Use this task to assign owners to an Azure Active Directory service principal or to remove them from a service principal.
To assign owners to an Azure Active Directory application
-
In the Manager, select the Azure Active Directory > Service principals category.
-
In the result list, select the Azure Active Directory service principal.
-
Select the Assign owner task.
-
In the Table menu, select one of the following entries.
-
In the Add assignments pane, assign owners.
TIP: In the Remove assignments pane, you can remove assigned owners.
To remove an assignment
- Save the changes.
There are so-called app roles defined for app registrations. Azure Active Directory users, Azure Active Directory groups, or Azure Active Directory service principals can use app roles to provide permissions or functions for the application.
App roles and their assignments are loaded into One Identity Manager by synchronization. However, you cannot create new app roles in . In , you can add or remove authorizations for the service principals and their app registrations respectively.
To assign authorizations to an Azure Active Directory service principal
-
In the Manager, select the Azure Active Directory > Service principals category.
-
In the result list, select the Azure Active Directory service principal.
-
Select the Assign authorizations task.
-
In the Assignments pane, click Add and enter the following data.
-
Authorized for: Specify the user account, group, or service principal for the authorization.
-
Click next to the field.
-
Under Table, select one of the following tables:
-
To authorize a user account, select AADUser.
-
To authorize a group, select AADGroup.
-
To authorize a service principal, select AADServicePrincipal.
-
Under Authorized for, select the user account, group, or service principal.
-
Click OK.
-
App role: Select the app role for the authorization.
NOTE: If there is no app role defined for a service principal, leave this item empty to authorize the user account, group, or service principal.
-
Save the changes.
To remove authorizations from an Azure Active Directory service principal
-
In the Manager, select the Azure Active Directory > Service principals category.
-
In the result list, select the Azure Active Directory service principal.
-
Select the Assign authorizations task.
-
In the Assignments pane, select the authorization you want to remove.
-
Click Remove.
-
Save the changes.
This task allows you to display the service principals that represent enterprise applications.
To display enterprise applications
-
In the Manager, select the Azure Active Directory > Service principals category.
-
Select one of the following entries:
-
In the result list, select the Azure Active Directory service principal.
-
Select one of the following tasks:
-
Azure Active Directory service principal overview: This shows you an overview of the Azure Active Directory service principal and its dependencies.
-
Change main data: This displays the Azure Active Directory service principal's main data.
-
Assign owners: This displays the Azure Active Directory service principals owners. You can assign owners to a service principal or remove them.
-
Assign authorizations: This displays user accounts, groups, and service principals with their assigned app roles. You can create more authorizations or removed them.
Related topics
The information about the Azure Active Directory service principal is loaded into One Identity Manager during synchronization. You cannot edit Azure Active Directory service principal main data.
To display an Azure Active Directory service principal's main data
-
In the Manager, select the Azure Active Directory > Service principals category.
-
In the result list, select the Azure Active Directory service principal.
-
Select the Change main data task.
Table 45: General main data for an Azure Active Directory service principal
Display name |
Name for displaying the service principal. |
Alternative names |
Alternative names for the service principal. This is used to call service principals by subscription, to identify resource groups and full resource IDs for managing identities. |
Web page |
Home page of the Azure Active Directory application. |
Enabled |
Specifies whether the service principal is enabled. |
Application display name. |
Display name of the associated Azure Active Directory application. |
App role assignment required |
Specifies whether users or other service principals must be assigned an app role for this service principal before they can login or obtain application tokens. |
Logo URL |
Link to the application's logo. |
Marketing URL |
Link to the application's marketing page. |
Privacy statement URL |
Link to the application's privacy statement. |
Service URL |
Link to the application's support page. |
Terms of service URL |
Link to the application's terms of service. |
Login URL |
URL that the identity provider uses to reroute the user to Azure Active Directory for authentication. |
Logout URL |
URL that the Microsoft authorization service uses to log out a user using OPENID Connect front channel, OpenID Connect back-channel, or SAML logout protocols. |
Notification mail addresses |
List of email addresses that Azure Active Directory sends a notification to if the active certificate is nearing the expiration date. |
Preferred single sign-on mode |
Single sign-on mode configured for this Azure Active Directory application. |
Reply URLs |
URLs that user tokens are sent to for logging in with the associated application, or the redirect URIs that OAuth 2.0 authorization codes and access tokens are sent to for the associated application. |
Service principal names |
Contains the list of URIs that identify the associated Azure Active Directory application within its Azure Active Directory tenant, or within a verified custom domain, if the Azure Active Directory application is an Azure Active Directory multi-tenant. |
Service principal type |
Type of service principal, for example, an application or a managed identity. The type is set internally by Azure Active Directory. |
Encryption key ID |
ID of the public key for logging in using certificates. |
Home realm discovery policy |
Name of the home realm discovery policy. |
Delete date |
Time at which the service principal was deleted. |
Tags |
User-defined string to use for categorizing and identifying the application. |
Related topics