az ad app

Manage Microsoft Entra applications.

Commands

Name                                     Type  Status  Description
az ad app create                         Core  GA      Create an application.
az ad app credential                     Core  GA      Manage an application's password or certificate credentials.
az ad app credential delete              Core  GA      Delete an application's password or certificate credentials.
az ad app credential list                Core  GA      List an application's password or certificate credential metadata. (The content of the password or certificate credential is not retrievable.)
az ad app credential reset               Core  GA      Reset an application's password or certificate credentials.
az ad app delete                         Core  GA      Delete an application.
az ad app federated-credential           Core  GA      Manage application federated identity credentials.
az ad app federated-credential create    Core  GA      Create application federated identity credential.
az ad app federated-credential delete    Core  GA      Delete application federated identity credential.
az ad app federated-credential list      Core  GA      List application federated identity credentials.
az ad app federated-credential show      Core  GA      Show application federated identity credential.
az ad app federated-credential update    Core  GA      Update application federated identity credential.
az ad app list                           Core  GA      List applications.
az ad app owner                          Core  GA      Manage application owners.
az ad app owner add                      Core  GA      Add an application owner.
az ad app owner list                     Core  GA      List application owners.
az ad app owner remove                   Core  GA      Remove an application owner.
az ad app permission                     Core  GA      Manage an application's OAuth2 permissions.
az ad app permission add                 Core  GA      Add an API permission.
az ad app permission admin-consent       Core  GA      Grant Application & Delegated permissions through admin-consent.
az ad app permission delete              Core  GA      Remove an API permission.
az ad app permission grant               Core  GA      Grant the app API delegated permissions.
az ad app permission list                Core  GA      List API permissions the application has requested.
az ad app permission list-grants         Core  GA      List OAuth2 permission grants.
az ad app show                           Core  GA      Get the details of an application.
az ad app update                         Core  GA      Update an application.

az ad app create

Create an application.

For more detailed documentation, see https://learn.microsoft.com/graph/api/resources/application.

az ad app create --display-name
                 [--app-roles]
                 [--enable-access-token-issuance {false, true}]
                 [--enable-id-token-issuance {false, true}]
                 [--end-date]
                 [--identifier-uris]
                 [--is-fallback-public-client {false, true}]
                 [--key-display-name]
                 [--key-type {AsymmetricX509Cert, Password, Symmetric}]
                 [--key-usage {Sign, Verify}]
                 [--key-value]
                 [--optional-claims]
                 [--public-client-redirect-uris]
                 [--requested-access-token-version]
                 [--required-resource-accesses]
                 [--service-management-reference]
                 [--sign-in-audience {AzureADMultipleOrgs, AzureADMyOrg, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount}]
                 [--start-date]
                 [--web-home-page-url]
                 [--web-redirect-uris]

Examples

Create an application.

az ad app create --display-name mytestapp

Create an application that can fall back to public client with Microsoft Graph delegated permission User.Read

az ad app create --display-name my-public --is-fallback-public-client --required-resource-accesses @manifest.json
("manifest.json" contains the following content)
[{
    "resourceAppId": "00000003-0000-0000-c000-000000000000",
    "resourceAccess": [
        {
            "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
            "type": "Scope"
        }
    ]
}]

Create an application with a role

az ad app create --display-name mytestapp --identifier-uris https://mytestapp.websites.net --app-roles @manifest.json
("manifest.json" contains the following content)
[{
    "allowedMemberTypes": [
        "User"
    ],
    "description": "Approvers can mark documents as approved",
    "displayName": "Approver",
    "isEnabled": true,
    "value": "approver"
}]

Create an application with optional claims

az ad app create --display-name mytestapp --optional-claims @manifest.json
("manifest.json" contains the following content)
{
    "idToken": [
        {
            "name": "auth_time",
            "essential": false
        }
    ],
    "accessToken": [
        {
            "name": "ipaddr",
            "essential": false
        }
    ],
    "saml2Token": [
        {
            "name": "upn",
            "essential": false
        },
        {
            "name": "extension_ab603c56068041afb2f6832e2a17e237_skypeId",
            "source": "user",
            "essential": false
        }
    ]
}

Required Parameters

--display-name

The display name of the application.

Optional Parameters

--app-roles

The collection of roles assigned to the application. With app role assignments, these roles can be assigned to users, groups, or service principals associated with other applications. Should be JSON file path or in-line JSON string. See examples for details.

--enable-access-token-issuance

Specifies whether this web application can request an access token using the OAuth 2.0 implicit flow.

Accepted values: false, true
--enable-id-token-issuance

Specifies whether this web application can request an ID token using the OAuth 2.0 implicit flow.

Accepted values: false, true
--end-date

Date or datetime after which credentials expire (e.g. '2017-12-31T11:59:59+00:00' or '2017-12-31'). Default value is one year after current time.

--identifier-uris

Space-separated values. Also known as App ID URI, this value is set when an application is used as a resource app. The identifierUris acts as the prefix for the scopes you'll reference in your API's code, and it must be globally unique. You can use the default value provided, which is in the form api://<application-client-id>, or specify a more readable URI like https://contoso.com/api.

--is-fallback-public-client

Specifies the fallback application type as public client, such as an installed application running on a mobile device. The default value is false which means the fallback application type is confidential client such as a web app.

Accepted values: false, true
--key-display-name

Friendly name for the key.

--key-type

The type of the key credentials associated with the application.

Accepted values: AsymmetricX509Cert, Password, Symmetric
Default value: AsymmetricX509Cert
--key-usage

The usage of the key credentials associated with the application.

Accepted values: Sign, Verify
Default value: Verify
--key-value

The value for the key credentials associated with the application.

--optional-claims

Application developers can configure optional claims in their Microsoft Entra applications to specify the claims that are sent to their application by the Microsoft security token service. For more information, see https://learn.microsoft.com/azure/active-directory/develop/active-directory-optional-claims. Should be JSON file path or in-line JSON string. See examples for details.

--public-client-redirect-uris

Space-separated values. Specifies the URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent.

--requested-access-token-version

Specifies the access token version expected by this resource. This changes the version and format of the JWT produced independent of the endpoint or client used to request the access token.

--required-resource-accesses

Specifies the resources that the application needs to access. This property also specifies the set of delegated permissions and application roles that it needs for each of those resources. This configuration of access to the required resources drives the consent experience. Should be JSON file path or in-line JSON string. See examples for details.

--service-management-reference

References application or service contact information from a Service or Asset Management database.

--sign-in-audience

Specifies the Microsoft accounts that are supported for the current application.

Accepted values: AzureADMultipleOrgs, AzureADMyOrg, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount
--start-date

Date or datetime at which credentials become valid (e.g. '2017-01-01T01:00:00+00:00' or '2017-01-01'). Default value is current time.

--web-home-page-url

Home page or landing page of the application.

--web-redirect-uris

Space-separated values. Specifies the URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az ad app delete

Delete an application.

az ad app delete --id

Examples

Delete an application. (autogenerated)

az ad app delete --id 00000000-0000-0000-0000-000000000000

Required Parameters

--id

Identifier uri, application id, or object id.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az ad app list

List applications.

For low latency, only the first 100 applications are returned by default unless you provide filter arguments or use --all.

az ad app list [--all]
               [--app-id]
               [--display-name]
               [--filter]
               [--identifier-uri]
               [--show-mine]

Optional Parameters

--all

List all entities; expect a long delay in a large organization.

--app-id

Application id.

--display-name

The display name of the application.

--filter

OData filter, e.g. --filter "displayname eq 'test' and servicePrincipalType eq 'Application'".

--identifier-uri

Graph application identifier; must be in URI format.

--show-mine

List entities owned by the current user.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.
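The settings that az ad app create and az ad app update configure (implicit-flow token issuance, fallback public client, sign-in audience, redirect URIs, credential dates, required resource accesses) are the same ones a defender reviews in the output of az ad app list. The script below is an added example, not part of this reference or of the Azure CLI's code: it audits the JSON that `az ad app list --all -o json` prints, using the Microsoft Graph application field names the CLI emits (signInAudience, web.implicitGrantSettings, isFallbackPublicClient, web.redirectUris, passwordCredentials, requiredResourceAccess). The two applications in SAMPLE_APPS, the fixed NOW timestamp and the one-year secret-lifetime threshold are constructed assumptions; the Microsoft Graph resourceAppId and User.Read scope id are the ones used in the manifest examples above.

```python
"""Audit `az ad app list --all -o json` output for risky application settings.

Added example, not Azure CLI code. Run `python audit_apps.py -` with the CLI
output piped in, or with no argument to audit the constructed SAMPLE_APPS.
"""
import json
import sys
from datetime import datetime, timedelta, timezone

# Microsoft Graph resourceAppId and the User.Read scope id from the page's manifest examples.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
USER_READ_SCOPE_ID = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"

# Sign-in audiences that admit accounts from outside the home tenant.
BROAD_AUDIENCES = {"AzureADMultipleOrgs", "AzureADandPersonalMicrosoftAccount", "PersonalMicrosoftAccount"}
# Assumed policy threshold; matches the CLI's default --end-date of one year after creation.
MAX_SECRET_LIFETIME = timedelta(days=365)


def parse_graph_time(text):
    """Graph emits e.g. 2025-06-30T00:00:00Z, sometimes with 7 fractional digits.
    Keep the second-precision prefix and treat it as UTC."""
    return datetime.strptime(text[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def audit_app(app, now):
    """Return a list of human-readable findings for one Graph application object."""
    findings = []
    web = app.get("web") or {}
    implicit = web.get("implicitGrantSettings") or {}
    if implicit.get("enableAccessTokenIssuance"):
        findings.append("implicit flow: access token issuance enabled")
    if implicit.get("enableIdTokenIssuance"):
        findings.append("implicit flow: ID token issuance enabled")
    if app.get("isFallbackPublicClient"):
        findings.append("isFallbackPublicClient is true")
    if app.get("signInAudience") in BROAD_AUDIENCES:
        findings.append("sign-in audience %s accepts accounts outside this tenant" % app["signInAudience"])

    # Redirect URIs: plaintext HTTP (other than localhost) and wildcards weaken code/token delivery.
    public = app.get("publicClient") or {}
    for uri in list(web.get("redirectUris") or []) + list(public.get("redirectUris") or []):
        lowered = uri.lower()
        if lowered.startswith("http://") and not lowered.startswith("http://localhost"):
            findings.append("redirect URI without TLS: " + uri)
        if "*" in uri:
            findings.append("wildcard in redirect URI: " + uri)

    # Password credentials: expired secrets left in place, or lifetimes beyond the policy threshold.
    for cred in app.get("passwordCredentials") or []:
        end = cred.get("endDateTime")
        if not end:
            continue
        end_dt = parse_graph_time(end)
        label = cred.get("displayName") or cred.get("keyId") or "unnamed"
        if end_dt < now:
            findings.append("expired password credential still present: " + label)
        elif end_dt - now > MAX_SECRET_LIFETIME:
            findings.append("password credential valid for more than a year: " + label)

    # Application permissions (type Role) act without a signed-in user and need admin consent.
    for rra in app.get("requiredResourceAccess") or []:
        roles = [a for a in rra.get("resourceAccess") or [] if a.get("type") == "Role"]
        if roles:
            findings.append("%d application permission(s) (type Role) requested on %s"
                            % (len(roles), rra.get("resourceAppId")))
    return findings


def audit(apps, now=None):
    """Map appId -> findings for every application in the list."""
    now = now or datetime.now(timezone.utc)
    return {app.get("appId"): audit_app(app, now) for app in apps}


# Constructed sample data: appIds, names, URIs and dates are made up for the demonstration.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE_APPS = [
    {   # single-tenant web app with a short-lived secret and one delegated scope: no findings expected
        "appId": "11111111-1111-1111-1111-111111111111", "displayName": "mytestapp",
        "signInAudience": "AzureADMyOrg", "isFallbackPublicClient": False,
        "web": {"redirectUris": ["https://mytestapp.websites.net/signin-oidc"],
                "implicitGrantSettings": {"enableAccessTokenIssuance": False, "enableIdTokenIssuance": False}},
        "passwordCredentials": [{"displayName": "rotated-q1", "endDateTime": "2025-06-30T00:00:00Z"}],
        "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID,
                                    "resourceAccess": [{"id": USER_READ_SCOPE_ID, "type": "Scope"}]}],
    },
    {   # multi-tenant app accumulating weak settings: nine findings expected
        "appId": "22222222-2222-2222-2222-222222222222", "displayName": "legacy-portal",
        "signInAudience": "AzureADMultipleOrgs", "isFallbackPublicClient": True,
        "web": {"redirectUris": ["http://legacy.contoso.example/callback", "https://*.contoso.example/auth"],
                "implicitGrantSettings": {"enableAccessTokenIssuance": True, "enableIdTokenIssuance": True}},
        "passwordCredentials": [{"displayName": "old", "endDateTime": "2023-01-01T00:00:00Z"},
                                {"displayName": "long-lived", "endDateTime": "2030-01-01T00:00:00Z"}],
        "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID,
                                    # placeholder id: the page lists no application-permission GUID
                                    "resourceAccess": [{"id": "00000000-0000-0000-0000-000000000000", "type": "Role"}]}],
    },
]

if __name__ == "__main__":
    apps = json.load(sys.stdin) if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_APPS
    for app_id, found in audit(apps).items():
        print(app_id, "OK" if not found else "")
        for line in found:
            print("   -", line)
```

The thresholds are deliberately simple; the point is that every field the script reads is one that a parameter in this reference sets, so the same list doubles as a pre-creation checklist for the manifest you pass to az ad app create.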

az ad app show

Get the details of an application.

az ad app show --id

Examples

Get the details of an application with appId.

az ad app show --id 00000000-0000-0000-0000-000000000000

Get the details of an application with id.

az ad app show --id 00000000-0000-0000-0000-000000000000

Get the details of an application with identifier URI.

az ad app show --id api://myapp

Required Parameters

--id

Identifier uri, application id, or object id.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az ad app update

Update an application.

az ad app update --id
                 [--add]
                 [--app-roles]
                 [--display-name]
                 [--enable-access-token-issuance {false, true}]
                 [--enable-id-token-issuance {false, true}]
                 [--end-date]
                 [--force-string]
                 [--identifier-uris]
                 [--is-fallback-public-client {false, true}]
                 [--key-display-name]
                 [--key-type {AsymmetricX509Cert, Password, Symmetric}]
                 [--key-usage {Sign, Verify}]
                 [--key-value]
                 [--optional-claims]
                 [--public-client-redirect-uris]
                 [--remove]
                 [--requested-access-token-version]
                 [--required-resource-accesses]
                 [--service-management-reference]
                 [--set]
                 [--sign-in-audience {AzureADMultipleOrgs, AzureADMyOrg, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount}]
                 [--start-date]
                 [--web-home-page-url]
                 [--web-redirect-uris]

Examples

Update an application with Microsoft Graph delegated permission User.Read

az ad app update --id e042ec79-34cd-498f-9d9f-123456781234 --required-resource-accesses @manifest.json
("manifest.json" contains the following content)
[{
    "resourceAppId": "00000003-0000-0000-c000-000000000000",
    "resourceAccess": [
        {
            "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
            "type": "Scope"
        }
    ]
}]

Declare an application role

az ad app update --id e042ec79-34cd-498f-9d9f-123456781234 --app-roles @manifest.json
("manifest.json" contains the following content)
[{
    "allowedMemberTypes": [
        "User"
    ],
    "description": "Approvers can mark documents as approved",
    "displayName": "Approver",
    "isEnabled": true,
    "value": "approver"
}]

Update optional claims

az ad app update --id e042ec79-34cd-498f-9d9f-123456781234 --optional-claims @manifest.json
("manifest.json" contains the following content)
{
    "idToken": [
        {
            "name": "auth_time",
            "essential": false
        }
    ],
    "accessToken": [
        {
            "name": "ipaddr",
            "essential": false
        }
    ],
    "saml2Token": [
        {
            "name": "upn",
            "essential": false
        },
        {
            "name": "extension_ab603c56068041afb2f6832e2a17e237_skypeId",
            "source": "user",
            "essential": false
        }
    ]
}

Update an application's group membership claims to "All"

az ad app update --id e042ec79-34cd-498f-9d9f-123456781234 --set groupMembershipClaims=All

Required Parameters

--id

Identifier uri, application id, or object id.

Optional Parameters

--add

Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.

Default value: []
--app-roles

The collection of roles assigned to the application. With app role assignments, these roles can be assigned to users, groups, or service principals associated with other applications. Should be JSON file path or in-line JSON string. See examples for details.

--display-name

The display name of the application.

--enable-access-token-issuance

Specifies whether this web application can request an access token using the OAuth 2.0 implicit flow.

Accepted values: false, true
--enable-id-token-issuance

Specifies whether this web application can request an ID token using the OAuth 2.0 implicit flow.

Accepted values: false, true
--end-date

Date or datetime after which credentials expire (e.g. '2017-12-31T11:59:59+00:00' or '2017-12-31'). Default value is one year after current time.

--force-string

When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.

Default value: False
--identifier-uris

Space-separated values. Also known as App ID URI, this value is set when an application is used as a resource app. The identifierUris acts as the prefix for the scopes you'll reference in your API's code, and it must be globally unique. You can use the default value provided, which is in the form api://<application-client-id>, or specify a more readable URI like https://contoso.com/api.

--is-fallback-public-client

Specifies the fallback application type as public client, such as an installed application running on a mobile device. The default value is false which means the fallback application type is confidential client such as a web app.

Accepted values: false, true
--key-display-name

Friendly name for the key.

--key-type

The type of the key credentials associated with the application.

Accepted values: AsymmetricX509Cert, Password, Symmetric
Default value: AsymmetricX509Cert
--key-usage

The usage of the key credentials associated with the application.

Accepted values: Sign, Verify
Default value: Verify
--key-value

The value for the key credentials associated with the application.

--optional-claims

Application developers can configure optional claims in their Microsoft Entra applications to specify the claims that are sent to their application by the Microsoft security token service. For more information, see https://learn.microsoft.com/azure/active-directory/develop/active-directory-optional-claims. Should be JSON file path or in-line JSON string. See examples for details.

--public-client-redirect-uris

Space-separated values. Specifies the URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent.

--remove

Remove a property or an element from a list. Example: --remove property.list <indexToRemove> OR --remove propertyToRemove.

Default value: []
--requested-access-token-version

Specifies the access token version expected by this resource. This changes the version and format of the JWT produced independent of the endpoint or client used to request the access token.

--required-resource-accesses

Specifies the resources that the application needs to access. This property also specifies the set of delegated permissions and application roles that it needs for each of those resources. This configuration of access to the required resources drives the consent experience. Should be JSON file path or in-line JSON string. See examples for details.

--service-management-reference

References application or service contact information from a Service or Asset Management database.

--set

Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>.

Default value: []
--sign-in-audience

Specifies the Microsoft accounts that are supported for the current application.

Accepted values: AzureADMultipleOrgs, AzureADMyOrg, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount
--start-date

Date or datetime at which credentials become valid (e.g. '2017-01-01T01:00:00+00:00' or '2017-01-01'). Default value is current time.

--web-home-page-url

Home page or landing page of the application.

--web-redirect-uris

Space-separated values. Specifies the URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent.
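The generic --set, --add and --remove arguments described above edit the application object by property path before it is sent to Microsoft Graph, and --force-string decides whether a value such as true becomes a JSON boolean or stays a string. The following is an added example, a re-implementation of the semantics given in those parameter descriptions so a change can be previewed on a local copy of an application (for instance the JSON from az ad app show); it is not the Azure CLI's own implementation and may differ in corner cases. The sample object in demo() is constructed.

```python
"""Preview how `az ad app update --set/--add/--remove` edit an application object.

Added example reproducing the documented semantics of the generic update
arguments; not Azure CLI code. Dotted paths address nested properties, list
elements are addressed by index, and values are parsed as JSON where they
parse unless force_string is set (the effect of --force-string).
"""
import json


def _coerce(text, force_string):
    """--set/--add values become JSON types when they parse as JSON, else stay strings."""
    if force_string:
        return text
    try:
        return json.loads(text)
    except ValueError:
        return text


def _walk(obj, path):
    """Follow a dotted path to the container holding its last segment, creating dicts on the way."""
    parts = path.split(".")
    cur = obj
    for part in parts[:-1]:
        cur = cur[int(part)] if isinstance(cur, list) else cur.setdefault(part, {})
    return cur, parts[-1]


def _assign(container, key, value):
    if isinstance(container, list):
        container[int(key)] = value
    else:
        container[key] = value


def apply_set(obj, assignment, force_string=False):
    """--set property1.property2=<value>"""
    path, _, value = assignment.partition("=")
    parent, key = _walk(obj, path)
    _assign(parent, key, _coerce(value, force_string))
    return obj


def apply_add(obj, list_path, *items, force_string=False):
    """--add property.listProperty <key=value ..., string or JSON string>
    key=value items are combined into one new object; other items are appended as given."""
    parent, key = _walk(obj, list_path)
    target = parent.setdefault(key, []) if isinstance(parent, dict) else parent[int(key)]
    pairs = {}
    for item in items:
        if item[:1] in ("{", "["):
            target.append(json.loads(item))
        elif "=" in item:
            k, _, v = item.partition("=")
            pairs[k] = _coerce(v, force_string)
        else:
            target.append(_coerce(item, force_string))
    if pairs:
        target.append(pairs)
    return obj


def apply_remove(obj, path, index=None):
    """--remove property.list <indexToRemove>  OR  --remove propertyToRemove"""
    parent, key = _walk(obj, path)
    if index is None:
        del parent[key]
    else:
        del parent[key][int(index)]
    return obj


def demo():
    """The page's --set example, then an add and a remove on redirect URIs and an app role.
    Returns the edited object."""
    app = {  # constructed excerpt of an `az ad app show` result
        "displayName": "mytestapp",
        "groupMembershipClaims": None,
        "web": {"redirectUris": ["http://legacy.contoso.example/cb", "https://mytestapp.websites.net/cb"]},
    }
    apply_set(app, "groupMembershipClaims=All")                 # --set groupMembershipClaims=All
    apply_add(app, "web.redirectUris", "https://mytestapp.websites.net/signin-oidc")
    apply_remove(app, "web.redirectUris", 0)                    # drop the plaintext-HTTP redirect URI
    apply_add(app, "appRoles", "displayName=Approver", "value=approver", "isEnabled=true")
    return app


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Note the difference between `--set isFallbackPublicClient=true`, which yields a boolean, and the same value under --force-string, which yields the string "true"; Graph validates types, so previewing the coerced value avoids a rejected update.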

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.