Understanding the Azure Active Directory Application Manifest - Microsoft (2023)

The application manifest contains a definition of all attributes of an application object in the Microsoft identity platform. It also serves as a mechanism for updating the application object. For more information about the application entity and its schema, see theGraph API application entity documentation.

You can configure an application's attributes through the Azure portal or programmaticallyAPI von Microsoft GraphÖSDK von PowerShell von Microsoft Graph. However, there are some scenarios where you need to edit your app's manifest to set an app's attribute. These scenarios include:

• If you registered your app as multi-user Azure AD and personal Microsoft accounts, you cannot change the supported Microsoft accounts in the UI. Instead, you must use the app manifest editor to change the supported account type.
• To define permissions and features supported by your app, you must modify the app's manifest.

Configure the application manifest

To configure the application manifest:

1. Go toAzure-Portal. Find and select itAzure Active DirectoryService.
2. Selectapplication logs.
3. Select the app you want to configure.
4. From appoverviewside, choose theManifestSection. A web-based manifest editor opens, allowing you to edit the manifest in the portal. Optionally you can selectTo disposeto edit the manifest locally, then useburdento reapply it to your app.

reference manifest

This section describes the attributes found in the application manifest.

attribute it

The unique identifier of the application in the directory. This ID is not the identifier used to identify the application in any protocol transaction. It is used to reference the object in directory queries.

Example:

"id": "f7f9acfc-ae0c-4d6c-b489-0a81dc1652dd",

atributo acceptMappedClaims

As documented noapiApplication-Ressourcentyp, allows an application to use thisclaim mappingwithout specifying a custom subscription key. Applications that receive tokens rely on the claim values ​​being authoritatively issued by Azure AD and cannot be changed. However, if you change the token content through claims assignment policies, these assumptions may no longer be correct. Applications must explicitly acknowledge that the tokens have been modified by the creator of the Claims Mapping Policy to provide protection against Claims Mapping policies created by malicious actors.

Example:

"accept assigned claims": true,

Attribut accessTokenAcceptedVersion

Specifies the version of the access token that the resource is expecting. This parameter changes the version and format of the generated JWT, regardless of the endpoint or client used to request the access token.

The endpoint used, v1.0 or v2.0, is chosen by the client and only affects the version of id_tokens. Resources must be explicitly configuredaccesstokenAcceptedVersionto specify the supported access token format.

Possible values ​​foraccesstokenAcceptedVersionare 1, 2 or zero. If the value is null, the default value of this parameter is 1, which corresponds to the v1.0 endpoint.

SeLoginAudienceit isAzureADePersonalMicrosoftAccount, must be the value2.

Example:

"AccesoTokenAcceptedVersion": 2,

plugins-Attribut

Defines custom behavior that a consuming service can use to invoke an application in specific contexts. For example, applications that can handle file streams can configure theadditionsproperty through its "FileHandler" functionality. This parameter allows services like Microsoft 365 to invoke the app in the context of a document the user is working on.

Example:

"plugins": [ { "id": "968A844F-7A47-430C-9163-07AE7C31D407", "type": "FileHandler", "properties": [ { "key": "version", "value": "2 " } ] } ],

allowPublicClient-Attribut

Specifies the fallback application type. Azure AD infers the application type from answerUrlsWithType by default. There are certain scenarios where Azure AD cannot determine the client application type. An example of such a scenario is theROPCStream where the HTTP request occurs without URL redirection). In these cases, Azure AD interprets the application type based on the value of this property. When this value is set to true, the fallback app type is set to Public Client, e.g. B. An installed app running on a mobile device. The default is false, which means the supporting application type is client-aware, e.g. B. a web application.

Example:

"allowPublicClient": false,

appId-Attribut

Specifies the unique application ID assigned to an application by Azure AD.

Example:

"appId": "601790de-b632-4f57-9523-ee7cb6ceba95",

appRoles-Attribute

Specifies the collection of functions that an application can declare. These roles can be assigned to users, groups, or service principals. For more examples and information, seeAdd application roles to your application and get them as tokens.

Example:

"appRoles": [ { "allowedMemberTypes": [ "User" ], "description": "Read-only access to device information", "displayName": "Read-only", "id": "601790de-b632- 4f57 - 9523- ee7cb6ceba95", "is enabled": true, "value": "Read Only" } ],

Attribute errorUrl

Unsupported.

atributo groupMembershipClaims

Configure theThe groupClaim issued in a user access token or OAuth 2.0 that the application expects. To set this attribute, use one of the following valid string values:

• "Neither"
• "security group"(for Azure AD security groups and roles)
• "application group"(this option includes only groups assigned to the application)
• "directory role"(gets the Azure AD directory roles the user is a member of)
• "at"(This will get all security groups, distribution groups, and Azure AD directory roles that the signed-in user is a member of.)

Example:

"groupMembershipClaims": "Security Group",

optionalClaims-Attribut

The optional claims returned in the token by the security token service for this specific application.

Currently, apps that support person accounts and Azure AD (registered through the app registration portal) can't use optional claims. However, apps registered only in Azure AD using the v2.0 endpoint can retrieve the optional claims requested in the manifest. For more information, seeoptional claims.

Example:

"optionalClaims": null,

identifierUris-Attribut

Custom URIs that uniquely identify a web application in its customer-owned Azure AD tenant or verified domain. When an app is used as a resource app, the value of the URI is used to uniquely identify and access the resource.

The following HTTP scheme and API-based application ID URI formats are supported. Substitute placeholder values ​​as described in the list following the table.

• <application id>- The application identifier (appId) property of the application object.
• <string>- The string value for the host or segment of the API route.
• <Id. about the occupant- An Azure generated GUID to represent the tenant in Azure.
• <tenantInitialDomain>-<tenantInitialDomain>.onmicrosoft.com, Where from<tenantInitialDomain>is the initial domain name that the creator of the tenant specified when creating the tenant.
• <verified custom domain>- ANDverified custom domainconfigured for your Azure AD tenant.

Example:

"identifierUris": "https://contoso.onmicrosoft.com/fc4d2d73-d05a-4a9b-85a8-4f2b3a5f38ed",

atributo informationalUrls

Include links to the app's terms of service and privacy policy. The terms of use and the privacy policy are displayed to the users via the user consent. For more information, seeHow to: Add Terms of Service and Privacy Statement for Azure AD Registered Applications.

Example:

"informationalUrls": { "termsOfService": "https://MyRegisteredApp/termsofservice", "support": "https://MyRegisteredApp/support", "privacy": "https://MyRegisteredApp/privacystatement", "marketing" : "https://MiAplicaciónRegistrada/marketing" },

atributo keyCredentials

Contains references to application-assigned credentials, string-based shared secrets, and X.509 certificates. These credentials are used when requesting access tokens (when the app is acting as a client rather than a resource).

Example:

"keyCredentials": [ { "customKeyIdentifier":null, "endDate":"2018-09-13T00:00:00Z", "keyId":"<guid>", "startDate":"2017-09-12T00:00 :00Z", "tipo":"CertificadoX509Asimétrico", "uso":"Verificar", "valor":null } ],

Attribut KnownCustomersApplications

Used to bundle consent when you have a solution that consists of two parts: a client application and a custom web API application. If you fill this value with the application ID of the client application, the user of the client application only has to consent once. Azure AD knows that consent to the client means implicit consent to the web API. It automatically provides the service principals for the client and the web API at the same time. The client and the web API application must be registered in the same tenant.

Example:

"apliccionesclientesconocidas": ["f7f9accf-ae0c-4d6c-b489-0a81dc1652dd"],

logoUrl-Attribut

Read-only value pointing to the CDN URL for the logo uploaded to the portal.

Example:

"logoUrl": "https://MyRegisteredAppLogo",

logoutUrl-Attribut

The URL to exit the application.

Example:

"logoutUrl": "https://MyRegisteredAppLogout",

name attribute

The display name of the application.

Example:

"name": "Myregistered application",

atributo oauth2AllowImplicitFlow

Indicates whether this web application can request implicit OAuth2.0 flow access tokens. The default is false. This flag is used for browser-based applications, e.g. B. Single-page JavaScript applications. To learn more, enterOAuth 2.0 impliziter Grant-Flowin the table of contents and see the implicit flow topics.

Example:

"oauth2AllowImplicitFlow": falso,

Attribut oauth2AllowIdTokenImplicitFlow

Indicates whether this web application can request OAuth2.0 implicit flow ID tokens. The default is false. This flag is used for browser-based applications, e.g. B. Single-page JavaScript applications.

Example:

"oauth2AllowIdTokenImplicitFlow": falso,

Attribut oauth2Permisos

Specifies the collection of OAuth 2.0 permission scopes that the Web API application (resource) exposes to client applications. These permission scopes can be granted to client applications during consent.

Example:

"oauth2Permissions": [ { "adminConsentDescription": "Allow application to access resources on behalf of logged-in user", "adminConsentDisplayName": "Access to resource1", "id": "<guid>", "isEnabled" : true, "type": "User", "userConsentDescription": "Allow application to access resource1 on your behalf"., "userConsentDisplayName": "Access resource", "value": "user_impersonation" } ],

oauth2RequiredPostResponse-Attribut

Specifies whether Azure AD allows POST requests instead of GET requests as part of OAuth 2.0 token requests. The default is false, which indicates that only GET requests are allowed.

Example:

"oauth2RequirePostResponse": false,

Attribut parentControlSettings

• CountriesBlockedForMinoresSpecifies the countries/regions where the app is protected for children.
• statutory age group regulationindicates the legal age rule that applies to users of the application. can be adjustedTo allow,RequireConsentForPrivacyServices,RequireConsentFor Minors,RequireConsentForChildren, ÖBlocoMinores.

Example:

"parentalControlSettings": { "countriesBlockedForMinors": [], "legalAgeGroupRule": "Permission" },

atributo passwordCredentials

See the description ofkeycredentialsProperty.

Example:

"passwordCredentials": [ { "customKeyIdentifier": null, "endDate": "2018-10-19T17:59:59.6521653Z", "keyId": "<guid>", "startDate": "2016-10-19T17: 59:59.6521653Z", "valor":null } ],

preAuthorizedApplications-Attribut

Lists the apps and permissions requested for tacit consent. Requires that an admin of the app has consented. preAuthorizedApplications does not require the user to accept the requested permissions. Permissions listed under Pre-authorized Applications do not require user consent. However, any additional permissions requested that are not included in the list of pre-authorized applications require user consent.

Example:

"Preauthorized Applications": [ { "appId": "abcdefg2-000a-1111-a0e5-812ed8dd72e8", "permissionIds": [ "8748f7db-21fe-4c83-8ab5-53033933c8f1" ] } ],

domaineditor-Attribute

The verified publisher's domain for the app. read-only.

Example:

"publisherDomain": "{inquilino}.onmicrosoft.com",

Attribut answerUrlsWithType

This multi-valued property contains the list of registered "redirect_uri" values ​​that Azure AD accepts as destinations when returning tokens. Each URI value must contain an associated application type value. The supported type values ​​are:

• Rot
• client installed
• Spa

For more information, seeReply URL Constraints and Restrictions.

Example:

"replyUrlsWithType": [ { "url": "https://localhost:4400/services/office365/redirectTarget.html", "type": "InstalledClient" } ],

required attributeResourceAccess

With dynamic consent,requeridoResourceAccessImproves the admin consent experience and the user consent experience for users using static consent. However, this parameter does not control the user consent experience for the general case.

• resourceAppIdis the unique identifier of the resource to which the application needs access. This value must match the appId declared in the target resource application.
• resource accessis an array listing the OAuth2.0 permission scopes and application roles that the application needs for the given resource. contains theI would gomiwritesspecified resource values.

Example:

"requiredResourceAccess": [ { "resourceAppId": "00000002-0000-0000-c000-000000000000", "resourceAccess": [ { "id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6", "tipo": "Alcance " } ] } ],

samlMetadataUrl Attribute

The SAML metadata URL of the application.

Example:

"samlMetadataUrl": "https://MiAplicaciónRegistradaSAMLMetadata",

signInUrl-Attribut

Specifies the URL of the application's home page.

Example:

"signInUrl": "https://MiAplicaciónRegistrada",

atributo signInAudience

Indicates which Microsoft accounts are compatible with the current app. The supported values ​​are:

• AzureADMyOrg- Users with a Microsoft work or school account in my organization's Azure AD tenant (e.g., single tenant)
• AzureADMultipleOrgs- Users with a Microsoft work or school account in any organization's Azure AD tenant (e.g. multi-tenant)
• AzureADePersonalMicrosoftAccount- Users with a personal Microsoft account or a work or school account in any organization's Azure AD tenant
• Personal Microsoft account- Personal accounts to log into services like Xbox and Skype.

Example:

"signInAudience": "Azure AD and personal Microsoft account",

tag attribute

Custom strings that can be used to categorize and identify the application.

Example:

"tags": ["production application"],

general problems

obvious limits

An application manifest has several attributes called collections; B. appRoles, keyCredentials, unknownClientApplications, identifierUris, redirectUris, requiredResourceAccess and oauth2Permissions. In the full app manifest for each app, the total number of entries in all collections combined was limited to 1,200. Pre-specifying 100 redirect URIs in the app manifest leaves only 1,100 entries that can be used across all other collections together make up the manifest.

unsupported attributes

The application manifest represents the underlying application model schema in Azure AD. As the underlying schema evolves, the manifest editor will be updated from time to time to reflect the new schema. As a result, you may find that new attributes appear in your app's manifest. On rare occasions, you may notice a syntactic or semantic change to existing attributes, or you may notice that an existing attribute is no longer supported. For example, you can see new attributes in theapplication logs, known by a different name in the app registration experience (legacy).

For descriptions of these attributes, seemanifest referenceSection.

When attempting to load a previously downloaded manifest, you may see one of the following errors. This error is likely caused because the manifest editor now supports a newer version of the schema that doesn't match the version you're trying to load.

• "Error updating application xxxxxx. Error detail: Invalid object identifier 'undefined'. []."
• "Error updating application xxxxxx. Error Details: At least one specified property value is invalid. []."
• "Application xxxxxx could not be updated. Error Detail: Setting availableToOtherTenants is not allowed in this API version for update. []."
• "Application xxxxxx could not be updated. Error Detail: Updates to the 'replyUrls' property are not allowed for this application. Please use the 'replyUrlsWithType' property instead. []."
• "Application xxxxxx could not be updated. Error Detail: A value was found without a type name and no expected type is available. If the template is specified, each value in the payload must have a type, which can be specified in the payload either explicitly by the caller or implicitly derived from the parent value.[]"

If you see any of these errors, we recommend the following actions:

1. Edit the attributes individually in the manifest editor instead of uploading a previously downloaded manifest. Use themanifest referenceTable to understand the syntax and semantics of the old and new attributes so you can properly edit the attributes that are important to you.
2. If your workflow requires you to store manifests in your source repository for later use, we recommend that you rebuild the manifests stored in your repository with what you see in the fileapplication logsExperience.

Next Steps

• For more information about the relationship between an application's application and service principal objects, seeCore application and service objects in Azure AD.
• Watch themMicrosoft identity platform developer glossaryfor definitions of some basic Microsoft identity platform developer concepts.

Please use the comments section below to provide feedback to refine and shape our content.