance, see Publisher verification. |
web | webApplication | Specifies settings for a web application. |
appRole
Property | Type | Description |
---|---|---|
allowedMemberTypes | String collection | Specifies whether this app role can be assigned to users and groups (by setting to "User"] ), to other application's (by setting to ["Application"] , or both (by setting to ["User", "Application"] ). App roles supporting assignment to other applications' service principals are also known as [application permissions. The "Application" value is only supported for app roles defined on application entities. |
description | String | The description for the app role. This is displayed when the app role is being assigned and, if the app role functions as an application permission, during consent experiences. |
displayName | String | Display name for the permission that appears in the app role assignment and consent experiences. |
id | Guid | Unique role identifier inside the appRoles collection. When creating a new app role, a new GUID identifier must be provided. |
isEnabled | Boolean | When creating or updating an app role, this must be set to true (which is the default). To delete a role, this must first be set to false. At that point, in a subsequent call, this role may be removed. |
origin | String | Specifies if the app role is defined on the application object or on the servicePrincipal entity. Must not be included in any POST or PATCH requests. Read-only. |
value | String | Specifies the value to include in the roles claim in ID tokens and access tokens authenticating an assigned user or service principal. Must not exceed 120 characters in length. Allowed characters are : ! # $ % & ' ( ) * + , - . / : ; < = > ? @ [ ] ^ + _ ` { | } ~ , and characters in the ranges 0-9 , A-Z and a-z . Any other character, including the space character, aren't allowed. May not begin with . . |
claimsMappingPolicy
Property | Type | Description |
---|---|---|
definition | String collection | A string collection containing a JSON string that defines the rules and settings for this policy. See Properties of a claims-mapping policy definition for more details about the JSON schema for this property. Required. |
displayName | String | Display name for this policy. Required. |
id | String | Unique identifier for this policy. Read-only. |
isOrganizationDefault | Boolean | Ignore this property. The claims-mapping policy can only be applied to service principals and can't be set globally for the organization. |
customSecurityAttributeValue
directoryObject
Property | Type | Description |
---|---|---|
deletedDateTime | DateTimeOffset | Date and time when this object was deleted. Always null when the object hasn't been deleted. |
id | String | The unique identifier for the object. For example, 12345678-9abc-def0-1234-56789abcde . The value of the **i |
group
Property | Type | Description |
---|---|---|
allowExternalSenders | Boolean | Indicates if people external to the organization can send messages to the group. The default value is false . Returned only on $select . Supported only on the Get group API (GET /groups/{ID} ). |
assignedLabels | assignedLabel collection | The list of sensitivity label pairs (label ID, label name) associated with a Microsoft 365 group. Returned only on $select . |
assignedLicenses | assignedLicense collection | The licenses that are assigned to the group. Returned only on $select . Supports $filter (eq ).Read-only. |
autoSubscribeNewMembers | Boolean | Indicates if new members added to the group will be auto-subscribed to receive email notifications. You can set this property in a PATCH request for the group; do not set it in the initial POST request that creates the group. Default value is false . Returned only on $select . Supported only on the Get group API (GET /groups/{ID} ). |
classification | String | Describes a classification for the group (such as low, medium or high business impact). Valid values for this property are defined by creating a ClassificationList setting value, based on the template definition. Returned by default. Supports $filter (eq , ne , not , ge , le , startsWith ). |
createdDateTime | DateTimeOffset | Timestamp of when the group was created. The value cannot be modified and is automatically populated when the group is created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . Returned by default. Read-only. |
deletedDateTime | DateTimeOffset | For some Microsoft Entra objects (user, group, application), if the object is deleted, it is first logically deleted, and this property is updated with the date and time when the object was deleted. Otherwise this property is null . If the object is restored, this property is updated to null . |
description | String | An optional description for the group. Returned by default. Supports $filter (eq , ne , not , ge , le , startsWith ) and $search . |
displayName | String | The display name for the group. This property is required when a group is created and cannot be cleared during updates. Maximum length is 256 characters. Returned by default. Supports $filter (eq , ne , not , ge , le , in , startsWith , and eq on null values), $search , and $orderby . |
expirationDateTime | DateTimeOffset | Timestamp of when the group is set to expire. It is null for security groups, but for Microsoft 365 groups, it represents when the group is set to expire as defined in the groupLifecyclePolicy. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . Returned by default. Supports $filter (eq , ne , not , ge , le , in ). Read-only. |
groupTypes | String collection | Specifies the group type and its membership. If the collection contains Unified , the group is a Microsoft 365 group; otherwise, it's either a security group or a distribution group. For details, see groups overview.If the collection includes DynamicMembership , the group has dynamic membership; otherwise, membership is static. Returned by default. Supports $filter (eq , not ). |
hasMembersWithLicenseErrors | Boolean | Indicates whether there are members in this group that have license errors from its group-based license assignment. This property is never returned on a GET operation. You can use it as a $filter argument to get groups that have members with license errors (that is, filter for this property being true). See an example. Supports $filter (eq ). |
hideFromAddressLists | Boolean | True if the group is not displayed in certain parts of the Outlook UI: the Address Book, address lists for selecting message recipients, and the Browse Groups dialog for searching groups; otherwise, false. Default value is false . Returned only on $select . Supported only on the Get group API (GET /groups/{ID} ). |
hideFromOutlookClients | Boolean | True if the group is not displayed in Outlook clients, such as Outlook for Windows and Outlook on the web; otherwise, false. The default value is false . Returned only on $select . Supported only on the Get group API (GET /groups/{ID} ). |
id | String | The unique identifier for the group. Returned by default. Inherited from directoryObject. Key. Not nullable. Read-only. Supports $filter (eq , ne , not , in ). |
isArchived | Boolean | When a group is associated with a team, this property determines whether the team is in read-only mode. To read this property, use the /group/{groupId}/team endpoint or the Get team API. To update this property, use the archiveTeam and unarchiveTeam APIs. |
isAssignableToRole | Boolean | Indicates whether this group can be assigned to a Microsoft Entra role. Optional. This property can only be set while creating the group and is immutable. If set to true , the securityEnabled property must also be set to true , visibility must be Hidden , and the group cannot be a dynamic group (that is, groupTypes cannot contain DynamicMembership ). Only callers in Global Administrator and Privileged Role Administrator roles can set this property. The caller must also be assigned the RoleManagement.ReadWrite.Directory permission to set this property or update the membership of such groups. For more, see Using a group to manage Microsoft Entra role assignments Using this feature requires a Microsoft Entra ID P1 license. Returned by default. Supports $filter (eq , ne , not ). |
isSubscribedByMail | Boolean | Indicates whether the signed-in user is subscribed to receive email conversations. The default value is true . Returned only on $select . Supported only on the Get group API (GET /groups/{ID} ). |
licenseProcessingState | String | Indicates the status of the group license assignment to all group members. The default value is false . Read-only. Possible values: QueuedForProcessing , ProcessingInProgress , and ProcessingComplete .Returned only on $select . Read-only. |
String | The SMTP address for the group, for example, "[email protected]". Returned by default. Read-only. Supports $filter (eq , ne , not , ge , le , in , startsWith , and eq on null values). |
|
mailEnabled | Boolean | Specifies whether the group is mail-enabled. Required. Returned by default. Supports $filter (eq , ne , not ). |
mailNickname | String | The mail alias for the group, unique for Microsoft 365 groups in the organization. Maximum length is 64 characters. This property can contain only characters in the ASCII character set 0 - 127 except the following: @ () \ [] " ; : <> , SPACE . Required. Returned by default. Supports $filter (eq , ne , not , ge , le , in , startsWith , and eq on null values). |
membershipRule | String | The rule that determines members for this group if the group is a dynamic group (groupTypes contains DynamicMembership ). For more information about the syntax of the membership rule, see Membership Rules syntax. Returned by default. Supports $filter (eq , ne , not , ge , le , startsWith ). |
membershipRuleProcessingState | String | Indicates whether the dynamic membership processing is on or paused. Possible values are On or Paused . Returned by default. Supports $filter (eq , ne , not , in ). |
onPremisesLastSyncDateTime | DateTimeOffset | Indicates the last time at which the group was synced with the on-premises directory.The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . Returned by default. Read-only. Supports $filter (eq , ne , not , ge , le , in ). |
onPremisesProvisioningErrors | onPremisesProvisioningError collection | Errors when using Microsoft synchronization product during provisioning. Returned by default. Supports $filter (eq , not ). |
onPremisesSamAccountName | String | Contains the on-premises SAM account name synchronized from the on-premises directory. The property is only populated for customers synchronizing their on-premises directory to Microsoft Entra ID via Microsoft Entra Connect. Returned by default. Supports $filter (eq , ne , not , ge , le , in , startsWith ). Read-only. |
onPremisesSecurityIdentifier | String | Contains the on-premises security identifier (SID) for the group synchronized from on-premises to the cloud. Returned by default. Supports $filter (eq including on null values). Read-only. |
onPremisesSyncEnabled | Boolean | true if this group is synced from an on-premises directory; false if this group was originally synced from an on-premises directory but is no longer synced; null if this object has never been synced from an on-premises directory (default). Returned by default. Read-only. Supports $filter (eq , ne , not , in , and eq on null values). |
preferredDataLocation | String | The preferred data location for the Microsoft 365 group. By default, the group inherits the group creator's preferred data location. To set this property, the calling app must be granted the Directory.ReadWrite.All permission and the user be assigned one of the following Microsoft Entra roles:
For more information about this property, see OneDrive Online Multi-Geo. Nullable. Returned by default. |
preferredLanguage | String | The preferred language for a Microsoft 365 group. Should follow ISO 639-1 Code; for example, en-US . Returned by default. Supports $filter (eq , ne , not , ge , le , in , startsWith , and eq on null values). |
proxyAddresses | String collection | Email addresses for the group that direct to the same group mailbox. For example: ["SMTP: [email protected]", "smtp: [email protected]"] . The any operator is required to filter expressions on multi-valued properties. Returned by default. Read-only. Not nullable. Supports $filter (eq , not , ge , le , startsWith , endsWith , /$count eq 0 , /$count ne 0 ). |
renewedDateTime | DateTimeOffset | Timestamp of when the group was last renewed. This cannot be modified directly and is only updated via the renew service action. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . Returned by default. Supports $filter (eq , ne , not , ge , le , in ). Read-only. |
resourceBehaviorOptions | String collection | Specifies the group behaviors that can be set for a Microsoft 365 group during creation. This can be set only as part of creation (POST). Possible values are AllowOnlyMembersToPost , HideGroupInOutlook , SubscribeNewGroupMembers , WelcomeEmailDisabled . For more information, see Set Microsoft 365 group behaviors and provisioning options. |
resourceProvisioningOptions | String collection | Specifies the group resources provisioned as part of Microsoft 365 group creation that are not normally part of default group creation. The possible value is Team . For more information, see Set Microsoft 365 group behaviors and provisioning options. |
securityEnabled | Boolean | Specifies whether the group is a security group. Required. Returned by default. Supports $filter (eq , ne , not , in ). |
securityIdentifier | String | Security identifier of the group, used in Windows scenarios. Returned by default. |
theme | string | Specifies a Microsoft 365 group's color theme. Possible values are Teal , Purple , Green , Blue , Pink , Orange or Red . Returned by default. |
unseenCount | Int32 | Count of conversations that have received new posts since the signed-in user last visited the group. Returned only on $select . Supported only on the Get group API (GET /groups/{ID} ). |
visibility | String | Specifies the group join policy and group content visibility for groups. Possible values are: Private , Public , or HiddenMembership . HiddenMembership can be set only for Microsoft 365 groups when the groups are created. It can't be updated later. Other values of visibility can be updated after group creation.If visibility value is not specified during group creation on Microsoft Graph, a security group is created as Private by default, and the Microsoft 365 group is Public . Groups assignable to roles are always Private . To learn more, see group visibility options. Returned by default. Nullable. |
homeRealmDiscoveryPolicy
Property | Type | Description |
---|---|---|
definition | String collection | A string collection containing a JSON string that defines the rules and settings for this policy. See Properties of a home realm discovery policy definition for more details about the JSON schema for this property. Required. |
description | String | Description for this policy. |
displayName | String | Display name for this policy. Required. |
id | String | Unique identifier for this policy. Read-only. |
isOrganizationDefault | Boolean | If set to true , activates this policy. There can be many policies for the same policy type, but only one can be activated as the organization default. Optional, default value is false . |
keyCredential
Property | Type | Description |
---|---|---|
customKeyIdentifier | Binary | A 40-character binary type that can be used to identify the credential. Optional. When not provided in the payload, defaults to the thumbprint of the certificate. |
displayName | String | Friendly name for the key. Optional. |
endDateTime | DateTimeOffset | The date and time at which the credential expires. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . |
key | Binary | The certificate's raw data in byte array converted to Base64 string. Returned only on $select for a single object, that is, GET applications/{applicationId}?$select=keyCredentials or GET servicePrincipals/{servicePrincipalId}?$select=keyCredentials ; otherwise, it is always null . From a .cer certificate, you can read the key using the Convert.ToBase64String() method. For more information, see Get the certificate key. |
keyId | Guid | The unique identifier (GUID) for the key. |
startDateTime | DateTimeOffset | The date and time at which the credential becomes valid.The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . |
type | String | The type of key credential; for example, Symmetric , AsymmetricX509Cert . |
usage | String | A string that describes the purpose for which the key can be used; for example, Verify . |
passwordCredential
Property | Type | Description |
---|---|---|
customKeyIdentifier | Binary | Do not use. |
displayName | String | Friendly name for the password. Optional. |
endDateTime | DateTimeOffset | The date and time at which the password expires represented using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . Optional. |
hint | String | Contains the first three characters of the password. Read-only. |
keyId | Guid | The unique identifier for the password. |
secretText | String | Read-only; Contains the strong passwords generated by Microsoft Entra ID that are 16-64 characters in length. The generated password value is only returned during the initial POST request to addPassword. There is no way to retrieve this password in the future. |
startDateTime | DateTimeOffset | The date and time at which the password becomes valid. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . Optional. |
passwordSingleSignOnCredentialSet
Property | Type | Description |
---|---|---|
credentials | credential collection | A list of credential objects that define the complete sign in flow. |
id | String | The ID of the user or group this credential set belongs to. |
remoteDesktopSecurityConfiguration
Property | Type | Description |
---|---|---|
id | String | Unique identifier for the RDS security configuration. Inherited from entity. |
isRemoteDesktopProtocolEnabled | Boolean | Determines if Microsoft Entra ID RDS authentication protocol for RDP is enabled. |
servicePrincipal
Property | Type | Description |
---|---|---|
accountEnabled | Boolean | true if the service principal account is enabled; otherwise, false . If set to false , then no users will be able to sign in to this app, even if they are assigned to it. Supports $filter (eq , ne , not , in ). |
addIns | addIn collection | Defines custom behavior that a consuming service can use to call an app in specific contexts. For example, applications that can render file streams may set the addIns property for its "FileHandler" functionality. This will let services like Microsoft 365 call the application in the context of a document the user is working on. |
alternativeNames | String collection | Used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities. Supports $filter (eq , not , ge , le , startsWith ). |
appDescription | String | The description exposed by the associated application. |
appDisplayName | String | The display name exposed by the associated application. |
appId | String | The unique identifier for the associated application (its appId property). Alternate key. Supports $filter (eq , ne , not , in , startsWith ). |
applicationTemplateId | String | Unique identifier of the applicationTemplate that the servicePrincipal was created from. Read-only. Supports $filter (eq , ne , NOT , startsWith ). |
appOwnerOrganizationId | Guid | Contains the tenant id where the application is registered. This is applicable only to service principals backed by applications. Supports $filter (eq , ne , NOT , ge , le ). |
appRoleAssignmentRequired | Boolean | Specifies whether users or other service principals need to be granted an app role assignment for this service principal before users can sign in or apps can get tokens. The default value is false . Not nullable. Supports $filter (eq , ne , NOT ). |
appRoles | appRole collection | The roles exposed by the application which this service principal represents. For more information see the appRoles property definition on the application entity. Not nullable. |
customSecurityAttributes | customSecurityAttributeValue | An open complex type that holds the value of a custom security attribute that is assigned to a directory object. Nullable. Returned only on $select . Supports $filter (eq , ne , not , startsWith ). Filter value is case sensitive. |
deletedDateTime | DateTimeOffset | The date and time the service principal was deleted. Read-only. |
description | String | Free text field to provide an internal end-user facing description of the service principal. End-user portals such MyApps will display the application description in this field. The maximum allowed size is 1024 characters. Supports $filter (eq , ne , not , ge , le , startsWith ) and $search . |
disabledByMicrosoftStatus | String | Specifies whether Microsoft has disabled the registered application. Possible values are: null (default value), NotDisabled , and DisabledDueToViolationOfServicesAgreement (reasons may include suspicious, abusive, or malicious activity, or a violation of the Microsoft Services Agreement). Supports $filter (eq , ne , not ). |
displayName | String | The display name for the service principal. Supports $filter (eq , ne , not , ge , le , in , startsWith , and eq on null values), $search , and $orderby . |
homepage | String | Home page or landing page of the application. |
id | String | The unique identifier for the service principal. Inherited from directoryObject. Key. Not nullable. Read-only. Supports $filter (eq , ne , not , in ). |
info | informationalUrl | Basic profile information of the acquired application such as app's marketing, support, terms of service and privacy statement URLs. The terms of service and privacy statement are surfaced to users through the user consent experience. For more info, see How to: Add Terms of service and privacy statement for registered Microsoft Entra apps. Supports $filter (eq , ne , not , ge , le , and eq on null values). |
keyCredentials | keyCredential collection | The collection of key credentials associated with the service principal. Not nullable. Supports $filter (eq , not , ge , le ). |
loginUrl | String | Specifies the URL where the service provider redirects the user to Microsoft Entra ID to authenticate. Microsoft Entra ID uses the URL to launch the application from Microsoft 365 or the Microsoft Entra My Apps. When blank, Microsoft Entra ID performs IdP-initiated sign-on for applications configured with SAML-based single sign-on. The user launches the application from Microsoft 365, the Microsoft Entra My Apps, or the Microsoft Entra SSO URL. |
logoutUrl | String | Specifies the URL that will be used by Microsoft's authorization service to logout an user using OpenId Connect front-channel, back-channel or SAML logout protocols. |
notes | String | Free text field to capture information about the service principal, typically used for operational purposes. Maximum allowed size is 1024 characters. |
notificationEmailAddresses | String collection | Specifies the list of email addresses where Microsoft Entra ID sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Microsoft Entra Gallery applications. |
oauth2PermissionScopes | permissionScope collection | The delegated permissions exposed by the application. For more information see the oauth2PermissionScopes property on the application entity's api property. Not nullable. |
passwordCredentials | passwordCredential collection | The collection of password credentials associated with the application. Not nullable. |
preferredSingleSignOnMode | string | Specifies the single sign-on mode configured for this application. Microsoft Entra ID uses the preferred single sign-on mode to launch the application from Microsoft 365 or the My Apps portal. The supported values are password , saml , notSupported , and oidc . |
preferredTokenSigningKeyThumbprint | String | This property can be used on SAML applications (apps that have preferredSingleSignOnMode set to saml ) to control which certificate is used to sign the SAML responses. For applications that are not SAML, do not write or otherwise rely on this property. |
replyUrls | String collection | The URLs that user tokens are sent to for sign in with the associated application, or the redirect URIs that OAuth 2.0 authorization codes and access tokens are sent to for the associated application. Not nullable. |
resourceSpecificApplicationPermissions | resourceSpecificPermission collection | The resource-specific application permissions exposed by this application. Currently, resource-specific permissions are only supported for Teams apps accessing to specific chats and teams using Microsoft Graph. Read-only. |
samlSingleSignOnSettings | samlSingleSignOnSettings | The collection for settings related to saml single sign-on. |
servicePrincipalNames | String collection | Contains the list of identifiersUris, copied over from the associated application. Additional values can be added to hybrid applications. These values can be used to identify the permissions exposed by this app within Microsoft Entra ID. For example,
The any operator is required for filter expressions on multi-valued properties. Not nullable. Supports $filter (eq , not , ge , le , startsWith ). |
servicePrincipalType | String | Identifies whether the service principal represents an application, a managed identity, or a legacy application. This is set by Microsoft Entra ID internally. The servicePrincipalType property can be set to three different values:
|
signInAudience | String | Specifies the Microsoft accounts that are supported for the current application. Read-only. Supported values are:
|
tags | String collection | Custom strings that can be used to categorize and identify the service principal. Not nullable. The value is the union of strings set here and on the associated application entity's tags property. Supports $filter (eq , not , ge , le , startsWith ). |
tokenEncryptionKeyId | String | Specifies the keyId of a public key from the keyCredentials collection. When configured, Microsoft Entra ID issues tokens for this application encrypted using the key specified by this property. The application code that receives the encrypted token must use the matching private key to decrypt the token before it can be used for the signed-in user. |
verifiedPublisher | verifiedPublisher | Specifies the verified publisher of the application which this service principal represents. |
targetDeviceGroup
Property | Type | Description |
---|---|---|
displayName | String | Display name for the target device group. |
id | String | Object identifier of the group. Inherited from entity. |
tokenIssuancePolicy
Property | Type | Description |
---|---|---|
definition | String collection | A string collection containing a JSON string that defines the rules and settings for this policy. See below for more details about the JSON schema for this property. Required. |
description | String | Description for this policy. |
displayName | String | Display name for this policy. Required. |
id | String | Unique identifier for this policy. Read-only. |
isOrganizationDefault | Boolean | Ignore this property. The token-issuance policy can only be applied to service principals and can't be set globally for the organization. |
tokenLifetimePolicy
Property | Type | Description |
---|---|---|
definition | String collection | A string collection containing a JSON string that defines the rules and settings for this policy. See below for more details about the JSON schema for this property. Required. |
displayName | String | Display name for this policy. Required. |
id | String | Unique identifier for this policy. Read-only. |
isOrganizationDefault | Boolean | If set to true , activates this policy. There can be many policies for the same policy type, but only one can be activated as the organization default. Optional, default value is false . |