Page contents
Supported attributes
| Attribute | Description | Backed up | Restorable |
| addIns | Custom behaviours that a consuming service can use to call an app, e.g. File Handlers. | Yes | Yes |
| addIns>id | Unique identifier for the addIn object. | Yes | Yes |
| addIns>properties | Key-value pairs that define the parameters the consuming service can use or call. | Yes | Yes |
| addIns>properties>key | Contains the name of the field that a value is associated with. | Yes | Yes |
| addIns>properties>value | Contains the corresponding value for the specified key. | Yes | Yes |
| addIns>type | Unique name of the functionality exposed by the app. | Yes | Yes |
| api | Specifies settings for an application that implements a web API. | Yes | Yes |
| api>acceptMappedClaims | Yes | Yes | |
| api>knownClientApplications | Yes | Yes | |
| api>oauth2PermissionScopes | Yes | Yes | |
| api>oauth2PermissionScopes>adminConsentDescription | Yes | Yes | |
| api>oauth2PermissionScopes>adminConsentDisplayName | Yes | Yes | |
| api>oauth2PermissionScopes>id | Yes | No | |
| api>oauth2PermissionScopes>isEnabled | Yes | Yes | |
| api>oauth2PermissionScopes>type | Yes | Yes | |
| api>oauth2PermissionScopes>userConsentDescription | Yes | Yes | |
| api>oauth2PermissionScopes>userConsentDisplayName | Yes | Yes | |
| api>oauth2PermissionScopes>value | Yes | Yes | |
| api>oauth2PermissionScopes>value | Yes | Yes | |
| api>preAuthorizedApplications | Yes | Yes | |
| api>preAuthorizedApplications>appId | Yes | Yes | |
| api>preAuthorizedApplications>permissionIds | Yes | Yes | |
| api>requestedAccessTokenVersion | Yes | Yes | |
| appId | Unique identifier for the application. | Yes | No |
| applicationTemplateId | Unique identifier of the applicationTemplate. | Yes | No |
| appRoles | Roles defined for the application. | Yes | Yes |
| appRoles>allowedMemberType | Specifies whether this app role can be assigned to users and groups, to other applications, or both. | Yes | Yes |
| appRoles>description | Description of the app role. | Yes | Yes |
| appRoles>displayName | Display name for the permission that appears in the app role assignment and consent experiences. | Yes | Yes |
| appRoles>id | Unique role identifier inside the appRoles collection. | Yes | No |
| appRoles>isEnabled | Must be true when creating or updating an app role. | Yes | Yes |
| appRoles>origin | Specifies if the app role is defined on the application object or on the servicePrincipal entity. | Yes | No |
| appRoles>value | Specifies the value to include in the roles claim in ID tokens and access tokens authenticating an assigned user or service principal. | Yes | Yes |
| authenticationBehaviors | Breaking change behaviours related to token issuance that are configured for the application. | Yes | Yes |
| authenticationBehaviors>blockAzureADGraphAccess | If false, allows the app to have extended access to Azure AD Graph until June 30, 2025 when Azure AD Graph is fully retired. | Yes | Yes |
| authenticationBehaviors>removeUnverifiedEmailClaim | If true, removes the email claim from tokens sent to an application when the email address's domain can't be verified. | Yes | Yes |
| authenticationBehaviors>requireClientServicePrincipal | If true, requires multitenant applications to have a service principal in the resource tenant as part of authorisation checks before they're granted access tokens. | Yes | No |
| certification | Specifies the certification status of the application. | Yes | No |
| createdDateTime | Date and time the application was registered. | Yes | Yes |
| defaultRedirectUri | Default redirect URI. | Yes | Yes |
| deletedDateTime | Date and time the application was deleted. | No | No |
| description | Description of the application object for end users. | Yes | Yes |
| disabledByMicrosoftStatus | Specifies whether Microsoft has disabled the registered application. | Yes | No |
| displayName | Display name for the application. | Yes | Yes |
| groupMembershipClaims | Groups claim issued in a user or OAuth 2.0 access token that the application expects. | Yes | Yes |
| id | Unique identifier for the application object. | Yes | No |
| identifierUris | Value set when an application is used as a resource app. Also known as App ID URI. | Yes | Yes |
| info | Basic profile information of the application, e.g. terms of service, privacy statement. | Yes | No |
| info>logoUrl | CDN URL to the application's logo. | Yes | No |
| info>marketingUrl | Link to the application's marketing page. | Yes | Yes |
| info>privacyStatementUrl | Link to the application's privacy statement. | Yes | Yes |
| info>supportUrl | Link to the application's support page. | Yes | Yes |
| info>termsOfServiceUrl | Link to the application's terms of service statement. | Yes | Yes |
| isDeviceOnlyAuthSupported | Specifies whether this application supports device authentication without a user. | Yes | Yes |
| isFallbackPublicClient | Specifies the fallback application type as public client, such as an installed application running on a mobile device. | Yes | Yes |
| keyCredentials | Key credentials associated with the application. | Yes | No |
| logo | Main logo for the application. | No | No |
| nativeAuthenticationApisEnabled | Specifies whether native authentication APIs are enabled for the application. | Yes | Yes |
| notes | Notes relevant to the management of the application. | Yes | Yes |
| oauth2RequiredPostResponse | Specifies whether, as part of OAuth 2.0 token requests, Microsoft Entra ID allows POST requests, as opposed to GET requests. | Yes | Yes |
| onPremisesPublishing | Set of properties required for publishing your on-premises application for secure remote access. | No | No |
| optionalClaims | Specifies the claims that are sent to the application by the Microsoft security token service. | Yes | Yes |
| parentalControlSettings | Specifies parental control settings for an application. | Yes | Yes |
| passwordCredentials | Password credentials associated with the application. | Yes | No |
| passwordCredentials>customKeyIdentifier | Custom key identifier. Not to be used. | No | No |
| passwordCredentials>displayName | Friendly name for the password. | Yes | No |
| passwordCredentials>endDateTime | Date and time at which the password expires. | Yes | No |
| passwordCredentials>hint | Contains the first three characters of the password. | No | No |
| passwordCredentials>keyId | Unique identifier for the password. | Yes | No |
| passwordCredentials>secretText | Contains strong passwords generated by Entra ID. Cannot be retrieved. | No | No |
| passwordCredentials>startDateTime | Date and time at which the password becomes valid. | Yes | No |
| publicClient | Specifies settings for installed clients such as desktop or mobile devices. | Yes | Yes |
| publisherDomain | Verified publisher domain for the application. | Yes | No |
| requestSignatureVerification | Specifies whether this application requires Microsoft Entra ID to verify the signed authentication requests. | Yes | Yes |
| requiredResourceAccess | Specifies the resources the application needs to access and the required permissions and roles. | Yes | Yes |
| samlMetadataUrl | The URL where the service exposes SAML metadata for federation. | Yes | Yes |
| serviceManagementReference | References application or service contact information from a Service or Asset Management database. | Yes | Yes |
| servicePrincipalLockConfiguration | Specifies whether sensitive properties of a multitenant application should be locked for editing after the application is provisioned in a tenant. | Yes | Yes |
| signInAudience | Specifies the Microsoft accounts that are supported for the current application | Yes | Yes |
| spa | Specifies settings for a single-page application, including sign out URLs and redirect URIs for authorisation codes and access tokens. | Yes | Yes |
| tags | Custom strings that can be used to categorise and identify the application. | Yes | Yes |
| tokenEncryptionKeyId | Specifies the keyId of a public key from the keyCredentials collection. | Yes | No |
| uniqueName | Unique identifier that can be assigned to an application and used as an alternate key. | Yes | Yes |
| verifiedPublisher | Specifies the verified publisher of the application. | Yes | Yes |
| web | Specifies settings for a web application. | Yes | Yes |
| windows | Specifies settings for apps running Microsoft Windows and published in the Microsoft Store or Xbox games store. | Yes | Yes |
| windows>packageSid | Package security identifier that Microsoft has assigned the application. | Yes | No |
| windows>redirectUris | URLs where user tokens are sent for sign-in or the redirect URIs where OAuth 2.0 authorisation codes and access tokens are sent. | Yes | Yes |
Supported relationships
Owners
Federated identity credentials
Note:
- Due to API limitations, we do not back up or restore actual passwords, hints, certificates or credentials. After an app registration is restored, you will need to create the passwords, certificates and client secrets manually.
- Read about the limitations of Entra ID object recovery in Article 1554.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article