Azure Active Directory app registrations and Azure Active Directory service principals
When an application is registered in an Azure Active Directory tenant, it creates an associated Azure Active Directory service principal. There are so-called app roles defined for app registrations. Azure Active Directory users, Azure Active Directory groups, or Azure Active Directory service principals can use app roles to provide permissions or functions for the application.
For more information about integrating applications in Azure Active Directory, see the Azure Active Directory documentation from Microsoft.
Information about Azure Active Directory app registrations, Azure Active Directory service principals, and app roles within an Azure Active Directory tenant is loaded into One Identity Manager during synchronization.
If an Azure Active Directory application is used in an Azure Active Directory tenant that is registered in another Azure Active Directory tenant, only the Azure Active Directory service principal and not the Azure Active Directory app registration is loaded into One Identity Manager.
You cannot create new Azure Active Directory app registrations, Azure Active Directory service principals, and app roles in One Identity Manager but you can specify owners of app registrations and service principals and create or delete app roles in One Identity Manager.
Detailed information about this topic
Displaying information about Azure Active Directory app registrations
The information about the Azure Active Directory app registration is loaded into One Identity Manager during synchronization. All the Azure Active Directory app registrations with their Azure Active Directory service principals that are registered in this Azure Active Directory tenant are loaded for an Azure Active Directory tenant.
If an Azure Active Directory application is used in an Azure Active Directory tenant that is registered in another Azure Active Directory tenant, only the Azure Active Directory service principal and not the Azure Active Directory app registration is loaded into One Identity Manager.
You cannot create Azure Active Directory app registrations in One Identity Manager.
To display information about an Azure Active Directory app registration
-
In the Manager, select the Azure Active Directory > App registrations category.
-
Select the Azure Active Directory app registration in the result list.
-
Select one of the following tasks:
-
Azure Active Directory app registration overview: This shows you an overview of the Azure Active Directory app registration and its dependencies.
-
Change main data: Shows the Azure Active Directory app registration's main data.
-
Assign owners: Shows the Azure Active Directory app registration's owners. You can assign owners to an app registration or remove them again.
Related topics
Assigning owners to Azure Active Directory app registrations
Use this task to assign owners to an Azure Active Directory app registration or to remove them from an Azure Active Directory application. Azure Active Directory app registration owners can display and edit app registrations in Azure Active Directory.
To assign owners to an Azure Active Directory app registration
-
In the Manager, select the Azure Active Directory > App registrations category.
-
Select the Azure Active Directory app registration in the result list.
-
Select the Assign owner task.
-
In the Table menu, select the Azure Active Directory user accounts (AADUser) item.
-
In the Add assignments pane, assign owners.
TIP: In the Remove assignments pane, you can remove assigned owners.
To remove an assignment
- Save the changes.
Displaying Azure Active Directory app registration main data
The information about the Azure Active Directory app registration is loaded into One Identity Manager during synchronization. You cannot edit Azure Active Directory app registration main data.
To display an Azure Active Directory app registration's main data
-
In the Manager, select the Azure Active Directory > App registrations category.
-
Select the Azure Active Directory app registration in the result list.
-
Select Change main data.
Table 40: Main data of an Azure Active Directory app registration
Display name |
Display name of the application. |
Publisher domain |
Name of the application's verified publisher domain. |
Registration date |
Date and time when the application was registered. |
Group membership claim |
Group membership claim expected by the application. Group types that are included in the access, ID, and SAML tokens. Permitted values are:
-
None: No group types
-
All: All group types
-
Security groups: Security groups with the user as a member.
-
Application groups: Application groups in which the user is a member.
-
Directory roles: Directory roles that are assigned to the user. |
Logo URL |
Link to the application's logo. |
Marketing URL |
Link to the application's marketing page. |
Privacy statement URL |
Link to the application's privacy statement. |
Service URL |
Link to the application's support page. |
Terms of service URL |
Link to the application's terms of service. |
Fallback public client |
Specifies whether the fallback application type is a public client, such as an application installed and running on a mobile device. The default value is false meaning the fallback application type is a confidential client such as a web application. If the option is disabled, it means that the fallback application type is a confidential client, such as a web application (default). |
Supported user accounts |
Specifies which Microsoft user accounts for the current application are supported. Permitted values are:
-
Accounts in this organizational directory only
-
Accounts in any organizational directory
-
Accounts in any organizational directory and personal Microsoft accounts
-
Only personal Microsoft accounts |
Token issuance policies |
Name of the policy for issuing tokens. |
Token lifetime policy |
Name of the policy for token lifetimes. |
Tags |
User-defined string to use for categorizing and identifying the application. |
Related topics