Supported attributes
| Attribute | Description | Backed up | Restorable |
|---|---|---|---|
| accountEnabled | true if the service principal account is enabled; otherwise, false. | Yes | Yes |
| addIns | Custom behaviours that a consuming service can use to call an app, e.g. File Handlers. | Yes | Yes |
| addIns>id | Unique identifier for the addIn object. | Yes | Yes |
| addIns>properties | Key-value pairs that define the parameters the consuming service can use or call. | Yes | Yes |
| addIns>type | Unique name of the functionality exposed by the app. | Yes | Yes |
| alternativeNames | Used to retrieve service principals by subscription. | Yes | Yes |
| appDescription | Description exposed by the associated application. | Yes | Yes |
| appDisplayName | Display name exposed by the associated application. | Yes | No |
| appId | Unique identifier for the associated application. | Yes | Yes |
| applicationTemplateId | Unique identifier of the applicationTemplate. | Yes | No |
| appOwnerOrganizationId | Contains the tenant ID where the application is registered. Applicable only to service principals backed by applications. | Yes | No |
| appRoleAssignmentRequired | Specifies whether users or other service principals need to be granted an app role assignment for this service principal before users can sign in or apps can get tokens. | Yes | Yes |
| appRoles | The roles exposed by the application which this service principal represents. | Yes | Yes |
| appRoles>allowedMemberType | Specifies whether this app role can be assigned to users and groups, to other applications, or both. | Yes | Yes |
| appRoles>description | Description of the app role. | Yes | Yes |
| appRoles>displayName | Display name for the permission that appears in the app role assignment and consent experiences. | Yes | Yes |
| appRoles>id | Unique role identifier inside the appRoles collection. | Yes | No |
| appRoles>isEnabled | Must be true when creating or updating an app role. | Yes | Yes |
| appRoles>origin | Specifies if the app role is defined on the application object or on the servicePrincipal entity. | Yes | No |
| appRoles>value | Specifies the value to include in the roles claim in ID tokens and access tokens authenticating an assigned user or service principal. | Yes | Yes |
| customSecurityAttributes | An open complex type that holds the value of a custom security attribute that is assigned to a directory object. | Yes | Yes |
| deletedDateTime | The date and time the service principal was deleted. | Yes | Yes |
| description | Description of the service principal for end users. | Yes | Yes |
| disabledByMicrosoftStatus | Specifies whether Microsoft has disabled the registered application. | Yes | No |
| displayName | Display name for the service principal. | Yes | No |
| errorUrl | Deprecated. Not to be used. | No | No |
| homepage | Home page or landing page of the application. | Yes | Yes |
| id | Unique identifier for the service principal. | Yes | No |
| info | Basic profile information of the application, e.g. terms of service, privacy statement. | Yes | No |
| keyCredentials | Key credentials associated with the service principal. | Yes | No |
| loginUrl | Specifies the URL where the service provider redirects the user to Microsoft Entra ID to authenticate. | Yes | Yes |
| logoutUrl | Specifies the URL that Microsoft's authorisation service uses to sign out a user using OpenID Connect front-channel, back-channel, or SAML sign-out protocols. | Yes | Yes |
| notes | Information about the service principal, typically used for operational purposes. | Yes | Yes |
| notificationEmailAddresses | List of email addresses where Entra ID sends a notification when the active certificate is near expiry. Only for certificates used to sign the SAML token issued for Entra Gallery applications. | Yes | Yes |
| passwordCredentials | Password credentials associated with the application. | Yes | No |
| passwordCredentials>customKeyIdentifier | Custom key identifier. Not to be used. | No | No |
| passwordCredentials>displayName | Friendly name for the password. | Yes | Yes |
| passwordCredentials>endDateTime | Date and time at which the password expires. | Yes | Yes |
| passwordCredentials>hint | Contains the first three characters of the password. | No | No |
| passwordCredentials>keyId | Unique identifier for the password. | Yes | Yes |
| passwordCredentials>secretText | Contains strong passwords generated by Entra ID. Cannot be retrieved. | No | No |
| passwordCredentials>startDateTime | Date and time at which the password becomes valid. | Yes | Yes |
| passwordSingleSignOnSettings | Settings related to password single sign-on. | Yes | No |
| passwordSingleSignOnMode | The single sign-on mode configured for this application. | Yes | Yes |
| permissionGrantPreApprovalPolicies | List of pre-approval policies assigned to the service principal. | Yes | No |
| preferredTokenSigningKeyEndDateTime | Expiration date of the keyCredential used for token signing. | Yes | Yes |
| preferredTokenSigningKeyThumbprint | Used by apps that have preferredSingleSignOnMode set to SAML to control which certificate is used to sign the SAML responses. | Yes | Yes |
| publishedPermissionScopes or oauth2PermissionScopes | The delegated permissions exposed by the application. | Yes | Yes |
| publishedPermissionScopes>adminConsentDescription | A description of the delegated permissions, intended to be read by an administrator granting the permission on behalf of all users. | Yes | Yes |
| publishedPermissionScopes>adminConsentDisplayName | The permission's title, intended to be read by an administrator granting the permission on behalf of all users. | Yes | Yes |
| publishedPermissionScopes>id | Unique delegated permission identifier inside the collection of delegated permissions defined for a resource application. | Yes | Yes |
| publishedPermissionScopes>isEnabled | Must be true (default) when creating or updating a permission. | Yes | Yes |
| publishedPermissionScopes>type | Specifies whether administrator consent should always be required for a delegated permission. | Yes | Yes |
| publishedPermissionScopes>userConsentDescription | A description of the delegated permissions, intended to be read by a user granting the permission on their own behalf. | Yes | Yes |
| publishedPermissionScopes>userConsentDisplayName | The permission's title, intended to be read by a user granting the permission on their own behalf. | Yes | Yes |
| publishedPermissionScopes>value | Specifies the value to include in the scp (scope) claim in access tokens. | Yes | Yes |
| publisherName | Name of the Entra tenant that published the application. | Yes | Yes |
| replyUrls | The URLs that user tokens are sent to for sign-in with the associated application, or the redirect URIs that OAuth 2.0 authorisation codes and access tokens are sent to for the associated application. | Yes | Yes |
| samlMetadataUrl | The URL where the service exposes SAML metadata for federation. | Yes | Yes |
| samlSingleSignOnSettings | Settings related to SAML single sign-on. | Yes | Yes |
| servicePrincipalNames | List of identifierUris copied over from the associated application. | Yes | Yes |
| servicePrincipalType | Specifies whether the service principal represents an application or a managed identity. | Yes | Yes |
| signInAudience | Specifies the Microsoft accounts that are supported for the current application. | Yes | No |
| spa | Specifies settings for a single-page application, including sign out URLs and redirect URIs for authorisation codes and access tokens. | Yes | Yes |
| tags | Custom strings that can be used to categorise and identify the application. | Yes | Yes |
| tokenEncryptionKeyId | Specifies the keyId of a public key from the keyCredentials collection. | Yes | Yes |
| verifiedPublisher | Specifies the verified publisher of the application. | Yes | Yes |
Supported relationships
- owner
- appRoleAssignedTo
- appRoleAssignments
- memberOf
Note:
- Only the application-type service principal is supported (not legacy or managed identity).
- An Enterprise App can only be restored if the corresponding app registration is present and has not been deleted. If the app registration is on the local tenant, restore that first.
- The appDisplayName and displayName can only be restored by restoring the corresponding app registration.
- Read about the limitations of Entra ID object recovery in Article 1554.
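A pre-restore check that encodes the conditions in the notes above and the Restorable column of the attribute table, as an added example and not the vendor's own code. The function name, the sample service principal object and the tenant and app identifiers are constructed for illustration.

```python
# Hypothetical pre-flight check for restoring a backed-up Entra ID service
# principal (Enterprise App). Not the vendor's code: it applies the notes
# above (application-type only; app registration must exist; displayName and
# appDisplayName come back only via the app registration) and drops every
# attribute the table marks as not restorable.

# Top-level attributes marked Restorable = Yes in the table above.
RESTORABLE = {
    "accountEnabled", "addIns", "alternativeNames", "appDescription", "appId",
    "appRoleAssignmentRequired", "appRoles", "customSecurityAttributes",
    "deletedDateTime", "description", "homepage", "loginUrl", "logoutUrl",
    "notes", "notificationEmailAddresses", "passwordSingleSignOnMode",
    "preferredTokenSigningKeyEndDateTime", "preferredTokenSigningKeyThumbprint",
    "publishedPermissionScopes", "oauth2PermissionScopes", "publisherName",
    "replyUrls", "samlMetadataUrl", "samlSingleSignOnSettings",
    "servicePrincipalNames", "servicePrincipalType", "spa", "tags",
    "tokenEncryptionKeyId", "verifiedPublisher",
}
# Restored only by restoring the corresponding app registration.
FROM_APP_REGISTRATION = {"appDisplayName", "displayName"}


def plan_restore(sp: dict, local_tenant_id: str, existing_app_ids: set):
    """Return (ok, reason, payload, skipped) for one backed-up service principal."""
    if sp.get("servicePrincipalType") != "Application":
        return False, "only application-type service principals are supported", {}, {}
    if sp.get("appId") not in existing_app_ids:
        if sp.get("appOwnerOrganizationId") == local_tenant_id:
            return False, "app registration missing on the local tenant: restore it first", {}, {}
        return False, "app registration is not present", {}, {}
    # Keep only attributes the backup can actually write back.
    payload = {k: v for k, v in sp.items() if k in RESTORABLE}
    skipped = {
        k: ("restored via the app registration" if k in FROM_APP_REGISTRATION
            else "not restorable")
        for k in sp if k not in RESTORABLE
    }
    return True, "ok", payload, skipped


# Constructed sample backup record (identifiers are placeholders).
SAMPLE_SP = {
    "id": "sp-0001", "appId": "app-0001", "servicePrincipalType": "Application",
    "appOwnerOrganizationId": "tenant-local", "displayName": "Payroll Connector",
    "accountEnabled": True, "keyCredentials": [], "tags": ["WindowsAzureActiveDirectoryIntegratedApp"],
    "replyUrls": ["https://payroll.example.test/auth"],
}
```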