ACS Management Service API Reference

An entity data model organizes the Microsoft Azure Active Directory Access Control (also known as Access Control Service or ACS) configuration data into records of entity types (or entities) and the associations between them. The data model is described in the OData Service Metadata Document for each namespace, which is available at https://<namespace>$metadata, where <namespace> is the name of the Access Control namespace.

This XML-based OData document uses the conceptual schema definition language (CSDL) to describe the available data. You can download this document and use it to generate typed classes in your code. The following table describes the ACS entity types.


The following applies to ID properties of all of the entities in the table: ACS IDs are not permanent; they can change as a result of upgrades to the ACS service. Your applications should not cache or rely on the value of ACS IDs.
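As an added example (not code from the original page or from ACS itself), the following Python parses a CSDL $metadata document of the shape described above and generates typed classes from it, honouring the note that ACS IDs are transient by excluding the key property from equality. The embedded CSDL fragment, its entity types and its property names are constructed for illustration and are assumptions, not the actual ACS schema.

```python
"""Parse an OData CSDL ($metadata) document and generate typed classes."""
import xml.etree.ElementTree as ET
from dataclasses import make_dataclass, field
from typing import Any

# Constructed sample CSDL fragment: EDMX shape only; the entity types and
# properties are illustrative assumptions, not the real ACS metadata.
SAMPLE_CSDL = """
<edmx:Edmx Version="1.0" xmlns:edmx="http://schemas.microsoft.com/ado/2007/06/edmx">
  <edmx:DataServices>
    <Schema Namespace="Sample.Model" xmlns="http://schemas.microsoft.com/ado/2008/09/edm">
      <EntityType Name="RuleGroup">
        <Key><PropertyRef Name="Id" /></Key>
        <Property Name="Id" Type="Edm.Int64" Nullable="false" />
        <Property Name="Name" Type="Edm.String" Nullable="true" />
      </EntityType>
      <EntityType Name="ClaimType">
        <Key><PropertyRef Name="Id" /></Key>
        <Property Name="Id" Type="Edm.Int64" Nullable="false" />
        <Property Name="Name" Type="Edm.String" Nullable="true" />
        <Property Name="IsSystem" Type="Edm.Boolean" Nullable="false" />
      </EntityType>
    </Schema>
  </edmx:DataServices>
</edmx:Edmx>
"""

EDM_TO_PY = {"Edm.String": str, "Edm.Int64": int, "Edm.Int32": int,
             "Edm.Boolean": bool, "Edm.Binary": bytes, "Edm.DateTime": str}

def _local(tag):
    """Strip the XML namespace so EDM schema versions do not matter."""
    return tag.rsplit("}", 1)[-1]

def parse_entity_types(csdl_xml):
    """Return {entity name: {"key": [...], "properties": {name: edm type}}}."""
    result = {}
    for et in ET.fromstring(csdl_xml).iter():
        if _local(et.tag) != "EntityType":
            continue
        keys = [ref.get("Name") for k in et if _local(k.tag) == "Key" for ref in k]
        props = {p.get("Name"): p.get("Type") for p in et if _local(p.tag) == "Property"}
        result[et.get("Name")] = {"key": keys, "properties": props}
    return result

def make_entity_class(name, spec):
    """Build a dataclass for one entity type. Key (Id) properties are not
    permanent in ACS, so they are excluded from equality comparisons."""
    fields = [(p, EDM_TO_PY.get(t, Any), field(default=None, compare=p not in spec["key"]))
              for p, t in spec["properties"].items()]
    return make_dataclass(name, fields)

def build_model(csdl_xml):
    """Generate one typed class per entity type in the document."""
    return {n: make_entity_class(n, s) for n, s in parse_entity_types(csdl_xml).items()}
```

Two RuleGroup instances with the same Name but different Id values compare equal, which is the behaviour an application that must not rely on ACS IDs should want.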

Entity descriptions

Represents claim types imported from the WS-Federation metadata of WS-Federation identity providers. This is used primarily to populate the list of supported claim types for each identity provider in the ACS Management Portal.

Conditional Rule: Represents a rule with two input claims. For more information, see Rule Groups and Rules.

Represents a list of clients that have been granted delegated access in OAuth 2.0 delegation scenarios.

Represents an identity provider. For more information about identity providers, see Identity Providers.

Represents a URI that is associated with an identity provider. Supported URI types include SignIn, SignOut, EmailDomain, ImageURL, and FedMetadataURL.

Represents the list of ClaimType entities that are supported by the identity provider.

Represents certificates and keys associated with the identity provider. This typically includes token validation certificates imported from the identity provider’s WS-Federation metadata or keys input directly into the ACS configuration (such as Facebook application keys).

Represents a claims issuer, which is another representation of an identity provider that is used specifically by the ACS rules engine. ACS also has its own built-in issuer, named LOCAL_AUTHORITY, which is the issuer for claims output by ACS. Every identity provider has an associated issuer, and every issuer that’s not LOCAL_AUTHORITY has an associated identity provider. If you delete the issuer, it automatically deletes the associated identity provider.

Represents a relying party application. For more information about relying party applications, see Relying Party Applications.

Represents a URI that is associated with a relying party application. Supported URI types include Realm, Reply (Return URL), and Error (Error URL).

Represents which identity providers are associated with which relying party applications in a given Access Control namespace.

Represents certificates and keys associated with a relying party application. This includes token signing certificates and symmetric keys associated directly with the application, in addition to encryption certificates.

Represents the list of RuleGroup entities that are associated with the relying party application.

Represents a rule. For more information about rules, see Rule Groups and Rules.

Represents a rule group. For more information about rule groups, see Rule Groups and Rules.

Represents a service identity. For more information about service identities, see Service Identities.

Represents credentials associated with service identities. This includes X.509 certificates, symmetric keys, and passwords.

Represents certificates and keys assigned to the Access Control namespace. This includes token signing certificates and symmetric keys, token decryption certificates, and Management Service credentials for the default ManagementClient account. This does not include certificates and keys explicitly assigned to a relying party application, identity provider, or service identity.