Azure Active Directory applications and Azure Active Directory service principals
When an application is registered in an Azure Active Directory tenant, it creates an associated Azure Active Directory service principal. There are so-called app roles defined for applications. Azure Active Directory users, Azure Active Directory groups, or Azure Active Directory service principals can use app roles to provide permissions or functions for the application.
For detailed information about integrating applications into Azure Active Directory, see the Azure Active Directory documentation from Microsoft.
Information about Azure Active Directory applications, Azure Active Directory service principals, and app roles within an Azure Active Directory tenant is loaded into One Identity Manager during synchronization. You cannot create new Azure Active Directory applications, Azure Active Directory service principals, and app roles in One Identity Manager but you can specify owners of applications and service principals and create or delete app roles in One Identity Manager.
Displaying information about Azure Active Directory applications
The information about the Azure Active Directory application is loaded into One Identity Manager during synchronization. All the Azure Active Directory applications with their Azure Active Directory service principals that are registered in this Azure Active Directory tenant are loaded for each Azure Active Directory tenant.
If an Azure Active Directory application that is registered in another Azure Active Directory tenant is used in this Azure Active Directory tenant, only the Azure Active Directory service principal is loaded into One Identity Manager, not the Azure Active Directory application itself.
You cannot create Azure Active Directory applications in One Identity Manager.
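As an added illustration (not One Identity Manager's own code) of how the synchronization described above pairs service principals with application registrations, including the case where the registration lives in another tenant: the records are constructed samples shaped like Microsoft Graph application and servicePrincipal objects, the tenant ids are placeholders, and the mapping of Graph signInAudience values to the "Supported user accounts" wording is an assumption taken from the Graph schema.

```python
# Added illustration, not One Identity Manager's own code. Records are constructed
# samples shaped like Microsoft Graph 'application' / 'servicePrincipal' objects.
HOME_TENANT = "00000000-0000-0000-0000-00000000aaaa"  # placeholder tenant id

# Graph signInAudience values mapped to the "Supported user accounts" wording
# shown in the application main data.
SUPPORTED_ACCOUNTS = {
    "AzureADMyOrg": "Accounts in this organizational directory only",
    "AzureADMultipleOrgs": "Accounts in any organizational directory",
    "AzureADandPersonalMicrosoftAccount":
        "Accounts in any organizational directory and personal Microsoft accounts",
    "PersonalMicrosoftAccount": "Only personal Microsoft accounts",
}

# Constructed sample: application registrations that exist in the home tenant.
APPLICATIONS = [
    {"appId": "a1", "displayName": "Payroll Portal", "signInAudience": "AzureADMyOrg"},
    {"appId": "a2", "displayName": "HR Connector", "signInAudience": "AzureADMultipleOrgs"},
]

# Constructed sample: service principals in the home tenant. "a3" belongs to a
# multi-tenant app registered elsewhere, so only its service principal exists here.
SERVICE_PRINCIPALS = [
    {"appId": "a1", "displayName": "Payroll Portal", "appOwnerOrganizationId": HOME_TENANT},
    {"appId": "a2", "displayName": "HR Connector", "appOwnerOrganizationId": HOME_TENANT},
    {"appId": "a3", "displayName": "Vendor SaaS",
     "appOwnerOrganizationId": "00000000-0000-0000-0000-00000000bbbb"},
]


def plan_sync(applications, service_principals, home_tenant):
    """One record per service principal; marks whether its registration is loaded too."""
    apps = {a["appId"]: a for a in applications}
    plan = []
    for sp in service_principals:
        app = apps.get(sp["appId"])
        # The application object is only loaded when it is registered in this tenant.
        home = app is not None and sp.get("appOwnerOrganizationId") == home_tenant
        plan.append({
            "appId": sp["appId"],
            "displayName": sp["displayName"],
            "application_loaded": home,
            "supported_accounts": SUPPORTED_ACCOUNTS.get(app["signInAudience"]) if app else None,
        })
    return plan


def foreign_service_principals(plan):
    """appIds registered in another tenant: their main data and owners are not managed here."""
    return [r["appId"] for r in plan if not r["application_loaded"]]
```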
To display information about an Azure Active Directory application
- In the Manager, select the Azure Active Directory > Applications category.
- In the result list, select the Azure Active Directory application.
- Select one of the following tasks:
  - Azure Active Directory application overview: This shows you an overview of the Azure Active Directory application and its dependencies.
  - Change main data: Shows the Azure Active Directory application's main data.
  - Assign owners: Shows the Azure Active Directory application's owners. You can assign owners to an application or remove them again.
Assigning owners to Azure Active Directory applications
Use this task to assign owners to an Azure Active Directory application or to remove them from it. Owners of an Azure Active Directory application can view the application registration in Azure Active Directory and edit it.
To assign owners to an Azure Active Directory application
- In the Manager, select the Azure Active Directory > Applications category.
- In the result list, select the Azure Active Directory application.
- Select the Assign owner task.
- In the Table menu, select the Azure Active Directory user accounts (AADUser) item.
- In the Add assignments pane, assign owners.
TIP: In the Remove assignments pane, you can remove assigned owners.
To remove an assignment
- Save the changes.
Displaying Azure Active Directory applications
The information about the Azure Active Directory application is loaded into One Identity Manager during synchronization. You cannot edit Azure Active Directory application main data.
To display an Azure Active Directory application's main data
- In the Manager, select the Azure Active Directory > Applications category.
- In the result list, select the Azure Active Directory application.
- Select Change main data.
Table 39: Azure Active Directory application main data

Property | Description
--- | ---
Display name | Display name of the application.
Publisher domain | Name of the application's verified publisher domain.
Registration date | Date and time when the application was registered.
Group membership claim | Group membership claim expected by the application, that is, the group types that are included in the access, ID, and SAML tokens. Permitted values are:
Logo URL | Link to the application's logo.
Marketing URL | Link to the application's marketing page.
Privacy statement URL | Link to the application's privacy statement.
Service URL | Link to the application's support page.
Terms of service URL | Link to the application's terms of service.
Fallback public client | Specifies whether the fallback application type is a public client, such as an application installed and running on a mobile device. If the option is disabled (default), the fallback application type is a confidential client, such as a web application.
Supported user accounts | Specifies which Microsoft user accounts the application supports. Permitted values are: Accounts in this organizational directory only; Accounts in any organizational directory; Accounts in any organizational directory and personal Microsoft accounts; Only personal Microsoft accounts.
Token issuance policies | Name of the policy for issuing tokens.
Token lifetime policy | Name of the policy for token lifetimes.
Tags | User-defined string used for categorizing and identifying the application.