Manage Microsoft Entra applications and service principals by using Microsoft Graph
Microsoft Entra ID is an Identity and Access Management (IAM) system. A core part of its functionality is the Microsoft identity platform, which provides authentication and authorization services for registered applications. Microsoft Graph APIs allow you to register and manage your applications programmatically, enabling you to use Microsoft's IAM capabilities.
Applications and service principals
In Microsoft Entra, an application is defined by an application object and a service principal object. There's only one application object for your application across Microsoft Entra, but there can be multiple service principal objects for your application.
The application object is located in the tenant where the app was registered. A service principal is created in every tenant where the app is installed and used, including the tenant where the app is registered. For more information, see Application and service principal objects in Microsoft Entra ID.
In Microsoft Graph, an application is represented by the application resource type and a service principal is represented by the servicePrincipal resource type. The details of the two objects can be accessed on the Microsoft Entra admin center through the Identity > Applications > App registrations and Identity > Applications > Enterprise applications menus respectively.
API use cases for managing applications
The following API use cases are supported for managing applications through the application resource type in Microsoft Graph.
| Use cases | API operations |
| --- | --- |
| Register an application and configure its basic properties | Create application |
| Configure properties for a registered application, including: | Update application |
| Delete an application | Delete application |
| Manage deleted applications | |
| Manage password credentials for an application | |
| Manage federated identity credentials for an application | Start managing federated identity credentials using Microsoft Graph |
| Manage certificate-based credentials for an application | |
| Manage directory extensions on applications | |
| Track changes to an application | `..?$filter=isof('microsoft.graph.application')` |
| Manage owners | |
| Manage publisher verification | |
API use cases for managing service principals
The following API use cases are supported for managing service principals through the servicePrincipal resource type in Microsoft Graph.
| Use cases | API operations |
| --- | --- |
| Register a service principal | Create servicePrincipal |
| Configure properties for a service principal, including: | Update servicePrincipal |
| Delete a service principal | Delete servicePrincipal |
| Manage deleted service principals (view, restore, or permanently delete) | |
| Manage password credentials for a service principal | |
| Manage certificate-based credentials for a service principal | |
| Add a SAML token signing certificate | |
| Track changes to a service principal | `..?$filter=isof('microsoft.graph.servicePrincipal')` |
| Manage owners | |
Application templates
Application templates are apps that are available in the Microsoft Entra app gallery. Use the applicationTemplate resource type and its associated methods to:
- Identify apps from the application gallery
- Identify apps by the SSO mode they support
- Instantiate an app and service principal from an application gallery
Policies applicable to applications and service principals
| Policy description | API operations | Applies to |
| --- | --- | --- |
| Manage Microsoft Entra ID Remote Desktop Services (RDS) authentication protocol | remoteDesktopSecurityConfiguration resource type and its associated methods | Service principals |
| Configure SAML tokens policy | tokenIssuancePolicy resource type and its associated methods | Applications, service principals |
| Configure policies for access, SAML, and ID tokens | Token lifetime policy: tokenLifetimePolicy resource type and its associated methods; Token issuance policy: tokenIssuancePolicy resource type and its associated methods | Applications, service principals |
| Manage idle session timeout for Microsoft 365 web apps, for all device types. Note: To trigger the policy only for unmanaged devices, you also need to add a Conditional Access policy. | activityBasedTimeoutPolicy resource type and its associated methods | Microsoft 365 web apps |
| Manage policies for how certificates and password secrets can be used in your organization. Create tenant-wide policies or app-specific policies, such as blocking the use of or restricting the lifetime of password secrets or symmetric keys, and enforcing trusted certificate authorities. | Application authentication methods policies | Applications |
| Manage claims mapping policies for WS-Fed, SAML, OAuth 2.0, and OpenID Connect protocols, and the applications the policies apply to | claimsMappingPolicy resource type and its associated methods | Service principals |
| Manage Home Realm Discovery (HRD) for the tenant and assignment of the policy to a service principal | homeRealmDiscoveryPolicy resource type and its associated methods | Service principals |
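As an added example of the application authentication methods policy row above (this is not code from the page or from Microsoft), the Python below builds the body for a tenant-wide default policy that blocks new password secrets and caps certificate lifetime, then goes one step further and audits application records of the shape Graph returns for `passwordCredentials` and `keyCredentials` to list credentials on existing apps that the policy would not permit. The PATCH URL and `restrictionType` values follow the documented defaultAppManagementPolicy resource; the helper names, sample applications, key IDs and the fixed clock are constructed for this example.

```python
from datetime import datetime, timedelta, timezone

# Tenant-wide default policy: PATCH https://graph.microsoft.com/v1.0/policies/defaultAppManagementPolicy
def default_app_management_policy(enforce_from: str, max_key_days: int) -> dict:
    """passwordAddition with maxLifetime null blocks new client secrets;
    asymmetricKeyLifetime caps certificate validity (ISO 8601 duration)."""
    return {
        "isEnabled": True,
        "applicationRestrictions": {
            "passwordCredentials": [{"restrictionType": "passwordAddition", "maxLifetime": None,
                                     "restrictForAppsCreatedAfterDateTime": enforce_from}],
            "keyCredentials": [{"restrictionType": "asymmetricKeyLifetime", "maxLifetime": f"P{max_key_days}D",
                                "restrictForAppsCreatedAfterDateTime": enforce_from}],
        },
    }

def _ts(value: str) -> datetime:
    # Graph timestamps look like "2024-01-15T08:30:00Z"; make them timezone-aware
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_credentials(apps: list, max_key_days: int, now: datetime) -> list:
    """Report credentials the policy above would not allow on existing apps: any client
    secret, and any certificate valid longer than max_key_days or already expired.
    Input is shaped like GET /applications?$select=displayName,passwordCredentials,keyCredentials."""
    findings = []
    for app in apps:
        name = app["displayName"]
        for pw in app.get("passwordCredentials", []):
            findings.append(f"{name}: client secret {pw['keyId']} present")
        for key in app.get("keyCredentials", []):
            start, end = _ts(key["startDateTime"]), _ts(key["endDateTime"])
            if end - start > timedelta(days=max_key_days):
                findings.append(f"{name}: cert {key['keyId']} valid {(end - start).days}d > {max_key_days}d")
            elif end < now:
                findings.append(f"{name}: cert {key['keyId']} expired {end.date()}")
    return findings

# Constructed sample records (not from a real tenant); keyIds are placeholders
SAMPLE_APPS = [
    {"displayName": "billing-api", "keyCredentials": [], "passwordCredentials": [
        {"keyId": "secret-0001", "startDateTime": "2024-06-01T00:00:00Z", "endDateTime": "2026-06-01T00:00:00Z"}]},
    {"displayName": "hr-connector", "passwordCredentials": [], "keyCredentials": [
        {"keyId": "cert-0001", "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2026-01-01T00:00:00Z"}]},
    {"displayName": "reporting", "passwordCredentials": [], "keyCredentials": [
        {"keyId": "cert-0002", "startDateTime": "2025-01-01T00:00:00Z", "endDateTime": "2025-03-01T00:00:00Z"}]},
]
AUDIT_NOW = datetime(2025, 2, 1, tzinfo=timezone.utc)  # fixed clock so the sample audit is reproducible

def run_audit(max_key_days: int = 90) -> list:
    return audit_credentials(SAMPLE_APPS, max_key_days, AUDIT_NOW)
```

The policy only restricts credentials added after it takes effect, which is why the audit over existing credentials is the complementary check before relying on it.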
Identity synchronization (provisioning)
Provisioning APIs in Microsoft Graph allow you to automate and manage the provisioning and deprovisioning of identities in the following scenarios:
- From your on-premises Active Directory to Microsoft Entra ID
- From other cloud directories to Microsoft Entra ID
- From Microsoft Entra ID to cloud applications such as Dropbox, Salesforce, ServiceNow, and more
For more information, see Microsoft Entra synchronization API overview.