Create an enterprise application from a multitenant application

In this article, you learn how to create an enterprise application in your tenant using the client ID for a multitenant application. An enterprise application refers to a service principal within a tenant. The service principal discussed in this article is the local representation, or application instance, of a global application object in a single tenant or directory.

Before you proceed to add the application using any of these options, check whether the enterprise application is already in your tenant by attempting to sign in to the application. If the sign-in is successful, the enterprise application already exists in your tenant.

If you verify that the application isn't in your tenant, proceed with any of the following ways to add the enterprise application to your tenant.

Prerequisites

To add an enterprise application to your Microsoft Entra tenant, you need:

  • A Microsoft Entra user account. If you don't already have one, you can Create an account for free.
  • One of the following roles: Cloud Application Administrator or Application Administrator.
  • The client ID (also called appId in Microsoft Graph) of the multitenant application.

Create an enterprise application

If you're provided with the admin consent URL, navigate to the URL through a web browser and sign in with an account that holds the Cloud Application Administrator or Application Administrator role to grant tenant-wide admin consent to the application. Granting tenant-wide admin consent to the application adds it to your tenant. The tenant-wide admin consent URL has the following format:

https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id={client-id}&redirect_uri={redirect-uri}&prompt=admin_consent

Where:

  • {client-id} is the application's client ID (also known as appId). Compare it with the client ID the application's publisher gave you before you consent: the consent is what instantiates the service principal in your tenant, so consenting to a URL that carries a different client ID adds a different application.
  • {redirect-uri} is one of the redirect URIs registered on the application (for example https://www.your-app-url.com), URL-encoded. Microsoft Entra rejects the request if the value doesn't match a registered redirect URI.
  • prompt=admin_consent requests consent on behalf of the whole tenant rather than for the signed-in user only.

Note

If you're attempting to use an enterprise application and the service principal isn't yet created in your tenant, Microsoft Entra responds with a (401) Unauthorized error stating: "The client application {appId} is missing a service principal in the tenant {tenantId}." To resolve this, perform consent with the admin consent URL described earlier; doing so instantiates the service principal in your tenant and resolves the error.
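Because opening the consent URL as an administrator is what creates the service principal, it is worth checking the URL you were handed before you click it. The following PowerShell function is an added example, not part of the original article or of any Microsoft tooling. It checks that the URL points at the Microsoft Entra sign-in endpoint over HTTPS, that client_id is a well-formed GUID equal to the app ID the publisher documented, and that the redirect goes to an HTTPS address. The URL and identifiers in the usage line are placeholders.

```powershell
# Added example (not from the original article): vet an admin-consent URL before an
# administrator opens it. Works in Windows PowerShell 5.1 and PowerShell 7 without
# extra modules. The sample URL and GUIDs below are placeholders, not real identifiers.

function Test-AdminConsentUrl {
    param(
        # The consent URL you were given.
        [Parameter(Mandatory)] [string] $Url,
        # The client ID (appId) the publisher documented out-of-band, for comparison.
        [Parameter(Mandatory)] [guid] $ExpectedClientId
    )

    $uri = [System.Uri] $Url          # throws if the string is not a valid URL at all
    $problems = @()

    if ($uri.Scheme -ne 'https' -or $uri.Host -ne 'login.microsoftonline.com') {
        $problems += "endpoint is $($uri.Scheme)://$($uri.Host), expected https://login.microsoftonline.com"
    }

    # Parse the query string by hand so System.Web is not required.
    $query = @{}
    foreach ($pair in $uri.Query.TrimStart('?') -split '&') {
        if (-not $pair) { continue }
        $name, $value = $pair -split '=', 2
        $query[[System.Uri]::UnescapeDataString($name)] = [System.Uri]::UnescapeDataString([string]$value)
    }

    # client_id must be a GUID and must be the app ID you expected.
    $clientId = [guid]::Empty
    if (-not [guid]::TryParse([string]$query['client_id'], [ref]$clientId)) {
        $problems += "client_id '$($query['client_id'])' is not a valid GUID"
    } elseif ($clientId -ne $ExpectedClientId) {
        $problems += "client_id $clientId does not match the expected app ID $ExpectedClientId"
    }

    # The authorization code is sent to redirect_uri; insist on HTTPS.
    if ($query.ContainsKey('redirect_uri') -and -not $query['redirect_uri'].StartsWith('https://')) {
        $problems += "redirect_uri '$($query['redirect_uri'])' is not HTTPS"
    }

    [pscustomobject][ordered]@{
        Url            = $Url
        ClientId       = $clientId
        RedirectUri    = $query['redirect_uri']
        IsAdminConsent = ($query['prompt'] -eq 'admin_consent')
        Ok             = ($problems.Count -eq 0)
        Problems       = $problems
    }
}

# Usage with placeholder values; Ok is $true only when every check passes.
Test-AdminConsentUrl -ExpectedClientId '00001111-aaaa-2222-bbbb-3333cccc4444' `
    -Url 'https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=00001111-aaaa-2222-bbbb-3333cccc4444&redirect_uri=https%3A%2F%2Fwww.your-app-url.com&prompt=admin_consent'
```

If Ok is $false, don't open the URL; ask the publisher for the correct one. IsAdminConsent being $false means the URL will show a user-consent prompt rather than request tenant-wide consent.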

PowerShell

  1. Run Connect-MgGraph -Scopes "Application.ReadWrite.All" and sign in with at least the Cloud Application Administrator role.

  2. Run the following command to create the enterprise application. The value of -AppId is the client ID of the multitenant application:

    New-MgServicePrincipal -AppId 00001111-aaaa-2222-bbbb-3333cccc4444

  3. To delete the enterprise application you created, run the following command. -ServicePrincipalId takes the object ID of the service principal (the Id returned by New-MgServicePrincipal), not the client ID:

    Remove-MgServicePrincipal -ServicePrincipalId bbbbbbbb-1111-2222-3333-cccccccccccc

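Creating the service principal a second time for the same client ID fails, and the object ID you need for deletion is only shown once by New-MgServicePrincipal. The following PowerShell function is an added example, not part of the original article or of the Microsoft Graph SDK: it looks the service principal up by appId first, creates it only when missing, optionally confirms that the application is owned by the tenant you expect, and returns the object so that its Id can be kept for later removal. It assumes Connect-MgGraph has already been run with the Application.ReadWrite.All scope; the app ID and tenant ID in the usage lines are placeholders.

```powershell
# Added example (not from the original article): idempotently create the enterprise
# application for a multitenant app and return the service principal object.
# Assumes the Microsoft.Graph PowerShell SDK and an existing Connect-MgGraph session
# with Application.ReadWrite.All. All GUIDs below are placeholders.

function Confirm-EnterpriseApplication {
    param(
        # Client ID (appId) of the multitenant application, as supplied by the publisher.
        [Parameter(Mandatory)] [guid] $AppId,
        # Optional: the publisher's home tenant ID. When given, a service principal whose
        # appOwnerOrganizationId differs is treated as the wrong application.
        [string] $ExpectedOwnerTenantId
    )

    # Look up first: New-MgServicePrincipal fails if the appId already has one.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'" -ErrorAction Stop

    if (-not $sp) {
        $sp = New-MgServicePrincipal -AppId $AppId -ErrorAction Stop
        Write-Host "Created service principal $($sp.Id) for app $AppId"
    } else {
        Write-Host "Service principal $($sp.Id) for app $AppId already exists"
    }

    # appOwnerOrganizationId is the tenant that registered the application object.
    if ($ExpectedOwnerTenantId -and $sp.AppOwnerOrganizationId -ne [guid]$ExpectedOwnerTenantId) {
        throw "App $AppId is owned by tenant $($sp.AppOwnerOrganizationId), expected $ExpectedOwnerTenantId"
    }

    # Id (the object ID), not AppId, is what Remove-MgServicePrincipal expects.
    return $sp
}

# Usage with placeholder IDs: keep $sp.Id if you will need to remove the application later.
$sp = Confirm-EnterpriseApplication -AppId '00001111-aaaa-2222-bbbb-3333cccc4444' `
                                    -ExpectedOwnerTenantId 'aaaabbbb-0000-cccc-1111-dddd2222eeee'
$sp | Select-Object Id, AppId, DisplayName, AppOwnerOrganizationId, AccountEnabled

# To undo the creation:
# Remove-MgServicePrincipal -ServicePrincipalId $sp.Id
```

The ownership check matters because any tenant can register a multitenant application with the same display name as a well-known product; the appId and owning tenant are what identify the publisher's application.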

Microsoft Graph

You can use an API client such as Graph Explorer to work with Microsoft Graph.

  1. Consent to the Application.ReadWrite.All permission for the API client you're using.

  2. To create the enterprise application, run the following query. The appId is the client ID of the application.

    POST https://graph.microsoft.com/v1.0/servicePrincipals
    Content-type: application/json
    
    {
      "appId": "00001111-aaaa-2222-bbbb-3333cccc4444"
    }
    
    
  3. To delete the enterprise application you created, run the following query. Addressing the service principal by its appId alternate key means you don't need to look up its object ID first:

    DELETE https://graph.microsoft.com/v1.0/servicePrincipals(appId='00001111-aaaa-2222-bbbb-3333cccc4444')

Azure CLI

  1. Sign in with az login as a Cloud Application Administrator or Application Administrator, then create the enterprise application. The --id value is the client ID of the multitenant application:

    az ad sp create --id 00001111-aaaa-2222-bbbb-3333cccc4444

  2. To delete the enterprise application you created, run the following command. The --id value here is the service principal's object ID, returned in the id field by az ad sp create:

    az ad sp delete --id bbbbbbbb-1111-2222-3333-cccccccccccc