Chat now with support
Chat with Support

On Demand Recovery Current - Supported Attributes

Service Principals (Enterprise Applications)

The lists below include all supported Enterprise application attributes that can be restored by On Demand Recovery.

 

General

Attribute Name Description
accountEnabled True if the service principal account is enabled; otherwise, False.
alternativeNames Used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
appId The unique identifier for the associated application (its appId property).
applicationProxy  

applicationTemplateId (Gallery App only)

Unique identifier of the applicationTemplate that the servicePrincipal was created from.
appRoleAssignedTo App role assignments for this app or service, granted to users, groups, and other service principals.
appRoleAssignmentRequired Specifies whether users or other service principals need to be granted an app role assignment for this service principal before users can sign in or apps can get tokens.
appRoleAssignments App role assignment for another app or service, granted to this service principal.
appRoles The roles exposed by the application which this service principal represents.
displayName The display name of the service principal.
homepage Home page or landing page of the application.
loginUrl Specifies the URL where the service provider redirects the user to Azure AD to authenticate.
logoutUrl Specifies the URL that will be used by Microsoft's authorization service to logout an user using OpenId Connect front-channel, back-channel or SAML logout protocols.
memberOf Roles that this service principal is a member of.
notificationEmailAddresses Specifies the list of email addresses where Azure AD sends a notification when the active certificate is near the expiration date.
oauth2PermissionGrants Delegated permission grants authorizing this service principal to access an API on behalf of a signed-in user.
owners Directory objects that are owners of this servicePrincipal. The owners are a set of non-admin users or servicePrincipals who are allowed to modify this object.
preferredSingleSignOnMode Specifies the single sign-on mode configured for this application.
roles  
samlSingleSignOnSettings

The collection for settings related to saml single sign-on.

NOTE: see SAML Single Sign-On (SSO) (Service Principals) attributes list below for detailed information on complex attribute.
servicePrincipalNames Contains the list of identifiersUris, copied over from the associated application.
servicePrincipalType Identifies if the service principal represents an application or a managed identity. This is set by Azure AD internally. For a service principal that represents an application this is set as Application. For a service principal that represent a managed identity this is set as ManagedIdentity.
signinAudience Specifies the Microsoft accounts that are supported for the current application.
ssoSettings  
tags Custom strings that can be used to categorize and identify the service principal.
userAttributesAndClaims The attribute value shows how many attributes/claims were changed. This attribute can be restored if the User Attributes & Claims section was changed or a service principal was permanently deleted.

 

SAML Single Sign-On (SSO)

SAML Single Sign-On is a mechanism that leverages SAML allowing users to log on to multiple applications after logging into the identity provider. As the user must log in once, SAML SSO provides a faster, seamless user experience.

Attribute Name
relayState

 

App Role Assignments

Azure App Role assignments are used to assign application permissions to users. After a customer signs up to an application an admin for the Azure AD directory assigns users to the roles, thus giving the user permission to the application. When a user signs in, the user's assigned roles are sent as claims.

Attribute Name Description
appRoleAssignmentRequired Specifies whether users or other service principals need to be granted an app role assignment for this service principal before users can sign in or apps can get tokens.
displayName (App Role) Display name for the permission that appears in the app role assignment and consent experiences.
memberOf (Directory Role) The directory roles that the user is a member of.
memberOf (Groups) The groups that the user is a member of.

Applications (Application Registrations)

The lists below include all supported application registration attributes that can be restored by On Demand Recovery.

 

General

Attribute Name Description
api

Specifies settings for an application that implements a web API.

NOTE: see API attributes list below for detailed information on complex attribute.

applicationTemplateId Unique identifier of the applicationTemplate.
appRoles The collection of roles defined for the application.
defaultRedirectUri The default redirect URI.
displayName The display name of the application.
groupMembershipClaims Configures the groups claim issued in a user or OAuth 2.0 access token that the application expects.
identifierUris The URIs that identify the application within its Azure AD tenant, or within a verified custom domain if the application is multi-tenant.
info

Basic profile information of the application, such as it's marketing, support, terms of service, and privacy statement URLs.

NOTE: see Info attributes list below for detailed information on complex attribute.

isFallbackPublicClient Specifies the fallback application type as public client, such as an installed application running on a mobile device.
optionalClaims

Application developers can configure optional claims in their Azure AD applications to specify the claims that are sent to their application by the Microsoft security token service.

NOTE: see Optional Claims attributes list below for detailed information on complex attribute.

owners Directory objects that are owners of the application
publisherDomain The verified publisher domain for the application.
requiredResourceAccess

Specifies the resources that the application needs to access. This property also specifies the set of delegated permissions and application roles that it needs for each of those resources. This configuration of access to the required resources drives the consent experience.

NOTE: see Required Resource Access attributes list below for detailed information on complex attribute.

samlMetadataUrl The URL where the service exposes SAML metadata for federation.
signInAudience Specifies the Microsoft accounts that are supported for the current application.
spa

Specifies settings for a single-page application, including sign out URLs and redirect URIs for authorization codes and access tokens.

NOTE: see Spa attributes list below for detailed information on complex attribute.

tags Custom strings that can be used to categorize and identify the application.
web

Specifies settings for a web application.

NOTE: see Web attributes list below for detailed information on complex attribute.

 

API

Attribute Name Description
acceptMappedClaims When true, allows an application to use claims mapping without specifying a custom signing key.
knownClientApplications Used for bundling consent if you have a solution that contains two parts: a client app and a custom web API app.
oauth2PermissionScopes The definition of the delegated permissions exposed by the web API represented by this application registration.
preAuthorizedApplications Lists the client applications that are pre-authorized with the specified delegated permissions to access this application's APIs.
requestAccessTokenVersion Specifies the access token version expected by this resource. This changes the version and format of the JWT produced independent of the endpoint or client used to request the access token.

 

App Roles

Azure Application Roles are used to assign application permissions to users. Application roles are defined by adding them to the application manifest. After a customer signs up to an application an admin for the Azure AD directory assigns users to the roles, thus giving the user permission to the application. When a user signs in, the user's assigned roles are sent as claims.

Attribute Name Description
allowedMemberTypes Specifies whether this app role can be assigned to users and groups, to other applications, or both.
appRoles The collection of roles the application declares.
description The description for the app role.
displayName Display name for the permission that appears in the app role assignment and consent experiences.
id Unique role identifier inside the appRoles collection.
isEnabled When creating or updating an app role, this must be set to true (which is the default).
value Specifies the value to include in the roles claim in ID tokens and access tokens authenticating an assigned user or service principal.

Info

Attribute Name Description
logoUrl CDN URL to the application's logo. Read-only.
marketingUrl Link to the application's marketing page.
privacyStatementUrl Link to the application's privacy statement.
supportUrl Link to the application's support page.
termsOfServiceUrl Link to the application's terms of service statement.

 

Optional Claims

Attribute Name Description
accessToken The optional claims returned in the JWT access token.
idToken The optional claims returned in the JWT ID token.
saml2Token The optional claims returned in the SAML token.

 

Required Resource Access

Attribute Name Sub-Attribute Name  
resourceAppId   The unique identifier for the resource that the application requires access to. This should be equal to the appId declared on the target resource application.
resourceAccess

id

type

The list of OAuth2.0 permission scopes and app roles that the application requires from the specified resource.

 

Spa

Attribute Name Description
redirectUris Specifies the URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent.

 

Web

Attribute Name Sub-Attribute Name Description
homePageUrl   Home page or landing page of the application.
implicitGrantSettings

enabledAccessTokenIssuance

enabledIdTokenIssuance

Specifies whether this web application can request tokens using the OAuth 2.0 implicit flow.
logoutUrl   Specifies the URL that will be used by Microsoft's authorization service to logout an user using front-channel, back-channel or SAML logout protocols.
redirectUris   Specifies the URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent.
redirectUriSettings   Specifies the index of the URLs where user tokens are sent for sign-in. This is only valid for applications using SAML.

Application Proxy

The list below includes all supported Application Proxy attributes that can be restored by On Demand Recovery.

General

Attribute Name Description
alternateUrl A user-friendly URL that will point to the traffic manager.
applicationServerTimeout The duration the connector will wait for a response from the backend application before closing the connection.
externalAuthenticationType Details the pre-authentication setting for the application. Pre-authentication enforces that users must authenticate before accessing the app.
externalUrl The address your users will go to in order to access the app from outside your network.
internalUrl The URL that you use to access the application from inside your private network.
isBackendCertificateValidationEnabled Indicates whether backend SSL certificate validation is enabled for the application.
isHttpOnlyCookieEnabled Indicates if the HTTPOnly cookie flag should be set in the HTTP response headers.
isOnPremPublishingEnabled Indicates if the application is currently being published via Application Proxy or not.
isPersistentCookieEnabled Indicates if the Persistent cookie flag should be set in the HTTP response headers.
isSecureCookieEnabled Indicates if the Secure cookie flag should be set in the HTTP response headers.
isTranslateHostHeaderEnabled If set to true, translates URLs in headers.
isTranslateLinksInBodyEnabled If set to true, translates URLs in body.
singleSignOnSettings Represents the single sign-on configuration for the on-premises application.
useAlternateUrlForTranslationAndRedirect  

 

Connector Group

Attribute Name
name
region

 

State: Enabled or Disabled

Assignments:

  • Users and groups for which the policy is applied
  • Cloud applications for which the policy is enabled
  • Included/excluded locations
  • Device platforms

Access controls:

  • Block access
  • Grant access (require multifactor authentication, compliant device or domain joined device)

Conditional Access Policy

The list below includes all supported Conditional Access Policy attributes that can be restored by On Demand Recovery.

 

General

Attribute Name Description
conditions Specifies the rules that must be met for the policy to apply.
displayName Specifies a display name for the conditionalAccessPolicy object.
grantControls Specifies the grant controls that must be fulfilled to pass the policy.
sessionControls Specifies the session controls that are enforced after sign-in.
state Specifies the state of the conditionalAccessPolicy object.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating