Muokkaa

Jaa


Create an enterprise application from a multitenant application in Microsoft Entra ID

In this article, you'll learn how to create an enterprise application in your tenant using the client ID for a multitenant application. An enterprise application refers to a service principal within a tenant. The service principal discussed in this article is the local representation, or application instance, of a global application object in a single tenant or directory.

Before you proceed to add the application using any of these options, check whether the enterprise application is already in your tenant by attempting to sign in to the application. If the sign-in is successful, the enterprise application already exists in your tenant.

If you have verified that the application isn't in your tenant, proceed with any of the following ways to add the enterprise application to your tenant.

Prerequisites

To add an enterprise application to your Microsoft Entra tenant, you need:

  • A Microsoft Entra user account. If you don't already have one, you can Create an account for free.
  • One of the following roles: Cloud Application Administrator, or Application Administrator.
  • The client ID (also called appId in Microsoft Graph) of the multitenant application.

Create an enterprise application

If you've been provided with the admin consent URL, navigate to the URL through a web browser to grant tenant-wide admin consent to the application. Granting tenant-wide admin consent to the application will add it to your tenant. The tenant-wide admin consent URL has the following format:

https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=248e869f-0e5c-484d-b5ea1fba9563df41&redirect_uri=https://www.your-app-url.com

Where:

  • {client-id} is the application's client ID (also known as appId).

Note

If you are attempting to use an enterprise application, and the service principal is not yet created in your tenant, Entra will respond with a (401) Unauthorized error stating: “The client application {appId} is missing service principal in the tenant {tenantId}." To resolve this, performing consent with the admin consent URL as mentioned above will instantiate the service principal in your tenant and resolve the issue.

  1. Run connect-MgGraph -Scopes "Application.ReadWrite.All" and sign in with at least a Cloud Application Administrator role.

  2. Run the following command to create the enterprise application:

    New-MgServicePrincipal -AppId 00001111-aaaa-2222-bbbb-3333cccc4444
    
  3. To delete the enterprise application you created, run the command:

    Remove-MgServicePrincipal
       -ServicePrincipalId bbbbbbbb-1111-2222-3333-cccccccccccc
    
    

You can use an API client such as Graph Explorer to work with Microsoft Graph.

  1. Grant the client app the Application.ReadWrite.All permission.

  2. To create the enterprise application, run the following query. The appId is the client ID of the application.

    POST https://graph.microsoft.com/v1.0/servicePrincipals
    Content-type: application/json
    
    {
      "appId": "00001111-aaaa-2222-bbbb-3333cccc4444"
    }
    
    
  3. To delete the enterprise application you created, run the query.

    DELETE https://graph.microsoft.com/v1.0/servicePrincipals(appId='00001111-aaaa-2222-bbbb-3333cccc4444')
    
  1. To create the enterprise application, run the following command:

    az ad sp create --id 00001111-aaaa-2222-bbbb-3333cccc4444
    
  2. To delete the enterprise application you created, run the command:

    az ad sp delete --id bbbbbbbb-1111-2222-3333-cccccccccccc
    
    

Next steps