This guide provides an overview of key concepts, API use cases, and resources to help you automate the lifecycle management of Microsoft Entra applications.
Applications and service principals
In Microsoft Entra, an application is defined by an application object and a service principal object. There's only one application object for your application across Microsoft Entra, but there can be multiple service principal objects for your application.
The application object is located in the tenant where the app is registered. A service principal is created in the tenant where the app is registered, and in every tenant where it's installed and used. For more information, see Application and service principal objects in Microsoft Entra ID.
In Microsoft Graph, an application is represented by the application resource type, and a service principal is represented by the servicePrincipal resource type. The details of the two objects can be viewed in the Microsoft Entra admin center through the Entra ID > App registrations and Entra ID > Enterprise applications menus respectively.
API use cases for managing applications
The following API use cases are supported for managing applications through the application resource type in Microsoft Graph.
| Use cases | API operations |
|---|---|
| Register an application and configure its basic properties | Create application |
| Configure properties for a registered application | Update application |
| Delete an application | Delete application |
| Manage deleted applications | |
| Manage password credentials for an application | |
| Manage federated identity credentials for an application | Start managing federated identity credentials using Microsoft Graph |
| Manage certificate-based credentials for an application | |
| Manage directory extensions on applications | |
| Track changes to an application | |
| Manage owners | |
| Manage publisher verification | |
API use cases for managing service principals
The following API use cases are supported for managing service principals through the servicePrincipal resource type in Microsoft Graph.
| Use cases | API operations |
|---|---|
| Register service principal | Create servicePrincipal |
| Configure properties for a service principal, including:<br>- Basic properties such as display name and logo<br>- Permissions<br>- SSO mode | Update servicePrincipal |
| Delete a service principal | Delete servicePrincipal |
| Manage deleted service principals: view, restore, or permanently delete | - List deletedItems<br>- List deletedItems owned by a user<br>- Get deleted item<br>- Permanently delete item<br>- Restore deleted item |
| Manage password credentials for a service principal | - servicePrincipal: addPassword<br>- servicePrincipal: removePassword |
| Manage certificate-based credentials for a service principal | - servicePrincipal: addKey<br>- servicePrincipal: removeKey |
| Add a SAML token signing certificate | servicePrincipal: addTokenSigningCertificate |
| Track changes to a service principal | - servicePrincipal: delta<br>- directoryObject: delta with the following filter: `..?$filter=isof('microsoft.graph.servicePrincipal')` |
| Manage owners | - List owners<br>- Add owner<br>- Remove owner |
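The "Track changes to a service principal" row above, as an added example that is not part of the Microsoft Graph documentation: it drains a directoryObject delta query filtered to service principals, follows `@odata.nextLink` pages until the `@odata.deltaLink` arrives, and separates changed objects from ones carrying the `@removed` annotation. The response pages and the `fake_fetch` stub are constructed; a real client would perform an authenticated GET against the same URLs.

```python
# Added example (not Microsoft's code): drain a directoryObject delta query that
# is filtered to service principals, following @odata.nextLink pages until the
# @odata.deltaLink arrives, and separate changed objects from removed ones.
BASE = "https://graph.microsoft.com/v1.0/directoryObjects/delta"
START_URL = BASE + "?$filter=isof('microsoft.graph.servicePrincipal')"

# Constructed pages standing in for Graph responses, keyed by the requested URL.
FAKE_PAGES = {
    START_URL: {
        "value": [
            {"id": "sp-1", "appId": "app-1", "displayName": "hr-connector"},
            {"id": "sp-2", "@removed": {"reason": "deleted"}},
        ],
        "@odata.nextLink": BASE + "?$skiptoken=page2",
    },
    BASE + "?$skiptoken=page2": {
        "value": [{"id": "sp-3", "appId": "app-3", "displayName": "billing-bot"}],
        "@odata.deltaLink": BASE + "?$deltatoken=tok-1",
    },
    # A later round with no changes still hands back a fresh deltaLink.
    BASE + "?$deltatoken=tok-1": {"value": [], "@odata.deltaLink": BASE + "?$deltatoken=tok-2"},
}

def fake_fetch(url):
    """Stand-in for an authenticated GET; a real client sends a bearer token."""
    return FAKE_PAGES[url]

def consume_delta(url, fetch, max_pages=100):
    """Drain one delta round. Returns (changed, removed, next_delta_link):
    changed maps id -> object for created/updated service principals,
    removed maps id -> reason for objects that carry the @removed annotation."""
    changed, removed = {}, {}
    for _ in range(max_pages):
        page = fetch(url)
        for obj in page.get("value", []):
            if "@removed" in obj:
                removed[obj["id"]] = obj["@removed"].get("reason")
            else:
                changed[obj["id"]] = obj
        if "@odata.nextLink" in page:          # more of this round to read
            url = page["@odata.nextLink"]
            continue
        return changed, removed, page["@odata.deltaLink"]   # round complete; persist this link
    raise RuntimeError("delta query did not terminate within max_pages")
```

Persist the returned deltaLink and pass it as the next start URL; each round then yields only service principals that changed or were removed since the previous round.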
Application templates
Application templates are apps available in the Microsoft Entra app gallery. Use the applicationTemplate resource type and its associated methods to:
- Identify apps from the application gallery.
- Identify apps by the SSO mode they support.
- Instantiate an app and service principal from an application gallery.
Policies applicable to applications and service principals
| Policy description | API operations | Applies to |
|---|---|---|
| Manage Microsoft Entra ID Remote Desktop Services (RDS) authentication protocol | remoteDesktopSecurityConfiguration resource type and its associated methods | Service principals |
| Configure SAML tokens policy | tokenIssuancePolicy resource type and its associated methods | Applications, Service principals |
| Configure policies for access, SAML, and ID tokens | Token lifetime policy: tokenLifetimePolicy resource type and its associated methods<br>Token issuance policy: tokenIssuancePolicy resource type and its associated methods | Applications, Service principals |
| Manage idle session time-out for Microsoft 365 web apps, for all device types. Note: To trigger the policy only for unmanaged devices, you also need to add a Conditional Access policy. | activityBasedTimeoutPolicy resource type and its associated methods | Microsoft 365 web apps |
| Manage policies for how certificates and password secrets can be used in your organization. Create tenant-wide policies or app-specific policies, such as blocking the use of, or restricting the lifetime of, password secrets or symmetric keys, and enforcing trusted certificate authorities | Application authentication methods policies | Applications |
| Manage claims mapping policies for WS-Fed, SAML, OAuth 2.0, and OpenID Connect protocols, and the applications the policies apply to | claimsMappingPolicy resource type and its associated methods | Service principals |
| Manage Home Realm Discovery (HRD) for the tenant and assignment of the policy to a service principal | homeRealmDiscoveryPolicy resource type and its associated methods | Service principals |
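An added example (not Microsoft's code) that ties together the password and certificate credential rows of the two use-case tables and the secret-lifetime policy row above: it audits the passwordCredentials and keyCredentials collections that Graph returns for a service principal against a lifetime ceiling, then derives the addPassword and removePassword calls that rotate the stale secrets. The thresholds, the fixed NOW, the sample object and its placeholder id are assumptions.

```python
# Added example, not Microsoft's code; policy thresholds and sample data are constructed.
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 10, 1, tzinfo=timezone.utc)   # fixed "current time" for the sample
# Constructed sample shaped like the credential collections of GET /servicePrincipals/{id}
SAMPLE_SP = {
    "id": "00000000-0000-0000-0000-000000000001",  # placeholder object id
    "passwordCredentials": [
        {"keyId": "k-1", "hint": "Q7x", "startDateTime": "2022-01-01T00:00:00Z", "endDateTime": "2024-01-01T00:00:00Z"},
        {"keyId": "k-2", "hint": "m2P", "startDateTime": "2025-06-01T00:00:00Z", "endDateTime": "2027-06-01T00:00:00Z"},
    ],
    "keyCredentials": [
        {"keyId": "c-1", "type": "AsymmetricX509Cert", "usage": "Verify",
         "startDateTime": "2025-01-01T00:00:00Z", "endDateTime": "2025-09-01T00:00:00Z"},
    ],
}

def _ts(value):
    """Parse Graph's UTC ISO 8601 timestamps (trailing Z) into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_credentials(obj, now, max_lifetime_days=365, warn_days=30):
    """One finding per credential that is expired, expiring within warn_days, or issued for longer than the ceiling."""
    findings = []
    for kind in ("passwordCredentials", "keyCredentials"):
        for cred in obj.get(kind, []):
            start, end = _ts(cred["startDateTime"]), _ts(cred["endDateTime"])
            reasons = []
            if end <= now:
                reasons.append("expired")
            elif end - now <= timedelta(days=warn_days):
                reasons.append("expires-soon")
            if end - start > timedelta(days=max_lifetime_days):
                reasons.append("lifetime-exceeds-policy")
            if reasons:
                findings.append({"kind": kind, "keyId": cred["keyId"], "reasons": reasons})
    return findings

def rotation_plan(obj, findings, now, new_lifetime_days=90):
    """Graph calls for the password findings: addPassword first so a replacement exists, then removePassword per stale keyId."""
    base = "/servicePrincipals/" + obj["id"]
    stale = [f["keyId"] for f in findings if f["kind"] == "passwordCredentials"]
    if not stale:
        return []
    new_end = (now + timedelta(days=new_lifetime_days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    plan = [{"method": "POST", "url": base + "/addPassword",
             "body": {"passwordCredential": {"displayName": "rotated", "endDateTime": new_end}}}]
    return plan + [{"method": "POST", "url": base + "/removePassword", "body": {"keyId": k}} for k in stale]
```

Key credentials are only reported here, not rotated, because addKey requires a proof-of-possession token signed with the existing certificate rather than a plain request body.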
Identity synchronization (provisioning)
Provisioning APIs in Microsoft Graph let you automate and manage the provisioning and deprovisioning of identities in these scenarios:
- From your on-premises Active Directory to Microsoft Entra ID
- From other cloud directories to Microsoft Entra ID
- From Microsoft Entra ID to cloud applications like Dropbox, Salesforce, ServiceNow, and more
For more information, see Microsoft Entra synchronization API overview.