IT Connect

Information technology tools and resources at the UW

Azure AD Application Model

This page describes the Azure AD objects that represent any given Azure AD application. This information can help you understand what kinds of things can be configured for, or are associated with, an Azure AD application. However, this is not an exhaustive compendium of all data stored in Azure AD about an application; for example, it does not capture the Azure AD Conditional Access rules that apply to any given Azure AD application.

Basic concepts were introduced on the Azure AD Application page. Now we’ll drill down into concepts by object type, then we’ll look at the objects and associated properties.

Concepts By Object Type

AAD object of type application

  • There are two types of AAD applications: confidential clients and public clients. Confidential clients need to authenticate as themselves, so they must have credentials; these are typically web apps, or code that programmatically calls the API of another AAD application. Public clients do not need to authenticate as themselves and typically represent native clients broadly distributed on many devices.
    • Each confidential client AAD application must therefore have credentials so it can authenticate. These AAD apps can choose between two types of credentials:
      • A password-like credential
      • A public/private certificate credential
  • Each AAD application must define what permissions it needs on other AAD applications. The minimum permission set is typically the ability to read Azure AD itself.
  • Each AAD application must define whether it is available to other AAD tenants.
  • Each AAD application may define permission scopes that can be granted to other AAD applications. This is optional.
  • Each AAD application may define roles which users can be assigned to. This is optional.
  • Each AAD application may define URIs for which logon tokens associated with it are valid. This is optional, but depending on the scenario may be required.

AAD object of type servicePrincipal

  • Each AAD application instance may require assignment of users or groups. This is optional.
  • Each AAD application instance will record all consent permissions granted within that tenant.
  • Each AAD application instance will record any role assignments. Note that if assignment is required, a basic role is created even if the application doesn’t define any roles.
  • Each AAD application instance may have URIs defined for which logon tokens associated with it are valid. This is optional, but depending on the scenario may be required.

Objects and Properties

  • Application
    • oauth2Permissions – These are the defined permission scopes. For example read, write, etc.
    • appRoles – These are the defined roles. For example, Reader, Writer, Admin, etc.
    • requiredResourceAccess – This is the list of applications and associated permission scopes that this AAD application requires access to.
    • availableToOtherTenants – This is a Boolean that indicates whether this application can be instantiated as a service principal in another tenant.
    • passwordCredentials – This represents the password credentials used by a confidential client app to authenticate as itself. Once written, this value cannot be read back.
    • keyCredentials – This represents the public/private certificate credentials used by a confidential client app to authenticate as itself.
    • publicClient – This indicates whether this application is a public client or a confidential client, where null represents a confidential client.
    • replyUrls – URIs for which logon tokens requested by this AAD application are issued to. This is optional, but depending on the scenario may be required.
    • displayName – A human-friendly name for the application.
    • objectId – A unique identifier for the application object.
    • appId – A unique identifier for the application.
    • errorUrl – The URI to send a client to when an error is raised. Optional.
    • logoutUrl – The URI to send a client to when a logout is requested. Optional.
    • samlMetadataUrl –
    • groupMembershipClaims –
    • homepage –
    • identifierUris –
    • knownClientApplications –
    • oauth2AllowImplicitFlow – Boolean.
    • oauth2AllowUrlPathMatching – Boolean
    • oauth2RequirePostResponse – Boolean
  • ServicePrincipal
    • oauth2Permissions – This represents the list of all user consent permissions granted for this application instance. An entry with consentType=AllPrincipals represents an admin consent.
    • appRoles – These are the defined roles. For example, Reader, Writer, Admin, etc.
    • appRoleAssignedTo – This represents the list of all role assignments for this application instance.
    • appRoleAssignmentRequired – This is a Boolean that indicates whether this application requires assignment in order for a given user to access it.
    • replyUrls – URIs for which logon tokens requested by this AAD application are issued to. This is optional, but depending on the scenario may be required.
    • accountEnabled – Whether this AAD application instance is enabled.
    • passwordCredentials – This represents the password credentials used by a confidential client app to authenticate as itself. Once written, this value cannot be read back.
    • keyCredentials – This represents the public/private certificate credentials used by a confidential client app to authenticate as itself.
    • appOwnerTenantId – The unique identifier for the home tenant of the AAD application this servicePrincipal is an instance of.
    • publisherName – The name of the home tenant of the AAD application this servicePrincipal is an instance of.
    • appDisplayName – A human-friendly name for the servicePrincipal.
    • displayName – A human-friendly name for the servicePrincipal.
    • objectId – A unique identifier for this servicePrincipal object.
    • appId – The unique identifier of the AAD application this servicePrincipal is an instance of.
    • errorUrl – The URI to send a client to when an error is raised. Optional.
    • logoutUrl – The URI to send a client to when a logout is requested. Optional.
    • samlMetadataUrl –
    • servicePrincipalNames –
    • preferredTokenSigningKeyThumbprint –
    • homepage –
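
The property lists above are what an administrator actually reviews when auditing an app. The following is an added example, not code from this page or from UW IT Connect: a small Python audit that reads application and servicePrincipal objects shaped like the properties described above (publicClient, passwordCredentials, keyCredentials, availableToOtherTenants, oauth2AllowImplicitFlow, replyUrls, appRoleAssignmentRequired, accountEnabled, oauth2Permissions with consentType) and flags the settings a defender would want to know about. The two sample objects, their ids, dates and scopes are constructed for illustration; the finding codes and the `AUDIT_NOW` reference time are this example's own conventions.

```python
"""Audit constructed Azure AD application / servicePrincipal objects.

Added example (not from the UW IT Connect page). The dicts below mimic the
property names the page lists; every id, date and scope value is made up.
"""
from datetime import datetime, timezone

# Fixed "current time" so the expiry checks are deterministic (assumption).
AUDIT_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample of an "application" object as the home tenant sees it.
SAMPLE_APPLICATION = {
    "displayName": "Example Confidential App",
    "appId": "00000000-0000-0000-0000-00000000aaaa",   # placeholder id
    "publicClient": None,                              # null => confidential client
    "availableToOtherTenants": True,
    "oauth2AllowImplicitFlow": True,
    "passwordCredentials": [
        {"keyId": "pw-1", "endDate": "2020-01-01T00:00:00Z"},  # already expired
        {"keyId": "pw-2", "endDate": "2099-01-01T00:00:00Z"},
    ],
    "keyCredentials": [],
    "replyUrls": ["https://app.example.edu/signin-oidc"],
}

# Constructed sample of the matching "servicePrincipal" (the tenant instance).
SAMPLE_SERVICE_PRINCIPAL = {
    "displayName": "Example Confidential App",
    "appId": "00000000-0000-0000-0000-00000000aaaa",
    "appOwnerTenantId": "00000000-0000-0000-0000-0000000000ff",  # placeholder
    "accountEnabled": True,
    "appRoleAssignmentRequired": False,
    "oauth2Permissions": [
        # consentType AllPrincipals = admin consent on behalf of every user
        {"consentType": "AllPrincipals", "scope": "User.Read Directory.Read.All"},
        {"consentType": "Principal", "principalId": "user-1", "scope": "User.Read"},
    ],
    "appRoleAssignedTo": [],
}


def _parse_time(value):
    """Parse the ISO-8601 endDate strings used on credential entries."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_application(app, now=AUDIT_NOW):
    """Return finding codes for the home-tenant application object."""
    findings = []
    creds = list(app.get("passwordCredentials", [])) + list(app.get("keyCredentials", []))
    valid = [c for c in creds if _parse_time(c["endDate"]) > now]
    expired = [c for c in creds if _parse_time(c["endDate"]) <= now]

    # On the application object, null publicClient means confidential client.
    if app.get("publicClient"):
        # A broadly distributed native client cannot keep a secret, so any
        # credential on it is a misconfiguration worth reviewing.
        if creds:
            findings.append("PUBLIC_CLIENT_HAS_CREDENTIALS")
    elif not valid:
        # A confidential client must be able to authenticate as itself.
        findings.append("CONFIDENTIAL_CLIENT_NO_VALID_CREDENTIAL")

    for c in expired:
        findings.append(f"EXPIRED_CREDENTIAL:{c['keyId']}")
    if app.get("oauth2AllowImplicitFlow"):
        findings.append("IMPLICIT_FLOW_ENABLED")
    if app.get("availableToOtherTenants"):
        findings.append("MULTI_TENANT")
    for url in app.get("replyUrls", []):
        # Tokens are issued to these URIs; anything not https (localhost
        # excepted for local development, an assumption here) is flagged.
        if not url.startswith("https://") and not url.startswith("http://localhost"):
            findings.append(f"NON_HTTPS_REPLY_URL:{url}")
    return findings


def audit_service_principal(sp):
    """Return finding codes for the per-tenant servicePrincipal instance."""
    findings = []
    if not sp.get("accountEnabled", True):
        findings.append("INSTANCE_DISABLED")
    if not sp.get("appRoleAssignmentRequired"):
        # Without required assignment, any user in the tenant can sign in.
        findings.append("ASSIGNMENT_NOT_REQUIRED")
    for grant in sp.get("oauth2Permissions", []):
        if grant.get("consentType") == "AllPrincipals":
            findings.append(f"ADMIN_CONSENT:{grant['scope']}")
    return findings


if __name__ == "__main__":
    for line in audit_application(SAMPLE_APPLICATION) + audit_service_principal(SAMPLE_SERVICE_PRINCIPAL):
        print(line)
```

The split into two functions mirrors the page's split between the application object (owned by the home tenant) and the servicePrincipal (the instance in each consuming tenant): credential hygiene and flow settings live on the former, while assignment requirements and consent grants are only visible on the latter.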