Understanding the Azure Active Directory Application Manifest - Microsoft (2023)

  • Article
  • 13 minutes to read

The application manifest contains a definition of all attributes of an application object in the Microsoft identity platform. It also serves as a mechanism for updating the application object. For more information about the application entity and its schema, see theGraph API application entity documentation.

You can configure an application's attributes through the Azure portal or programmaticallyAPI von Microsoft GraphÖSDK von PowerShell von Microsoft Graph. However, there are some scenarios where you need to edit your app's manifest to set an app's attribute. These scenarios include:

  • If you registered your app as multi-user Azure AD and personal Microsoft accounts, you cannot change the supported Microsoft accounts in the UI. Instead, you must use the app manifest editor to change the supported account type.
  • To define permissions and features supported by your app, you must modify the app's manifest.

Configure the application manifest

To configure the application manifest:

  1. Go toAzure-Portal. Find and select itAzure Active DirectoryService.
  2. Selectapplication logs.
  3. Select the app you want to configure.
  4. From appoverviewside, choose theManifestSection. A web-based manifest editor opens, allowing you to edit the manifest in the portal. Optionally you can selectTo disposeto edit the manifest locally, then useburdento reapply it to your app.

reference manifest

This section describes the attributes found in the application manifest.

attribute it

keyvalue type
I would goCorda

The unique identifier of the application in the directory. This ID is not the identifier used to identify the application in any protocol transaction. It is used to reference the object in directory queries.


"id": "f7f9acfc-ae0c-4d6c-b489-0a81dc1652dd",

atributo acceptMappedClaims

keyvalue type
accept assigned claimsNullable boolean

As documented noapiApplication-Ressourcentyp, allows an application to use thisclaim mappingwithout specifying a custom subscription key. Applications that receive tokens rely on the claim values ​​being authoritatively issued by Azure AD and cannot be changed. However, if you change the token content through claims assignment policies, these assumptions may no longer be correct. Applications must explicitly acknowledge that the tokens have been modified by the creator of the Claims Mapping Policy to provide protection against Claims Mapping policies created by malicious actors.


not defineaccept assigned claimsproperty forRIGHTfor multi-tenant applications that could allow malicious actors to create notification assignment policies for your application.


"accept assigned claims": true,

Attribut accessTokenAcceptedVersion

keyvalue type
accessTokenAcceptedVersionInt32 changeable

Specifies the version of the access token that the resource is expecting. This parameter changes the version and format of the generated JWT, regardless of the endpoint or client used to request the access token.

The endpoint used, v1.0 or v2.0, is chosen by the client and only affects the version of id_tokens. Resources must be explicitly configuredaccesstokenAcceptedVersionto specify the supported access token format.

Possible values ​​foraccesstokenAcceptedVersionare 1, 2 or zero. If the value is null, the default value of this parameter is 1, which corresponds to the v1.0 endpoint.

SeLoginAudienceit isAzureADePersonalMicrosoftAccount, must be the value2.


"AccesoTokenAcceptedVersion": 2,


keyvalue type

Defines custom behavior that a consuming service can use to invoke an application in specific contexts. For example, applications that can handle file streams can configure theadditionsproperty through its "FileHandler" functionality. This parameter allows services like Microsoft 365 to invoke the app in the context of a document the user is working on.


"plugins": [ { "id": "968A844F-7A47-430C-9163-07AE7C31D407", "type": "FileHandler", "properties": [ { "key": "version", "value": "2 " } ] } ],


keyvalue type

Specifies the fallback application type. Azure AD infers the application type from answerUrlsWithType by default. There are certain scenarios where Azure AD cannot determine the client application type. An example of such a scenario is theROPCStream where the HTTP request occurs without URL redirection). In these cases, Azure AD interprets the application type based on the value of this property. When this value is set to true, the fallback app type is set to Public Client, e.g. B. An installed app running on a mobile device. The default is false, which means the supporting application type is client-aware, e.g. B. a web application.


"allowPublicClient": false,


keyvalue type

Specifies the unique application ID assigned to an application by Azure AD.


"appId": "601790de-b632-4f57-9523-ee7cb6ceba95",


keyvalue type
application rolescollection

Specifies the collection of functions that an application can declare. These roles can be assigned to users, groups, or service principals. For more examples and information, seeAdd application roles to your application and get them as tokens.


"appRoles": [ { "allowedMemberTypes": [ "User" ], "description": "Read-only access to device information", "displayName": "Read-only", "id": "601790de-b632- 4f57 - 9523- ee7cb6ceba95", "is enabled": true, "value": "Read Only" } ],

Attribute errorUrl

keyvalue type
Error URLCorda


atributo groupMembershipClaims

keyvalue type
Group Membership ClaimsCorda

Configure theThe groupClaim issued in a user access token or OAuth 2.0 that the application expects. To set this attribute, use one of the following valid string values:

  • "Neither"
  • "security group"(for Azure AD security groups and roles)
  • "application group"(this option includes only groups assigned to the application)
  • "directory role"(gets the Azure AD directory roles the user is a member of)
  • "at"(This will get all security groups, distribution groups, and Azure AD directory roles that the signed-in user is a member of.)


"groupMembershipClaims": "Security Group",


keyvalue type
optional claimsCorda

The optional claims returned in the token by the security token service for this specific application.

Currently, apps that support person accounts and Azure AD (registered through the app registration portal) can't use optional claims. However, apps registered only in Azure AD using the v2.0 endpoint can retrieve the optional claims requested in the manifest. For more information, seeoptional claims.


"optionalClaims": null,


keyvalue type
clock identifierString-Array

Custom URIs that uniquely identify a web application in its customer-owned Azure AD tenant or verified domain. When an app is used as a resource app, the value of the URI is used to uniquely identify and access the resource.

The following HTTP scheme and API-based application ID URI formats are supported. Substitute placeholder values ​​as described in the list following the table.

Supported App ID
Formed from URIs
Example App ID URI
api://<application id>api://fc4d2d73-d05a-4a9b-85a8-4f2b3a5f38ed
api://<id. Tenant>/<application tenant ID>api://a8573488-ff46-450a-b09a-6eca0c6a02dc/fc4d2d73-d05a-4a9b-85a8-4f2b3a5f38ed
api://<tenant ID>/<string>api://a8573488-ff46-450a-b09a-6eca0c6a02dc/api
api://<string>/<application id>api://productapi/fc4d2d73-d05a-4a9b-85a8-4f2b3a5f38ed
https://<verified custom domain>/<string>https://contoso.com/productsapi
https://<string>.<verified custom domain>https://product.contoso.com
https://<string>.<verified custom domain>/<string>https://product.contoso.com/productsapi
  • <application id>- The application identifier (appId) property of the application object.
  • <string>- The string value for the host or segment of the API route.
  • <Id. about the occupant- An Azure generated GUID to represent the tenant in Azure.
  • <tenantInitialDomain>-<tenantInitialDomain>.onmicrosoft.com, Where from<tenantInitialDomain>is the initial domain name that the creator of the tenant specified when creating the tenant.
  • <verified custom domain>- ANDverified custom domainconfigured for your Azure AD tenant.


If you use theapi://Scheme, add a string value right after "api://". For example,api://<string>. This string value can be a GUID or any string. If you add a GUID value, it must match the application ID or tenant ID. The App ID URI value must be unique for its tenant. if you addapi://<ID. about the occupantas App ID URI, no one else can use that URI in another app. The recommendation is to be usedapi://<application id>, instead or the HTTP scheme.


The App ID URI value cannot end with a slash "/".


"identifierUris": "https://contoso.onmicrosoft.com/fc4d2d73-d05a-4a9b-85a8-4f2b3a5f38ed",

atributo informationalUrls

keyvalue type

Include links to the app's terms of service and privacy policy. The terms of use and the privacy policy are displayed to the users via the user consent. For more information, seeHow to: Add Terms of Service and Privacy Statement for Azure AD Registered Applications.


"informationalUrls": { "termsOfService": "https://MyRegisteredApp/termsofservice", "support": "https://MyRegisteredApp/support", "privacy": "https://MyRegisteredApp/privacystatement", "marketing" : "https://MiAplicaciónRegistrada/marketing" },

atributo keyCredentials

keyvalue type

Contains references to application-assigned credentials, string-based shared secrets, and X.509 certificates. These credentials are used when requesting access tokens (when the app is acting as a client rather than a resource).


"keyCredentials": [ { "customKeyIdentifier":null, "endDate":"2018-09-13T00:00:00Z", "keyId":"<guid>", "startDate":"2017-09-12T00:00 :00Z", "tipo":"CertificadoX509Asimétrico", "uso":"Verificar", "valor":null } ],

Attribut KnownCustomersApplications

keyvalue type

Used to bundle consent when you have a solution that consists of two parts: a client application and a custom web API application. If you fill this value with the application ID of the client application, the user of the client application only has to consent once. Azure AD knows that consent to the client means implicit consent to the web API. It automatically provides the service principals for the client and the web API at the same time. The client and the web API application must be registered in the same tenant.


"apliccionesclientesconocidas": ["f7f9accf-ae0c-4d6c-b489-0a81dc1652dd"],


keyvalue type

Read-only value pointing to the CDN URL for the logo uploaded to the portal.


"logoUrl": "https://MyRegisteredAppLogo",


keyvalue type
Unsubscribe URLCorda

The URL to exit the application.


"logoutUrl": "https://MyRegisteredAppLogout",

name attribute

keyvalue type

The display name of the application.


"name": "Myregistered application",

atributo oauth2AllowImplicitFlow

keyvalue type

Indicates whether this web application can request implicit OAuth2.0 flow access tokens. The default is false. This flag is used for browser-based applications, e.g. B. Single-page JavaScript applications. To learn more, enterOAuth 2.0 impliziter Grant-Flowin the table of contents and see the implicit flow topics.


"oauth2AllowImplicitFlow": falso,

Attribut oauth2AllowIdTokenImplicitFlow

keyvalue type

Indicates whether this web application can request OAuth2.0 implicit flow ID tokens. The default is false. This flag is used for browser-based applications, e.g. B. Single-page JavaScript applications.


"oauth2AllowIdTokenImplicitFlow": falso,

Attribut oauth2Permisos

keyvalue type

Specifies the collection of OAuth 2.0 permission scopes that the Web API application (resource) exposes to client applications. These permission scopes can be granted to client applications during consent.


"oauth2Permissions": [ { "adminConsentDescription": "Allow application to access resources on behalf of logged-in user", "adminConsentDisplayName": "Access to resource1", "id": "<guid>", "isEnabled" : true, "type": "User", "userConsentDescription": "Allow application to access resource1 on your behalf"., "userConsentDisplayName": "Access resource", "value": "user_impersonation" } ],


keyvalue type

Specifies whether Azure AD allows POST requests instead of GET requests as part of OAuth 2.0 token requests. The default is false, which indicates that only GET requests are allowed.


"oauth2RequirePostResponse": false,

Attribut parentControlSettings

keyvalue type
Settings for parentsCorda
  • CountriesBlockedForMinoresSpecifies the countries/regions where the app is protected for children.
  • statutory age group regulationindicates the legal age rule that applies to users of the application. can be adjustedTo allow,RequireConsentForPrivacyServices,RequireConsentFor Minors,RequireConsentForChildren, ÖBlocoMinores.


"parentalControlSettings": { "countriesBlockedForMinors": [], "legalAgeGroupRule": "Permission" },

atributo passwordCredentials

keyvalue type

See the description ofkeycredentialsProperty.


"passwordCredentials": [ { "customKeyIdentifier": null, "endDate": "2018-10-19T17:59:59.6521653Z", "keyId": "<guid>", "startDate": "2016-10-19T17: 59:59.6521653Z", "valor":null } ],


keyvalue type
pre-authorized applicationscollection

Lists the apps and permissions requested for tacit consent. Requires that an admin of the app has consented. preAuthorizedApplications does not require the user to accept the requested permissions. Permissions listed under Pre-authorized Applications do not require user consent. However, any additional permissions requested that are not included in the list of pre-authorized applications require user consent.


"Preauthorized Applications": [ { "appId": "abcdefg2-000a-1111-a0e5-812ed8dd72e8", "permissionIds": [ "8748f7db-21fe-4c83-8ab5-53033933c8f1" ] } ],


keyvalue type

The verified publisher's domain for the app. read-only.


"publisherDomain": "{inquilino}.onmicrosoft.com",

Attribut answerUrlsWithType

keyvalue type
entered reply urlcollection

This multi-valued property contains the list of registered "redirect_uri" values ​​that Azure AD accepts as destinations when returning tokens. Each URI value must contain an associated application type value. The supported type values ​​are:

  • Rot
  • client installed
  • Spa

For more information, seeReply URL Constraints and Restrictions.


"replyUrlsWithType": [ { "url": "https://localhost:4400/services/office365/redirectTarget.html", "type": "InstalledClient" } ],

required attributeResourceAccess

keyvalue type

With dynamic consent,requeridoResourceAccessImproves the admin consent experience and the user consent experience for users using static consent. However, this parameter does not control the user consent experience for the general case.

  • resourceAppIdis the unique identifier of the resource to which the application needs access. This value must match the appId declared in the target resource application.
  • resource accessis an array listing the OAuth2.0 permission scopes and application roles that the application needs for the given resource. contains theI would gomiwritesspecified resource values.


"requiredResourceAccess": [ { "resourceAppId": "00000002-0000-0000-c000-000000000000", "resourceAccess": [ { "id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6", "tipo": "Alcance " } ] } ],

samlMetadataUrl Attribute

keyvalue type
saml metadata urlCorda

The SAML metadata URL of the application.


"samlMetadataUrl": "https://MiAplicaciónRegistradaSAMLMetadata",


keyvalue type
Review URLCorda

Specifies the URL of the application's home page.


"signInUrl": "https://MiAplicaciónRegistrada",

atributo signInAudience

keyvalue type

Indicates which Microsoft accounts are compatible with the current app. The supported values ​​are:

  • AzureADMyOrg- Users with a Microsoft work or school account in my organization's Azure AD tenant (e.g., single tenant)
  • AzureADMultipleOrgs- Users with a Microsoft work or school account in any organization's Azure AD tenant (e.g. multi-tenant)
  • AzureADePersonalMicrosoftAccount- Users with a personal Microsoft account or a work or school account in any organization's Azure AD tenant
  • Personal Microsoft account- Personal accounts to log into services like Xbox and Skype.


"signInAudience": "Azure AD and personal Microsoft account",

tag attribute

keyvalue type

Custom strings that can be used to categorize and identify the application.


"tags": ["production application"],

general problems

obvious limits

An application manifest has several attributes called collections; B. appRoles, keyCredentials, unknownClientApplications, identifierUris, redirectUris, requiredResourceAccess and oauth2Permissions. In the full app manifest for each app, the total number of entries in all collections combined was limited to 1,200. Pre-specifying 100 redirect URIs in the app manifest leaves only 1,100 entries that can be used across all other collections together make up the manifest.


If you try to add more than 1200 entries to your app manifest, you might get an error"Error updating application xxxxxx. Error details: The manifest size has exceeded its limit. Please reduce the number of values ​​and try your request again."

unsupported attributes

The application manifest represents the underlying application model schema in Azure AD. As the underlying schema evolves, the manifest editor will be updated from time to time to reflect the new schema. As a result, you may find that new attributes appear in your app's manifest. On rare occasions, you may notice a syntactic or semantic change to existing attributes, or you may notice that an existing attribute is no longer supported. For example, you can see new attributes in theapplication logs, known by a different name in the app registration experience (legacy).

Application Logs (Legacy)application logs
available to other tenantsLoginAudience
display nameName
Error URL-
main pageReview URL
object identificationidentity
public customerAllowPublicClient
Reply URLentered reply url

For descriptions of these attributes, seemanifest referenceSection.

When attempting to load a previously downloaded manifest, you may see one of the following errors. This error is likely caused because the manifest editor now supports a newer version of the schema that doesn't match the version you're trying to load.

  • "Error updating application xxxxxx. Error detail: Invalid object identifier 'undefined'. []."
  • "Error updating application xxxxxx. Error Details: At least one specified property value is invalid. []."
  • "Application xxxxxx could not be updated. Error Detail: Setting availableToOtherTenants is not allowed in this API version for update. []."
  • "Application xxxxxx could not be updated. Error Detail: Updates to the 'replyUrls' property are not allowed for this application. Please use the 'replyUrlsWithType' property instead. []."
  • "Application xxxxxx could not be updated. Error Detail: A value was found without a type name and no expected type is available. If the template is specified, each value in the payload must have a type, which can be specified in the payload either explicitly by the caller or implicitly derived from the parent value.[]"

If you see any of these errors, we recommend the following actions:

  1. Edit the attributes individually in the manifest editor instead of uploading a previously downloaded manifest. Use themanifest referenceTable to understand the syntax and semantics of the old and new attributes so you can properly edit the attributes that are important to you.
  2. If your workflow requires you to store manifests in your source repository for later use, we recommend that you rebuild the manifests stored in your repository with what you see in the fileapplication logsExperience.

Next Steps

  • For more information about the relationship between an application's application and service principal objects, seeCore application and service objects in Azure AD.
  • Watch themMicrosoft identity platform developer glossaryfor definitions of some basic Microsoft identity platform developer concepts.

Please use the comments section below to provide feedback to refine and shape our content.


Top Articles
Latest Posts
Article information

Author: Tyson Zemlak

Last Updated: 28/10/2023

Views: 5660

Rating: 4.2 / 5 (63 voted)

Reviews: 94% of readers found this page helpful

Author information

Name: Tyson Zemlak

Birthday: 1992-03-17

Address: Apt. 662 96191 Quigley Dam, Kubview, MA 42013

Phone: +441678032891

Job: Community-Services Orchestrator

Hobby: Coffee roasting, Calligraphy, Metalworking, Fashion, Vehicle restoration, Shopping, Photography

Introduction: My name is Tyson Zemlak, I am a excited, light, sparkling, super, open, fair, magnificent person who loves writing and wants to share my knowledge and understanding with you.