az ad app
Manage Microsoft Entra applications.
Commands
Name | Description | Type | Status |
---|---|---|---|
az ad app create | Create an application. | Core | GA |
az ad app credential | Manage an application's password or certificate credentials. | Core | GA |
az ad app credential delete | Delete an application's password or certificate credentials. | Core | GA |
az ad app credential list | List an application's password or certificate credential metadata (the content of the password or certificate credential is not retrievable). | Core | GA |
az ad app credential reset | Reset an application's password or certificate credentials. | Core | GA |
az ad app delete | Delete an application. | Core | GA |
az ad app federated-credential | Manage application federated identity credentials. | Core | GA |
az ad app federated-credential create | Create an application federated identity credential. | Core | GA |
az ad app federated-credential delete | Delete an application federated identity credential. | Core | GA |
az ad app federated-credential list | List application federated identity credentials. | Core | GA |
az ad app federated-credential show | Show an application federated identity credential. | Core | GA |
az ad app federated-credential update | Update an application federated identity credential. | Core | GA |
az ad app list | List applications. | Core | GA |
az ad app owner | Manage application owners. | Core | GA |
az ad app owner add | Add an application owner. | Core | GA |
az ad app owner list | List application owners. | Core | GA |
az ad app owner remove | Remove an application owner. | Core | GA |
az ad app permission | Manage an application's OAuth2 permissions. | Core | GA |
az ad app permission add | Add an API permission. | Core | GA |
az ad app permission admin-consent | Grant Application & Delegated permissions through admin consent. | Core | GA |
az ad app permission delete | Remove an API permission. | Core | GA |
az ad app permission grant | Grant the app API delegated permissions. | Core | GA |
az ad app permission list | List API permissions the application has requested. | Core | GA |
az ad app permission list-grants | List OAuth2 permission grants. | Core | GA |
az ad app show | Get the details of an application. | Core | GA |
az ad app update | Update an application. | Core | GA |
az ad app create
Create an application.
For more detailed documentation, see https://learn.microsoft.com/graph/api/resources/application.
az ad app create --display-name
[--app-roles]
[--enable-access-token-issuance {false, true}]
[--enable-id-token-issuance {false, true}]
[--end-date]
[--identifier-uris]
[--is-fallback-public-client {false, true}]
[--key-display-name]
[--key-type {AsymmetricX509Cert, Password, Symmetric}]
[--key-usage {Sign, Verify}]
[--key-value]
[--optional-claims]
[--public-client-redirect-uris]
[--requested-access-token-version]
[--required-resource-accesses]
[--service-management-reference]
[--sign-in-audience {AzureADMultipleOrgs, AzureADMyOrg, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount}]
[--start-date]
[--web-home-page-url]
[--web-redirect-uris]
Examples
Create an application.
az ad app create --display-name mytestapp
Create an application that can fall back to a public client, requesting the Microsoft Graph delegated permission User.Read
az ad app create --display-name my-public --is-fallback-public-client --required-resource-accesses @manifest.json
("manifest.json" contains the following content)
[{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
"type": "Scope"
}
]
}]
Create an application with a role
az ad app create --display-name mytestapp --identifier-uris https://mytestapp.websites.net --app-roles @manifest.json
("manifest.json" contains the following content)
[{
"allowedMemberTypes": [
"User"
],
"description": "Approvers can mark documents as approved",
"displayName": "Approver",
"isEnabled": "true",
"value": "approver"
}]
Create an application with optional claims
az ad app create --display-name mytestapp --optional-claims @manifest.json
("manifest.json" contains the following content)
{
"idToken": [
{
"name": "auth_time",
"essential": false
}
],
"accessToken": [
{
"name": "ipaddr",
"essential": false
}
],
"saml2Token": [
{
"name": "upn",
"essential": false
},
{
"name": "extension_ab603c56068041afb2f6832e2a17e237_skypeId",
"source": "user",
"essential": false
}
]
}
Required Parameters
--display-name
The display name of the application.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--app-roles
The collection of roles assigned to the application. With app role assignments, these roles can be assigned to users, groups, or service principals associated with other applications. Should be a JSON file path or an in-line JSON string. See examples for details.
Property | Value |
---|---|
Parameter group: | JSON property Arguments |
--enable-access-token-issuance
Specifies whether this web application can request an access token using the OAuth 2.0 implicit flow. The implicit flow is a legacy grant; leave it disabled unless the application cannot use the authorization code flow.
Property | Value |
---|---|
Parameter group: | web Arguments |
Accepted values: | false, true |
--enable-id-token-issuance
Specifies whether this web application can request an ID token using the OAuth 2.0 implicit flow.
Property | Value |
---|---|
Parameter group: | web Arguments |
Accepted values: | false, true |
--end-date
Date or datetime after which credentials expire (e.g. '2017-12-31T11:59:59+00:00' or '2017-12-31'). Default value is one year after the current time.
Property | Value |
---|---|
Parameter group: | keyCredential Arguments |
--identifier-uris
Space-separated values. Also known as App ID URI, this value is set when an application is used as a resource app. The identifierUris acts as the prefix for the scopes you'll reference in your API's code, and it must be globally unique. You can use the default value provided, which is in the form api://<application-client-id>, or specify a more readable URI like https://contoso.com/api.
--is-fallback-public-client
Specifies the fallback application type as public client, such as an installed application running on a mobile device. The default value is false, which means the fallback application type is confidential client, such as a web app.
Property | Value |
---|---|
Accepted values: | false, true |
--key-display-name
Friendly name for the key.
Property | Value |
---|---|
Parameter group: | keyCredential Arguments |
--key-type
The type of the key credentials associated with the application.
Property | Value |
---|---|
Parameter group: | keyCredential Arguments |
Default value: | AsymmetricX509Cert |
Accepted values: | AsymmetricX509Cert, Password, Symmetric |
--key-usage
The usage of the key credentials associated with the application.
Property | Value |
---|---|
Parameter group: | keyCredential Arguments |
Default value: | Verify |
Accepted values: | Sign, Verify |
--key-value
The value for the key credentials associated with the application. It is passed as a command-line argument and so ends up in shell history and process listings; treat Password and Symmetric values as secrets accordingly.
Property | Value |
---|---|
Parameter group: | keyCredential Arguments |
--optional-claims
Application developers can configure optional claims in their Microsoft Entra applications to specify the claims that are sent to their application by the Microsoft security token service. For more information, see https://learn.microsoft.com/azure/active-directory/develop/active-directory-optional-claims. Should be a JSON file path or an in-line JSON string. See examples for details.
Property | Value |
---|---|
Parameter group: | JSON property Arguments |
--public-client-redirect-uris
Space-separated values. Specifies the URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent.
Property | Value |
---|---|
Parameter group: | publicClient Arguments |
--requested-access-token-version
Specifies the access token version expected by this resource. This changes the version and format of the JWT produced, independent of the endpoint or client used to request the access token. Possible values are 1, 2, or null (null defaults to 1, the v1.0 format); if the sign-in audience is AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount, the value must be 2.
Property | Value |
---|---|
Parameter group: | api Arguments |
--required-resource-accesses
Specifies the resources that the application needs to access. This property also specifies the set of delegated permissions and application roles that it needs for each of those resources. This configuration of access to the required resources drives the consent experience. Should be a JSON file path or an in-line JSON string. See examples for details.
Property | Value |
---|---|
Parameter group: | JSON property Arguments |
--service-management-reference
References application or service contact information from a Service or Asset Management database.
--sign-in-audience
Specifies the Microsoft accounts that are supported for the current application.
Property | Value |
---|---|
Accepted values: | AzureADMultipleOrgs, AzureADMyOrg, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount |
--start-date
Date or datetime at which credentials become valid (e.g. '2017-01-01T01:00:00+00:00' or '2017-01-01'). Default value is the current time.
Property | Value |
---|---|
Parameter group: | keyCredential Arguments |
--web-home-page-url
Home page or landing page of the application.
Property | Value |
---|---|
Parameter group: | web Arguments |
--web-redirect-uris
Space-separated values. Specifies the URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent.
Property | Value |
---|---|
Parameter group: | web Arguments |
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
Property | Value |
---|---|
Default value: | False |
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
Property | Value |
---|---|
Default value: | False |
--output -o
Output format.
Property | Value |
---|---|
Default value: | json |
Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
Property | Value |
---|---|
Default value: | False |
az ad app delete
Delete an application.
az ad app delete --id
Examples
Delete an application. (autogenerated)
az ad app delete --id 00000000-0000-0000-0000-000000000000
Required Parameters
--id
Identifier URI, application id, or object id.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
Property | Value |
---|---|
Default value: | False |
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
Property | Value |
---|---|
Default value: | False |
--output -o
Output format.
Property | Value |
---|---|
Default value: | json |
Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
Property | Value |
---|---|
Default value: | False |
az ad app list
List applications.
For low latency, only the first 100 applications are returned by default, unless you provide filter arguments or use "--all".
az ad app list [--all]
[--app-id]
[--display-name]
[--filter]
[--identifier-uri]
[--show-mine]
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--all
List all entities; expect a long delay in a large organization.
--app-id
Application id.
--display-name
The display name of the application.
--filter
OData filter on application properties, e.g. --filter "displayName eq 'test'".
--identifier-uri
Graph application identifier; must be in URI format.
--show-mine
List entities owned by the current user.
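A tenant-wide review of application registrations starts from this command. The following Python script is an added example, not Azure CLI code: it audits the JSON that `az ad app list --all -o json` returns for the settings a security reviewer looks for first, namely the implicit flow being enabled, a sign-in audience wider than the home tenant, public-client fallback, non-localhost http or wildcard redirect URIs, and client secrets (flagged separately once expired). The property names are those of the Microsoft Graph application object the CLI returns unchanged; the two sample applications, the finding codes, FIXED_NOW and the function names are constructed for the example. Remember the page's own caveat: without --all only the first 100 applications come back, so an audit run without it is incomplete.

```python
"""Audit `az ad app list --all -o json` output for risky registration settings.

Added example for this page, not Azure CLI code. Field names are those of the
Microsoft Graph application object the CLI returns; the sample records, the
finding codes, FIXED_NOW and the function names are this example's own.
"""
import json
import re
import sys
from datetime import datetime, timezone
from urllib.parse import urlparse

# Reference clock for the constructed sample, so expiry checks are reproducible.
FIXED_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

# Two constructed applications: one with several weak settings, one clean.
SAMPLE = json.loads(r"""
[
  {"appId": "11111111-1111-1111-1111-111111111111", "displayName": "payroll-web",
   "signInAudience": "AzureADMultipleOrgs", "isFallbackPublicClient": false,
   "web": {"redirectUris": ["https://payroll.contoso.com/signin-oidc", "http://payroll-test.contoso.com/cb"],
           "implicitGrantSettings": {"enableAccessTokenIssuance": true, "enableIdTokenIssuance": false}},
   "publicClient": {"redirectUris": []}, "spa": {"redirectUris": []},
   "passwordCredentials": [{"displayName": "old-secret", "endDateTime": "2023-01-01T00:00:00Z"}],
   "keyCredentials": []},
  {"appId": "22222222-2222-2222-2222-222222222222", "displayName": "build-agent",
   "signInAudience": "AzureADMyOrg", "isFallbackPublicClient": false,
   "web": {"redirectUris": [], "implicitGrantSettings": {"enableAccessTokenIssuance": false, "enableIdTokenIssuance": false}},
   "publicClient": {"redirectUris": ["http://localhost:8400/"]}, "spa": {"redirectUris": []},
   "passwordCredentials": [],
   "keyCredentials": [{"displayName": "CN=build-agent", "endDateTime": "2030-01-01T00:00:00.0000000Z"}]}
]
""")


def _expired(cred, now):
    """True when the credential's endDateTime lies in the past. Graph may emit
    7-digit fractional seconds and a trailing Z, which fromisoformat() on older
    Pythons rejects, so normalise the timestamp first."""
    end = cred.get("endDateTime")
    if not end:
        return False
    end = re.sub(r"\.\d+", "", end).replace("Z", "+00:00")
    return datetime.fromisoformat(end) < now


def audit_application(app, now=None):
    """Return (code, detail) findings for one application object."""
    now = now or datetime.now(timezone.utc)
    findings = []
    implicit = (app.get("web") or {}).get("implicitGrantSettings") or {}
    if implicit.get("enableAccessTokenIssuance"):
        findings.append(("IMPLICIT_ACCESS_TOKEN", "implicit flow can issue access tokens"))
    if implicit.get("enableIdTokenIssuance"):
        findings.append(("IMPLICIT_ID_TOKEN", "implicit flow can issue ID tokens"))
    if app.get("signInAudience") != "AzureADMyOrg":
        findings.append(("AUDIENCE", f"signInAudience is {app.get('signInAudience')}"))
    if app.get("isFallbackPublicClient"):
        findings.append(("PUBLIC_CLIENT_FALLBACK", "isFallbackPublicClient is true"))
    for section in ("web", "publicClient", "spa"):
        for uri in (app.get(section) or {}).get("redirectUris") or []:
            parsed = urlparse(uri)
            if parsed.scheme == "http" and parsed.hostname not in ("localhost", "127.0.0.1"):
                findings.append(("HTTP_REDIRECT", f"{section}: {uri}"))
            if "*" in uri:
                findings.append(("WILDCARD_REDIRECT", f"{section}: {uri}"))
    for cred in app.get("passwordCredentials") or []:
        code = "EXPIRED_SECRET" if _expired(cred, now) else "CLIENT_SECRET"
        findings.append((code, cred.get("displayName") or "(unnamed)"))
    for cred in app.get("keyCredentials") or []:
        if _expired(cred, now):
            findings.append(("EXPIRED_CERT", cred.get("displayName") or "(unnamed)"))
    return findings


def audit_tenant(apps, now=None):
    """Map appId -> findings for every application that has at least one."""
    result = {}
    for app in apps:
        findings = audit_application(app, now)
        if findings:
            result[app["appId"]] = findings
    return result


if __name__ == "__main__":
    # Real run:  az ad app list --all -o json | python3 audit_apps.py
    apps = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for app_id, findings in audit_tenant(apps).items():
        for code, detail in findings:
            print(f"{app_id}\t{code}\t{detail}")
```

Each finding maps to a command on this page: the implicit-flow and audience findings are fixed with `az ad app update --id <appId> --enable-access-token-issuance false` or `--sign-in-audience AzureADMyOrg`, redirect URIs with `--web-redirect-uris`, and leftover secrets with `az ad app credential delete`.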
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
Property | Value |
---|---|
Default value: | False |
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
Property | Value |
---|---|
Default value: | False |
--output -o
Output format.
Property | Value |
---|---|
Default value: | json |
Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
Property | Value |
---|---|
Default value: | False |
az ad app show
Get the details of an application.
az ad app show --id
Examples
Get the details of an application with appId.
az ad app show --id 00000000-0000-0000-0000-000000000000
Get the details of an application with its object id.
az ad app show --id 00000000-0000-0000-0000-000000000000
Get the details of an application with identifier URI.
az ad app show --id api://myapp
Required Parameters
--id
Identifier URI, application id, or object id.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
Property | Value |
---|---|
Default value: | False |
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
Property | Value |
---|---|
Default value: | False |
--output -o
Output format.
Property | Value |
---|---|
Default value: | json |
Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
Property | Value |
---|---|
Default value: | False |
az ad app update
Update an application.
az ad app update --id
[--add]
[--app-roles]
[--display-name]
[--enable-access-token-issuance {false, true}]
[--enable-id-token-issuance {false, true}]
[--end-date]
[--force-string]
[--identifier-uris]
[--is-fallback-public-client {false, true}]
[--key-display-name]
[--key-type {AsymmetricX509Cert, Password, Symmetric}]
[--key-usage {Sign, Verify}]
[--key-value]
[--optional-claims]
[--public-client-redirect-uris]
[--remove]
[--requested-access-token-version]
[--required-resource-accesses]
[--service-management-reference]
[--set]
[--sign-in-audience {AzureADMultipleOrgs, AzureADMyOrg, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount}]
[--start-date]
[--web-home-page-url]
[--web-redirect-uris]
Examples
Update an application with Microsoft Graph delegated permission User.Read
az ad app update --id e042ec79-34cd-498f-9d9f-123456781234 --required-resource-accesses @manifest.json
("manifest.json" contains the following content)
[{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
"type": "Scope"
}
]
}]
Declare an application role
az ad app update --id e042ec79-34cd-498f-9d9f-123456781234 --app-roles @manifest.json
("manifest.json" contains the following content)
[{
"allowedMemberTypes": [
"User"
],
"description": "Approvers can mark documents as approved",
"displayName": "Approver",
"isEnabled": "true",
"value": "approver"
}]
Update optional claims
az ad app update --id e042ec79-34cd-498f-9d9f-123456781234 --optional-claims @manifest.json
("manifest.json" contains the following content)
{
"idToken": [
{
"name": "auth_time",
"essential": false
}
],
"accessToken": [
{
"name": "ipaddr",
"essential": false
}
],
"saml2Token": [
{
"name": "upn",
"essential": false
},
{
"name": "extension_ab603c56068041afb2f6832e2a17e237_skypeId",
"source": "user",
"essential": false
}
]
}
Update an application's group membership claims to "All"
az ad app update --id e042ec79-34cd-498f-9d9f-123456781234 --set groupMembershipClaims=All
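Both `--required-resource-accesses` and `--app-roles` take the whole collection as JSON, and on update the list you pass replaces what the application already has (Graph PATCH semantics), so it is safer to generate and merge the manifest than to hand-edit it. The following Python script is an added example, not Azure CLI code, serving the manifest.json files shown for both `az ad app create` and `az ad app update` above. The Microsoft Graph resource id and the User.Read scope id are the ones in the page's examples; ROLE_PLACEHOLDER (a dummy GUID standing in for a real application-permission id) and the helper names are this example's own. It also enforces what Graph expects of an appRole: a GUID id per role, a boolean isEnabled, allowedMemberTypes drawn from User/Application, and a claim value without spaces.

```python
"""Build and merge the JSON manifests that `az ad app create` and `az ad app update`
read through --required-resource-accesses and --app-roles.

Added example for this page, not Azure CLI code. The helper names are this
example's own. The Microsoft Graph resource id and the User.Read scope id are
the ones shown in the page's manifest.json examples; ROLE_PLACEHOLDER is a
dummy GUID standing in for a real application-permission id.
"""
import json
import re
import uuid

MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource (from the page)
GRAPH_USER_READ = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"  # Graph User.Read delegated scope (from the page)
ROLE_PLACEHOLDER = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real permission id

_GUID = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
# Characters Microsoft Graph allows in appRole.value; the space is not among them.
_ROLE_VALUE = re.compile(r"^[A-Za-z0-9!#$:\-.+/=?@\[\]^_{}~]{1,120}$")


def is_guid(value):
    return bool(value) and _GUID.match(value) is not None


def _guid(value, what):
    if not is_guid(value):
        raise ValueError(f"{what} is not a GUID: {value!r}")
    return value.lower()


def build_required_resource_access(resource_app_id, scopes=(), roles=()):
    """One requiredResourceAccess entry for a single resource application:
    delegated permissions are type 'Scope', application permissions type 'Role'."""
    access = [{"id": _guid(s, "scope id"), "type": "Scope"} for s in scopes]
    access += [{"id": _guid(r, "role id"), "type": "Role"} for r in roles]
    if not access:
        raise ValueError("at least one scope or role is required")
    return {"resourceAppId": _guid(resource_app_id, "resourceAppId"), "resourceAccess": access}


def merge_required_resource_access(existing, additions):
    """`az ad app update --required-resource-accesses` sends the list as a whole and
    Graph PATCH replaces the collection, so merge additions into what
    `az ad app show --query requiredResourceAccess` returned instead of
    overwriting it. Entries for the same resourceAppId are combined and
    duplicate (id, type) pairs dropped."""
    by_resource = {}
    for entry in list(existing) + list(additions):
        rid = entry["resourceAppId"].lower()
        bucket = by_resource.setdefault(rid, {"resourceAppId": rid, "resourceAccess": []})
        seen = {(a["id"].lower(), a["type"]) for a in bucket["resourceAccess"]}
        for a in entry["resourceAccess"]:
            key = (a["id"].lower(), a["type"])
            if key not in seen:
                bucket["resourceAccess"].append({"id": key[0], "type": key[1]})
                seen.add(key)
    return list(by_resource.values())


def build_app_role(display_name, value, description, member_types=("User",), role_id=None):
    """One appRole entry. Graph wants a GUID id per role (generated when not given),
    a boolean isEnabled, allowedMemberTypes from {'User', 'Application'} and a
    claim value without spaces."""
    allowed = {"User", "Application"}
    if not member_types or not set(member_types) <= allowed:
        raise ValueError(f"allowedMemberTypes must be a non-empty subset of {sorted(allowed)}")
    if not _ROLE_VALUE.match(value):
        raise ValueError(f"appRole value not allowed: {value!r}")
    return {
        "id": _guid(role_id, "role id") if role_id else str(uuid.uuid4()),
        "allowedMemberTypes": sorted(set(member_types)),
        "description": description,
        "displayName": display_name,
        "isEnabled": True,
        "value": value,
    }


def write_manifest(path, payload):
    """Write the file that `--required-resource-accesses @path` or `--app-roles @path` reads."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(payload, fh, indent=2)


if __name__ == "__main__":
    # Constructed 'current' state standing in for `az ad app show` output.
    current = [build_required_resource_access(MS_GRAPH_APP_ID, scopes=[GRAPH_USER_READ])]
    wanted = build_required_resource_access(MS_GRAPH_APP_ID, roles=[ROLE_PLACEHOLDER])
    write_manifest("manifest.json", merge_required_resource_access(current, [wanted]))
    write_manifest("roles.json", [build_app_role("Approver", "approver",
                                                 "Approvers can mark documents as approved")])
    # then: az ad app update --id <app> --required-resource-accesses @manifest.json --app-roles @roles.json
```

Fetch the current collection with `az ad app show --id <app> --query requiredResourceAccess -o json`, pass it as `existing`, and feed the merged output back through `--required-resource-accesses @manifest.json`; the same pattern applies to `--app-roles`, where dropping a role from the list removes it from the application.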
Required Parameters
--id
Identifier URI, application id, or object id.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--add
Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.
Property | Value |
---|---|
Parameter group: | Generic Update Arguments |
Default value: | [] |
--app-roles
The collection of roles assigned to the application. With app role assignments, these roles can be assigned to users, groups, or service principals associated with other applications. Should be a JSON file path or an in-line JSON string. The supplied collection replaces the application's existing app roles. See examples for details.
Property | Value |
---|---|
Parameter group: | JSON property Arguments |
--display-name
The display name of the application.
--enable-access-token-issuance
Specifies whether this web application can request an access token using the OAuth 2.0 implicit flow. The implicit flow is a legacy grant; leave it disabled unless the application cannot use the authorization code flow.
Property | Value |
---|---|
Parameter group: | web Arguments |
Accepted values: | false, true |
--enable-id-token-issuance
Specifies whether this web application can request an ID token using the OAuth 2.0 implicit flow.
Property | Value |
---|---|
Parameter group: | web Arguments |
Accepted values: | false, true |
--end-date
Date or datetime after which credentials expire (e.g. '2017-12-31T11:59:59+00:00' or '2017-12-31'). Default value is one year after the current time.
Property | Value |
---|---|
Parameter group: | keyCredential Arguments |
--force-string
When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.
Property | Value |
---|---|
Parameter group: | Generic Update Arguments |
Default value: | False |
--identifier-uris
Space-separated values. Also known as App ID URI, this value is set when an application is used as a resource app. The identifierUris acts as the prefix for the scopes you'll reference in your API's code, and it must be globally unique. You can use the default value provided, which is in the form api://<application-client-id>, or specify a more readable URI like https://contoso.com/api.
--is-fallback-public-client
Specifies the fallback application type as public client, such as an installed application running on a mobile device. The default value is false, which means the fallback application type is confidential client, such as a web app.
Property | Value |
---|---|
Accepted values: | false, true |
--key-display-name
Friendly name for the key.
Property | Value |
---|---|
Parameter group: | keyCredential Arguments |
--key-type
The type of the key credentials associated with the application.
Property | Value |
---|---|
Parameter group: | keyCredential Arguments |
Default value: | AsymmetricX509Cert |
Accepted values: | AsymmetricX509Cert, Password, Symmetric |
--key-usage
The usage of the key credentials associated with the application.
Property | Value |
---|---|
Parameter group: | keyCredential Arguments |
Default value: | Verify |
Accepted values: | Sign, Verify |
--key-value
The value for the key credentials associated with the application. It is passed as a command-line argument and so ends up in shell history and process listings; treat Password and Symmetric values as secrets accordingly.
Property | Value |
---|---|
Parameter group: | keyCredential Arguments |
--optional-claims
Application developers can configure optional claims in their Microsoft Entra applications to specify the claims that are sent to their application by the Microsoft security token service. For more information, see https://learn.microsoft.com/azure/active-directory/develop/active-directory-optional-claims. Should be a JSON file path or an in-line JSON string. See examples for details.
Property | Value |
---|---|
Parameter group: | JSON property Arguments |
--public-client-redirect-uris
Space-separated values. Specifies the URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent.
Property | Value |
---|---|
Parameter group: | publicClient Arguments |
--remove
Remove a property or an element from a list. Example: --remove property.list <indexToRemove> OR --remove propertyToRemove.
Property | Value |
---|---|
Parameter group: | Generic Update Arguments |
Default value: | [] |
--requested-access-token-version
Specifies the access token version expected by this resource. This changes the version and format of the JWT produced, independent of the endpoint or client used to request the access token. Possible values are 1, 2, or null (null defaults to 1, the v1.0 format); if the sign-in audience is AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount, the value must be 2.
Property | Value |
---|---|
Parameter group: | api Arguments |
--required-resource-accesses
Specifies the resources that the application needs to access. This property also specifies the set of delegated permissions and application roles that it needs for each of those resources. This configuration of access to the required resources drives the consent experience. Should be a JSON file path or an in-line JSON string. The supplied collection replaces the application's existing required resource access, so include every permission the application should keep. See examples for details.
Property | Value |
---|---|
Parameter group: | JSON property Arguments |
--service-management-reference
References application or service contact information from a Service or Asset Management database.
--set
Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>.
Property | Value |
---|---|
Parameter group: | Generic Update Arguments |
Default value: | [] |
--sign-in-audience
Specifies the Microsoft accounts that are supported for the current application.
Property | Value |
---|---|
Accepted values: | AzureADMultipleOrgs, AzureADMyOrg, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount |
--start-date
Date or datetime at which credentials become valid (e.g. '2017-01-01T01:00:00+00:00' or '2017-01-01'). Default value is the current time.
Property | Value |
---|---|
Parameter group: | keyCredential Arguments |
--web-home-page-url
Home page or landing page of the application.
Property | Value |
---|---|
Parameter group: | web Arguments |
--web-redirect-uris
Space-separated values. Specifies the URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent.
Property | Value |
---|---|
Parameter group: | web Arguments |
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
Property | Value |
---|---|
Default value: | False |
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
Property | Value |
---|---|
Default value: | False |
--output -o
Output format.
Property | Value |
---|---|
Default value: | json |
Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
Property | Value |
---|---|
Default value: | False |