Service Principals (Enterprise Applications)
The lists below include all supported Enterprise application attributes that can be restored by On Demand Recovery.
General
Attribute | Description
accountEnabled | True if the service principal account is enabled; otherwise, False.
alternativeNames | Used to retrieve service principals by subscription, and to identify the resource group and full resource IDs for managed identities.
appId | The unique identifier for the associated application (its appId property).
applicationProxy |
applicationTemplateId (Gallery App only) | Unique identifier of the applicationTemplate that the servicePrincipal was created from.
appRoleAssignedTo | App role assignments for this app or service, granted to users, groups, and other service principals.
appRoleAssignmentRequired | Specifies whether users or other service principals need to be granted an app role assignment for this service principal before users can sign in or apps can get tokens.
appRoleAssignments | App role assignments for another app or service, granted to this service principal.
appRoles | The roles exposed by the application that this service principal represents.
displayName | The display name of the service principal.
homepage | Home page or landing page of the application.
loginUrl | Specifies the URL where the service provider redirects the user to Microsoft Entra ID to authenticate.
logoutUrl | Specifies the URL that Microsoft's authorization service uses to log out a user using the OpenID Connect front-channel, back-channel or SAML logout protocols.
memberOf | Roles that this service principal is a member of.
notificationEmailAddresses | Specifies the list of email addresses where Microsoft Entra ID sends a notification when the active certificate is near its expiration date.
oauth2PermissionGrants | Delegated permission grants authorizing this service principal to access an API on behalf of a signed-in user.
owners | Directory objects that are owners of this servicePrincipal. The owners are a set of non-admin users or servicePrincipals who are allowed to modify this object, which includes adding credentials to it, so the restored owner set should be reviewed.
preferredSingleSignOnMode | Specifies the single sign-on mode configured for this application.
roles |
samlSingleSignOnSettings | The collection of settings related to SAML single sign-on. NOTE: see the SAML Single Sign-On (SSO) (Service Principals) attributes list below for detailed information on this complex attribute.
servicePrincipalNames | Contains the list of identifierUris, copied over from the associated application.
servicePrincipalType | Identifies whether the service principal represents an application or a managed identity. This is set by Microsoft Entra ID internally. For a service principal that represents an application this is set to Application; for a service principal that represents a managed identity it is set to ManagedIdentity.
signInAudience | Specifies the Microsoft accounts that are supported for the current application.
ssoSettings |
tags | Custom strings that can be used to categorize and identify the service principal.
userAttributesAndClaims | The attribute value shows how many attributes/claims were changed. This attribute can be restored if the User Attributes & Claims section was changed or a service principal was permanently deleted.
SAML Single Sign-On (SSO)
SAML Single Sign-On is a mechanism that leverages SAML to let users log on to multiple applications after logging in to the identity provider once. Because the user signs in only once, SAML SSO provides a faster, seamless user experience.
App Role Assignments
Microsoft Entra app role assignments are used to assign application permissions to users. After a customer signs up to an application, an admin for the Microsoft Entra directory assigns users to the roles, thus giving those users permission to the application. When a user signs in, the user's assigned roles are sent as claims.
Attribute | Description
appRoleAssignmentRequired | Specifies whether users or other service principals need to be granted an app role assignment for this service principal before users can sign in or apps can get tokens.
displayName (App Role) | Display name for the permission that appears in the app role assignment and consent experiences.
memberOf (Directory Role) | The directory roles that the user is a member of.
memberOf (Groups) | The groups that the user is a member of.
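The attributes in the two tables above (accountEnabled, appRoleAssignmentRequired, appRoleAssignments, oauth2PermissionGrants, owners, servicePrincipalNames and the rest) decide who can get tokens for the application and what those tokens can do, so a restore should be checked attribute by attribute against the state the object had before it was deleted. The following is an added example for this page, not code from On Demand Recovery or Microsoft Graph: it diffs a pre-deletion snapshot of a service principal against its current (restored) state. The input shape mirrors Microsoft Graph servicePrincipal objects with the appRoleAssignments, oauth2PermissionGrants and owners relationships expanded; the sample objects are constructed and every ID in them is a made-up placeholder.

```python
"""Compare the authorization-relevant attributes of a service principal
between a pre-deletion snapshot and its current (for example, freshly
restored) state, so that missing or unexpected grants are caught before the
restored application is put back into use.

Added example, not code from On Demand Recovery or Microsoft Graph. Input
follows the Graph servicePrincipal shape with appRoleAssignments,
oauth2PermissionGrants and owners expanded; SNAPSHOT and RESTORED below are
constructed samples with placeholder IDs.
"""

# Single-valued attributes from the table above that must match exactly after a restore.
SCALAR_ATTRS = ("accountEnabled", "appRoleAssignmentRequired", "displayName",
                "preferredSingleSignOnMode", "servicePrincipalType")

# Multi-valued string attributes; order is not significant, so they are compared as sets.
LIST_ATTRS = ("servicePrincipalNames", "tags", "notificationEmailAddresses")


def assignment_keys(sp):
    """appRoleAssignments: application permissions this SP holds on other resources."""
    return {(a["resourceId"], a["appRoleId"]) for a in sp.get("appRoleAssignments", [])}


def grant_keys(sp):
    """oauth2PermissionGrants: delegated permissions. 'scope' is a space-separated
    string, so it is split into one key per scope; principalId is None for
    tenant-wide (AllPrincipals) admin consent and is normalised to ''."""
    keys = set()
    for g in sp.get("oauth2PermissionGrants", []):
        for scope in g.get("scope", "").split():
            keys.add((g["resourceId"], g["consentType"], g.get("principalId") or "", scope))
    return keys


def owner_keys(sp):
    """owners: directory objects allowed to modify the SP (including adding credentials)."""
    return {o["id"] for o in sp.get("owners", [])}


def diff_service_principal(snapshot, current):
    """Return {'changed': {...}, 'missing': {...}, 'extra': {...}}.
    'missing' lists values present before deletion but absent now (the restore
    did not bring them back); 'extra' lists values present now that the
    original object never had (something was granted that should be explained)."""
    report = {"changed": {}, "missing": {}, "extra": {}}
    for attr in SCALAR_ATTRS:
        if snapshot.get(attr) != current.get(attr):
            report["changed"][attr] = (snapshot.get(attr), current.get(attr))

    collectors = {attr: (lambda sp, a=attr: set(sp.get(a, []))) for attr in LIST_ATTRS}
    collectors.update({"appRoleAssignments": assignment_keys,
                       "oauth2PermissionGrants": grant_keys,
                       "owners": owner_keys})
    for attr, collect in collectors.items():
        before, after = collect(snapshot), collect(current)
        if before - after:
            report["missing"][attr] = sorted(before - after)
        if after - before:
            report["extra"][attr] = sorted(after - before)
    return report


def is_clean(report):
    """True when the restored object matches the snapshot on every compared attribute."""
    return not any(report.values())


# Constructed sample: the object as it was before deletion, and as it came back.
SNAPSHOT = {
    "displayName": "Payroll Sync", "accountEnabled": True,
    "appRoleAssignmentRequired": True, "servicePrincipalType": "Application",
    "preferredSingleSignOnMode": None,
    "servicePrincipalNames": ["api://payroll-sync", "11111111-1111-1111-1111-111111111111"],
    "tags": ["WindowsAzureActiveDirectoryIntegratedApp"],
    "notificationEmailAddresses": [],
    "appRoleAssignments": [{"resourceId": "sp-graph-0001", "appRoleId": "role-user-read-all"}],
    "oauth2PermissionGrants": [{"resourceId": "sp-graph-0001", "consentType": "AllPrincipals",
                                "principalId": None, "scope": "User.Read offline_access"}],
    "owners": [{"id": "user-alice"}, {"id": "user-bob"}],
}

RESTORED = {
    **SNAPSHOT,
    "appRoleAssignmentRequired": False,            # assignment requirement silently dropped
    "appRoleAssignments": [
        {"resourceId": "sp-graph-0001", "appRoleId": "role-user-read-all"},
        {"resourceId": "sp-graph-0001", "appRoleId": "role-directory-readwrite-all"},  # never in the snapshot
    ],
    "oauth2PermissionGrants": [{"resourceId": "sp-graph-0001", "consentType": "AllPrincipals",
                                "principalId": None, "scope": "User.Read"}],  # offline_access not restored
    "owners": [{"id": "user-alice"}],              # one owner missing
}

if __name__ == "__main__":
    import json
    print(json.dumps(diff_service_principal(SNAPSHOT, RESTORED), indent=2, default=list))
```

The report separates three cases a reviewer treats differently: a changed scalar (here the assignment requirement being switched off opens the app to every user in the tenant), a missing grant or owner (the application will fail or be unmanageable until re-granted), and an extra application permission (which has to be explained before the restored object is trusted).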
Applications (Application Registrations)
The lists below include all supported application registration attributes that can be restored by On Demand Recovery.
General
Attribute | Description
api | Specifies settings for an application that implements a web API. NOTE: see the API attributes list below for detailed information on this complex attribute.
applicationTemplateId | Unique identifier of the applicationTemplate.
appRoles | The collection of roles defined for the application.
defaultRedirectUri | The default redirect URI.
displayName | The display name of the application.
groupMembershipClaims | Configures the groups claim issued in a user or OAuth 2.0 access token that the application expects.
identifierUris | The URIs that identify the application within its Microsoft Entra tenant, or within a verified custom domain if the application is multi-tenant.
info | Basic profile information of the application, such as its marketing, support, terms of service, and privacy statement URLs. NOTE: see the Info attributes list below for detailed information on this complex attribute.
isFallbackPublicClient | Specifies the fallback application type as public client, such as an installed application running on a mobile device.
optionalClaims | Application developers can configure optional claims in their Microsoft Entra applications to specify the claims that are sent to their application by the Microsoft security token service. NOTE: see the Optional Claims attributes list below for detailed information on this complex attribute.
owners | Directory objects that are owners of the application.
publisherDomain | The verified publisher domain for the application.
requiredResourceAccess | Specifies the resources that the application needs to access. This property also specifies the set of delegated permissions and application roles that it needs for each of those resources. This configuration of access to the required resources drives the consent experience. NOTE: see the Required Resource Access attributes list below for detailed information on this complex attribute.
samlMetadataUrl | The URL where the service exposes SAML metadata for federation.
signInAudience | Specifies the Microsoft accounts that are supported for the current application.
spa | Specifies settings for a single-page application, including sign-out URLs and redirect URIs for authorization codes and access tokens. NOTE: see the Spa attributes list below for detailed information on this complex attribute.
tags | Custom strings that can be used to categorize and identify the application.
web | Specifies settings for a web application. NOTE: see the Web attributes list below for detailed information on this complex attribute.
API
Attribute | Description
acceptMappedClaims | When true, allows an application to use claims mapping without specifying a custom signing key.
knownClientApplications | Used for bundling consent if you have a solution that contains two parts: a client app and a custom web API app.
oauth2PermissionScopes | The definition of the delegated permissions exposed by the web API represented by this application registration.
preAuthorizedApplications | Lists the client applications that are pre-authorized with the specified delegated permissions to access this application's APIs.
requestedAccessTokenVersion | Specifies the access token version expected by this resource. This changes the version and format of the JWT produced independent of the endpoint or client used to request the access token.
App Roles
Microsoft Entra application roles are used to assign application permissions to users. Application roles are defined by adding them to the application manifest. After a customer signs up to an application, an admin for the Microsoft Entra directory assigns users to the roles, thus giving those users permission to the application. When a user signs in, the user's assigned roles are sent as claims.
Attribute | Description
allowedMemberTypes | Specifies whether this app role can be assigned to users and groups, to other applications, or both.
appRoles | The collection of roles the application declares.
description | The description for the app role.
displayName | Display name for the permission that appears in the app role assignment and consent experiences.
id | Unique role identifier inside the appRoles collection.
isEnabled | When creating or updating an app role, this must be set to true (which is the default).
value | Specifies the value to include in the roles claim in ID tokens and access tokens authenticating an assigned user or service principal.
Info
Attribute | Description
logoUrl | CDN URL to the application's logo. Read-only.
marketingUrl | Link to the application's marketing page.
privacyStatementUrl | Link to the application's privacy statement.
supportUrl | Link to the application's support page.
termsOfServiceUrl | Link to the application's terms of service statement.
Optional Claims
Attribute | Description
accessToken | The optional claims returned in the JWT access token.
idToken | The optional claims returned in the JWT ID token.
saml2Token | The optional claims returned in the SAML token.
Required Resource Access
Attribute | Description
resourceAppId | The unique identifier for the resource that the application requires access to. This should be equal to the appId declared on the target resource application.
resourceAccess (id, type) | The list of OAuth 2.0 permission scopes and app roles that the application requires from the specified resource. Each entry carries the id of the scope or app role and its type: Scope for a delegated permission, Role for an application permission.
Spa
Attribute | Description
redirectUris | Specifies the URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent.
Web
Attribute | Description
homePageUrl | Home page or landing page of the application.
implicitGrantSettings (enableAccessTokenIssuance, enableIdTokenIssuance) | Specifies whether this web application can request access tokens and/or ID tokens using the OAuth 2.0 implicit flow.
logoutUrl | Specifies the URL that Microsoft's authorization service uses to log out a user using front-channel, back-channel or SAML logout protocols.
redirectUris | Specifies the URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent.
redirectUriSettings | Specifies the index of the URLs where user tokens are sent for sign-in. This is only valid for applications using SAML.
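Several of the application registration attributes listed above (implicitGrantSettings, redirectUris in web and spa, isFallbackPublicClient, acceptMappedClaims, preAuthorizedApplications, requiredResourceAccess, signInAudience) are exactly the ones that, once restored, determine whether a stolen authorization code or a look-alike redirect host yields a usable token. The following is an added example for this page, not code from On Demand Recovery or Microsoft Graph: it audits one application object in the Graph application shape and prints findings, first for a weak registration and then for the same registration after the high-severity items are corrected. WEAK_APP and HARDENED_APP are constructed samples; their GUIDs and hostnames are placeholders, except the Microsoft Graph resource appId, which is the documented constant.

```python
"""Audit an application registration for the settings in the tables above
that most often widen its attack surface: implicit-flow token issuance,
weak redirect URIs, the fallback-public-client switch, claims mapping
without a custom signing key, pre-authorized clients and requested
application permissions.

Added example, not code from On Demand Recovery or Microsoft Graph. The
input follows the shape of a Graph application object (api, web, spa,
requiredResourceAccess, ...). WEAK_APP and HARDENED_APP are constructed
samples with placeholder GUIDs and hostnames.
"""
import copy
from urllib.parse import urlsplit


def check_redirect_uri(uri):
    """Return a short problem description for a redirect URI, or None if it is
    acceptable: https only (plain http tolerated for loopback during
    development), no wildcard hosts or paths, no fragment."""
    if "*" in uri:
        return "wildcard"
    parts = urlsplit(uri)
    if parts.fragment:
        return "fragment"
    if parts.scheme == "https":
        return None
    if parts.scheme == "http" and (parts.hostname or "") in ("localhost", "127.0.0.1"):
        return None
    return f"insecure scheme {parts.scheme or '(none)'}"


def audit_application(app):
    """Return a list of (severity, attribute, detail) findings for one app object."""
    findings = []
    grant = app.get("web", {}).get("implicitGrantSettings", {})
    if grant.get("enableAccessTokenIssuance"):
        findings.append(("high", "web.implicitGrantSettings.enableAccessTokenIssuance",
                         "access tokens issued through the implicit flow; use authorization code + PKCE"))
    if grant.get("enableIdTokenIssuance"):
        findings.append(("medium", "web.implicitGrantSettings.enableIdTokenIssuance",
                         "ID tokens issued through the implicit flow"))
    for section in ("web", "spa"):
        for uri in app.get(section, {}).get("redirectUris", []):
            problem = check_redirect_uri(uri)
            if problem:
                findings.append(("high", f"{section}.redirectUris", f"{uri}: {problem}"))
    if app.get("isFallbackPublicClient"):
        findings.append(("medium", "isFallbackPublicClient",
                         "treated as a public client when the redirect URI is ambiguous; no client credential required"))
    api = app.get("api", {})
    if api.get("acceptMappedClaims"):
        findings.append(("medium", "api.acceptMappedClaims",
                         "claims mapping accepted without a custom signing key"))
    for pre in api.get("preAuthorizedApplications", []):
        findings.append(("info", "api.preAuthorizedApplications",
                         f"{pre['appId']} consented in advance to {len(pre.get('delegatedPermissionIds', []))} scope(s)"))
    for rra in app.get("requiredResourceAccess", []):
        # type Role = application permission: usable without a signed-in user.
        roles = [ra["id"] for ra in rra.get("resourceAccess", []) if ra.get("type") == "Role"]
        if roles:
            findings.append(("review", "requiredResourceAccess",
                             f"application permissions on {rra['resourceAppId']}: {', '.join(roles)}"))
    if app.get("signInAudience", "AzureADMyOrg") != "AzureADMyOrg":
        findings.append(("info", "signInAudience",
                         f"{app['signInAudience']}: accepts accounts from outside this tenant"))
    return findings


WEAK_APP = {
    "displayName": "Expense Portal",
    "signInAudience": "AzureADMyOrg",
    "isFallbackPublicClient": False,
    "web": {
        "redirectUris": ["https://expenses.contoso.example/signin-oidc",
                         "http://expenses.contoso.example/legacy-callback",
                         "http://localhost:5000/callback"],
        "implicitGrantSettings": {"enableAccessTokenIssuance": True, "enableIdTokenIssuance": False},
    },
    "spa": {"redirectUris": ["https://*.contoso.example/spa"]},
    "api": {"acceptMappedClaims": False,
            "preAuthorizedApplications": [{"appId": "22222222-2222-2222-2222-222222222222",
                                           "delegatedPermissionIds": ["33333333-3333-3333-3333-333333333333"]}]},
    "requiredResourceAccess": [{
        "resourceAppId": "00000003-0000-0000-c000-000000000000",  # Microsoft Graph (documented appId)
        "resourceAccess": [{"id": "44444444-4444-4444-4444-444444444444", "type": "Scope"},
                           {"id": "55555555-5555-5555-5555-555555555555", "type": "Role"}],
    }],
}

# The same registration with the high-severity items corrected.
HARDENED_APP = copy.deepcopy(WEAK_APP)
HARDENED_APP["web"]["implicitGrantSettings"]["enableAccessTokenIssuance"] = False
HARDENED_APP["web"]["redirectUris"] = ["https://expenses.contoso.example/signin-oidc",
                                       "http://localhost:5000/callback"]
HARDENED_APP["spa"]["redirectUris"] = ["https://portal.contoso.example/spa"]

if __name__ == "__main__":
    for label, app in (("weak", WEAK_APP), ("hardened", HARDENED_APP)):
        print(label)
        for sev, attr, detail in audit_application(app):
            print(f"  [{sev}] {attr}: {detail}")
```

Pre-authorized clients and application permissions are reported at "info"/"review" rather than as failures because they are legitimate in many registrations; the point is that a restore brings them back exactly as they were, so they need the same review as the rest.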
Application Proxy
The list below includes all supported Application Proxy attributes that can be restored by On Demand Recovery.
General
Attribute | Description
alternateUrl | A user-friendly URL that points to the traffic manager when one is placed in front of several Application Proxy applications.
applicationServerTimeout | The duration the connector will wait for a response from the backend application before closing the connection.
externalAuthenticationType | Details the pre-authentication setting for the application. Pre-authentication enforces that users must authenticate before accessing the app.
externalUrl | The address your users will go to in order to access the app from outside your network.
internalUrl | The URL that you use to access the application from inside your private network.
isBackendCertificateValidationEnabled | Indicates whether backend SSL certificate validation is enabled for the application.
isHttpOnlyCookieEnabled | Indicates whether the HttpOnly cookie flag should be set in the HTTP response headers.
isOnPremPublishingEnabled | Indicates whether the application is currently being published via Application Proxy.
isPersistentCookieEnabled | Indicates whether the Persistent cookie flag should be set in the HTTP response headers.
isSecureCookieEnabled | Indicates whether the Secure cookie flag should be set in the HTTP response headers.
isTranslateHostHeaderEnabled | If set to true, translates URLs in headers.
isTranslateLinksInBodyEnabled | If set to true, translates URLs in the body.
singleSignOnSettings | Represents the single sign-on configuration for the on-premises application.
useAlternateUrlForTranslationAndRedirect |
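Of the Application Proxy attributes above, externalAuthenticationType, isBackendCertificateValidationEnabled and the three cookie flags are the ones worth checking the moment a published app is restored, since a pass-through or unvalidated-backend configuration comes back exactly as it was saved. The following is an added example for this page, not code from On Demand Recovery or Microsoft Graph: given a configuration in the shape of the Graph onPremisesPublishing resource, it returns only the fields that differ from a hardened baseline, in the form of a PATCH body, so the weak and corrected settings sit side by side. The WEAK configuration and its URLs are constructed placeholders.

```python
"""Compute the hardening patch for an Application Proxy (onPremisesPublishing)
configuration: compare a published app against the settings a practitioner
expects (Entra pre-authentication, backend certificate validation, HttpOnly
and Secure session cookies, no persistent cookie, https external URL) and
return only the fields that need to change.

Added example, not code from On Demand Recovery or Microsoft Graph. Field
names follow the Graph onPremisesPublishing resource; WEAK is a constructed
sample with placeholder URLs.
"""
from urllib.parse import urlsplit

# Target values for the flag-type settings in the table above.
EXPECTED_FLAGS = {
    "externalAuthenticationType": "aadPreAuthentication",  # "passthru" bypasses Entra sign-in and Conditional Access
    "isHttpOnlyCookieEnabled": True,
    "isSecureCookieEnabled": True,
    "isPersistentCookieEnabled": False,
}


def hardening_patch(pub):
    """Return the dict of settings that differ from the expected values
    (an empty dict means the published app already meets the baseline)."""
    patch = {}
    for key, expected in EXPECTED_FLAGS.items():
        if pub.get(key) != expected:
            patch[key] = expected
    # Backend certificate validation only matters when the connector talks TLS to the backend.
    internal_https = urlsplit(pub.get("internalUrl", "")).scheme == "https"
    if internal_https and not pub.get("isBackendCertificateValidationEnabled"):
        patch["isBackendCertificateValidationEnabled"] = True
    ext = pub.get("externalUrl", "")
    if urlsplit(ext).scheme != "https":
        # Force the scheme only; the published hostname and path stay as configured.
        patch["externalUrl"] = "https://" + ext.split("://", 1)[-1]
    return patch


def apply_patch(pub, patch):
    """Return a copy of the configuration with the patch applied."""
    return {**pub, **patch}


# Constructed sample: a published app restored with its original, weak settings.
WEAK = {
    "externalUrl": "http://timesheets-contoso.msappproxy.example/",
    "internalUrl": "https://timesheets.corp.contoso.example/",
    "externalAuthenticationType": "passthru",
    "isBackendCertificateValidationEnabled": False,
    "isHttpOnlyCookieEnabled": False,
    "isSecureCookieEnabled": False,
    "isPersistentCookieEnabled": True,
    "isTranslateHostHeaderEnabled": True,
    "applicationServerTimeout": "default",
}

if __name__ == "__main__":
    import json
    patch = hardening_patch(WEAK)
    print(json.dumps(patch, indent=2))          # the six fields that must change
    print(hardening_patch(apply_patch(WEAK, patch)))  # {} once applied
```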
Connector Group
Conditional Access Policy
The list below includes all supported Conditional Access Policy attributes that can be restored by On Demand Recovery. A restored policy carries its state, assignments and access controls:
State: Enabled or Disabled
Assignments:
- Users and groups to which the policy is applied
- Cloud applications for which the policy is enabled
- Included/excluded locations
- Device platforms
Access controls:
- Block access
- Grant access (require multifactor authentication, a compliant device or a domain-joined device)
General
Attribute | Description
conditions | Specifies the rules that must be met for the policy to apply.
displayName | Specifies a display name for the conditionalAccessPolicy object.
grantControls | Specifies the grant controls that must be fulfilled to pass the policy.
sessionControls | Specifies the session controls that are enforced after sign-in.
state | Specifies the state of the conditionalAccessPolicy object: enabled, disabled, or enabledForReportingButNotEnforced (report-only). Only an enabled policy is enforced after the restore.