Entra ID Application Object schema

Last updated: November 15, 2023
Audience: IT Staff / Technical

This page describes the Entra ID objects that represent any given Entra ID Application. This information can help you understand what can be configured on, or associated with, an Entra ID application. However, this is not an exhaustive compendium of all data stored in Entra ID about an Entra ID application–for example, it does not capture the Entra ID Conditional Access rules that apply to any given Entra ID application.

Basic concepts were introduced on the Entra ID App Basics page. Now we’ll drill down into concepts by object type, then we’ll look at the objects and associated properties.

Concepts By Object Type

Entra ID object of type application

  • There are two types of Entra ID applications: confidential clients and public clients. Confidential clients need to authenticate as themselves, so must have credentials–these are typically web apps or code used to programmatically leverage the API of another Entra ID application. Public clients do not need to authenticate as themselves and typically represent native clients broadly distributed on many devices.
    • So each confidential client Entra ID application must have credentials so it can authenticate. These Entra ID apps can choose between two types of credentials:
      • A password-like credential
      • A public/private certificate credential
  • Each Entra ID application must define what permissions to other Entra ID applications it needs. The minimum permission set is typically the ability to read Entra ID itself.
  • Each Entra ID application must define whether it is available to other Entra ID tenants.
  • Each Entra ID application may define permission scopes that can be granted to other Entra ID applications. This is optional.
  • Each Entra ID application may define roles which users can be assigned to. This is optional.
  • Each Entra ID application may define URIs for which logon tokens associated with it are valid. This is optional, but depending on the scenario may be required.

Entra ID object of type servicePrincipal

  • Each Entra ID application instance may require assignment of users or groups. This is optional.
  • Each Entra ID application instance will record all consent permissions granted within that tenant.
  • Each Entra ID application instance will record any role assignments. Note that if assignment is required, a basic role is created even if the application doesn’t define any roles.
  • Each Entra ID application instance may have URIs defined for which logon tokens associated with it are valid. This is optional, but depending on the scenario may be required.

Objects and Properties

  • Application
    • oauth2Permissions – These are the defined permission scopes. For example read, write, etc.
    • appRoles – These are the defined roles. For example, Reader, Writer, Admin, etc.
    • requiredResourceAccess – This is the list of applications and associated permission scopes that this Entra ID application requires access to.
    • availableToOtherTenants – This is a Boolean that indicates whether this application can be instantiated as a service principal in another tenant.
    • passwordCredentials – This represents the password credentials used by a confidential client app to authenticate as itself. Once written, the secret value cannot be read back; only its metadata (such as keyId and expiry) is visible.
    • keyCredentials – This represents the public/private certificate credentials used by a confidential client app to authenticate as itself.
    • publicClient – This indicates whether this application is a public client or a confidential client, where null represents a confidential client.
    • replyUrls – URIs for which logon tokens requested by this Entra ID application are issued to. This is optional, but depending on the scenario may be required.
    • displayName – A human-friendly name for the application.
    • objectId – A unique identifier for this application object.
    • appId – The application (client) ID; every servicePrincipal instantiated from this application carries the same appId.
    • errorUrl – The URI to send a client to when an error is raised. Optional.
    • logoutUrl – The URI to send a client to when a logout is requested. Optional.
    • samlMetadataUrl – The URL from which the application's SAML federation metadata can be retrieved. Optional.
    • groupMembershipClaims – Configures which group memberships are emitted in the groups claim of tokens issued to this application (for example None, SecurityGroup, or All). Optional.
    • homepage – The URL of the application's home page. Optional.
    • identifierUris – User-defined URIs (App ID URIs) that uniquely identify this application within the tenant; tokens requested for this application are issued with one of these as the audience.
    • knownClientApplications – appIds of client applications bundled with this application so that a user consents to both in a single step. Optional.
    • oauth2AllowImplicitFlow – Boolean. Indicates whether the OAuth 2.0 implicit grant flow is allowed for this application.
    • oauth2AllowUrlPathMatching – Boolean.
    • oauth2RequirePostResponse – Boolean.
  • ServicePrincipal
    • oauth2PermissionGrants – This represents the list of all user consent permissions granted for this application instance. An entry with consentType=AllPrincipals represents an admin consent (granted on behalf of all users); an entry with consentType=Principal is a consent granted by a single user.
    • appRoles – These are the defined roles. For example, Reader, Writer, Admin, etc.
    • appRoleAssignedTo – This represents the list of all role assignments for this application instance.
    • appRoleAssignmentRequired – This is a Boolean that indicates whether this application requires assignment in order for a given user to access it.
    • replyUrls – URIs for which logon tokens requested by this Entra ID application are issued to. This is optional, but depending on the scenario may be required.
    • accountEnabled – Whether this Entra ID application instance is enabled.
    • passwordCredentials – This represents the password credentials used by a confidential client app to authenticate as itself. Once written, the secret value cannot be read back; only its metadata (such as keyId and expiry) is visible.
    • keyCredentials – This represents the public/private certificate credentials used by a confidential client app to authenticate as itself.
    • appOwnerTenantId – The unique identifier for the home tenant of the Entra ID application this servicePrincipal is an instance of.
    • publisherName – The name of the home tenant of the Entra ID application this servicePrincipal is an instance of.
    • appDisplayName – A human-friendly name for the servicePrincipal.
    • displayName – A human-friendly name for the servicePrincipal.
    • objectId – A unique identifier for this servicePrincipal object.
    • appId – The application (client) ID of the application this servicePrincipal is an instance of; it is the same value as the application's appId.
    • errorUrl – The URI to send a client to when an error is raised. Optional.
    • logoutUrl – The URI to send a client to when a logout is requested. Optional.
    • samlMetadataUrl – The URL from which the application's SAML federation metadata can be retrieved. Optional.
    • servicePrincipalNames – The list of identifiers for this servicePrincipal, including its appId and the application's identifierUris.
    • preferredTokenSigningKeyThumbprint – The thumbprint of the certificate used to sign SAML tokens issued for this servicePrincipal. Optional; used for SAML-based single sign-on.
    • homepage – The URL of the application's home page. Optional.
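The following is an added example, not code from the original page or from Microsoft: an offline review of one application object and its servicePrincipal instance, using the property names listed above (credential types and the confidential/public client distinction from the Concepts section; oauth2PermissionGrants, appRoleAssignmentRequired, replyUrls and the OAuth flags from the Objects section). The two input objects are constructed sample dictionaries with placeholder values, so nothing contacts a tenant; the finding codes, function names and the treatment of publicClient null/false as "confidential" are this example's own assumptions.

```python
"""Offline review of an Entra ID application object and its servicePrincipal
instance, keyed by the property names this page lists. Added example; the
sample objects below are constructed placeholders, not real tenant data."""
from datetime import datetime, timezone

# Constructed sample application object (placeholder values).
SAMPLE_APPLICATION = {
    "displayName": "Example Reporting App",
    "publicClient": None,                      # null => confidential client (page definition)
    "availableToOtherTenants": True,
    "passwordCredentials": [{"keyId": "pw-1", "endDate": "2023-06-30T00:00:00Z"}],
    "keyCredentials": [{"keyId": "cert-1", "endDate": "2025-06-30T00:00:00Z"}],
    "oauth2AllowImplicitFlow": True,
    "replyUrls": [
        "https://reports.example.com/signin",
        "http://reports.example.com/signin",   # plaintext redirect target
        "http://localhost:8080/signin",        # local development loopback
    ],
}

# Constructed sample servicePrincipal instance (placeholder values).
SAMPLE_SERVICE_PRINCIPAL = {
    "displayName": "Example Reporting App",
    "accountEnabled": True,
    "appRoleAssignmentRequired": False,
    "oauth2PermissionGrants": [
        {"consentType": "AllPrincipals", "scope": "User.Read Directory.Read.All"},
        {"consentType": "Principal", "principalId": "user-1", "scope": "User.Read"},
    ],
}


def parse_timestamp(value):
    """Credential endDate values in the sample are ISO-8601 UTC timestamps ending in Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_application(app, now):
    """Return finding codes for an application object (assumed code names)."""
    findings = []
    is_confidential = app.get("publicClient") in (None, False)   # assumption: null/false = confidential
    passwords = app.get("passwordCredentials") or []
    keys = app.get("keyCredentials") or []
    if is_confidential and not passwords and not keys:
        findings.append("NO_CREDENTIALS")           # confidential client that cannot authenticate
    for cred in passwords:
        findings.append(f"PASSWORD_CREDENTIAL:{cred['keyId']}")   # page: prefer certificate credentials
    for cred in passwords + keys:                     # only metadata is readable, so expiry is checkable
        if parse_timestamp(cred["endDate"]) < now:
            findings.append(f"CRED_EXPIRED:{cred['keyId']}")
    if app.get("oauth2AllowImplicitFlow"):
        findings.append("IMPLICIT_FLOW_ENABLED")
    if app.get("availableToOtherTenants"):
        findings.append("MULTI_TENANT")             # can be instantiated in other tenants
    for url in app.get("replyUrls") or []:
        if "*" in url:
            findings.append(f"WILDCARD_REPLY_URL:{url}")
        elif url.startswith("http://") and not url.startswith("http://localhost"):
            findings.append(f"PLAINTEXT_REPLY_URL:{url}")
    return findings


def review_service_principal(sp):
    """Return finding codes for a servicePrincipal instance (assumed code names)."""
    findings = []
    if not sp.get("accountEnabled", True):
        findings.append("ACCOUNT_DISABLED")
    if not sp.get("appRoleAssignmentRequired", False):
        findings.append("ASSIGNMENT_NOT_REQUIRED")  # any user in the tenant can sign in to it
    for grant in sp.get("oauth2PermissionGrants") or []:
        if grant.get("consentType") == "AllPrincipals":   # admin consent on behalf of all users
            findings.append(f"ADMIN_CONSENT:{grant['scope']}")
    return findings


def review(app, sp, now):
    """Combined findings for an application and one servicePrincipal instance of it."""
    return review_application(app, now) + review_service_principal(sp)


def run_sample(now_iso):
    """Review the constructed sample objects as of the given UTC timestamp."""
    return review(SAMPLE_APPLICATION, SAMPLE_SERVICE_PRINCIPAL, parse_timestamp(now_iso))


if __name__ == "__main__":
    for finding in run_sample("2024-01-01T00:00:00Z"):
        print(finding)
```

Run as of 2024-01-01 the sample produces one finding per weak setting: the password credential and its expiry, the implicit flow flag, multi-tenant availability, the plaintext reply URL (the localhost one is skipped), the missing assignment requirement, and the admin-consented scopes. Real objects pulled from a tenant use the same property names, so the same functions apply to exported JSON.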