Create an enterprise application from a multi-tenant application in Azure Active Directory

In this article, you'll learn how to create an enterprise application in your tenant using the client ID for a multi-tenant application. An enterprise application refers to a service principal within a tenant. The service principal discussed in this article is the local representation, or application instance, of a global application object in a single tenant or directory.

Before you proceed to add the application using any of these options, check whether the enterprise application is already in your tenant by attempting to sign in to the application. If the sign-in is successful, the enterprise application already exists in your tenant.

If you have verified that the application isn't in your tenant, proceed with any of the following ways to add the enterprise application to your tenant.

Prerequisites

To add an enterprise application to your Azure AD tenant, you need:

  • An Azure AD user account. If you don't already have one, you can Create an account for free.
  • One of the following roles: Global Administrator, Cloud Application Administrator, or Application Administrator.
  • The client ID (also called appId in Microsoft Graph) of the multi-tenant application.

Create an enterprise application

If you've been provided with the admin consent URL, navigate to the URL through a web browser to grant tenant-wide admin consent to the application. Granting tenant-wide admin consent to the application will add it to your tenant. The tenant-wide admin consent URL has the following format:

https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=248e869f-0e5c-484d-b5ea1fba9563df41&redirect_uri=https://www.your-app-url.com

where:

  • {client-id} is the application's client ID (also known as appId).
  1. Run connect-MgGraph -Scopes "Application.ReadWrite.All" and sign in with a Global Admin user account.

  2. Run the following command to create the enterprise application:

    New-MgServicePrincipal -AppId fc876dd1-6bcb-4304-b9b6-18ddf1526b62
    
  3. To delete the enterprise application you created, run the command:

    Remove-MgServicePrincipal
       -ServicePrincipalId <objectID>
    

You can use an API client such as Graph Explorer to work with Microsoft Graph.

  1. Grant the client app the Application.ReadWrite.All permission.

  2. To create the enterprise application, run the following query. The appId is the client ID of the application.

    POST https://graph.microsoft.com/v1.0/servicePrincipals
    Content-type: application/json
    
    {
      "appId": "fc876dd1-6bcb-4304-b9b6-18ddf1526b62"
    }
    
    
  3. To delete the enterprise application you created, run the query.

    DELETE https://graph.microsoft.com/v1.0/servicePrincipals(appId='fc876dd1-6bcb-4304-b9b6-18ddf1526b62')
    
  1. To create the enterprise application, run the following command:

    az ad sp create --id fc876dd1-6bcb-4304-b9b6-18ddf1526b62
    
  2. To delete the enterprise application you created, run the command:

    az ad sp delete --id
    

Next steps