Azure Active Directory application manifest

Apps that integrate with Azure AD must be registered with an Azure AD tenant. A registered app can be configured using the app manifest (under the Azure AD blade) in the Azure portal.

Manifest Reference

| Key | Value Type | Example Value | Description |
|---|---|---|---|
| appId | Identifier string | "" | The unique identifier for the application that is assigned to an app by Azure AD. |
| appRoles | Array | [{"allowedMemberTypes":["User"],"description":"Read only access to device information","displayName":"Read Only","id":"<guid>","isEnabled":true,"value":"ReadOnly"}] | The collection of roles that an application may declare. These roles can be assigned to users, groups or service principals. |
| availableToOtherTenants | boolean | true | If this value is set to true, the application is available to other tenants. If set to false, the app is only available to the tenant it is registered in. For more information see: How to sign in any Azure Active Directory (AD) user using the multi-tenant application pattern. |
| displayName | string | MyRegisteredApp | The display name for the application. |
| errorURL | string | http://MyRegisteredAppError | The URL for errors encountered in an application. |
| groupMembershipClaims | string | 1 | A bitmask that configures the "groups" claim issued in a user or OAuth 2.0 access token that the application expects. The bitmask values are: 0: None, 1: Security groups and Azure AD roles, 2: Reserved, and 4: Reserved. Setting the bitmask to 7 will get all of the security groups, distribution groups, and Azure AD directory roles that the signed-in user is a member of. |
| optionalClaims | string | null | The optional claims returned in the token by the security token service for this specific app. |
| acceptMappedClaims | boolean | true | If this value is set to true, it allows an application to use claims mapping without specifying a custom signing key. |
| homepage | string | http://MyRegistererdApp | The URL to the application's home page. |
| identifierUris | String array | http://MyRegistererdApp | User-defined URI(s) that uniquely identify a Web application within its Azure AD tenant, or within a verified custom domain if the application is multi-tenant. |
| keyCredentials | Array | [{"customKeyIdentifier":null,"endDate":"2018-09-13T00:00:00Z","keyId":"<guid>","startDate":"2017-09-12T00:00:00Z","type":"AsymmetricX509Cert","usage":"Verify","value":null}] | This property holds references to application-assigned credentials, string-based shared secrets and X.509 certificates. These credentials come into play when requesting access tokens (when the app is acting as a client rather than as a resource). |
| knownClientApplications | Array | [guid] | The value is used for bundling consent if you have a solution that contains two parts, a client application and a custom web API application. If you enter the appId of the client application into this value, the user will only have to consent once to the client application. Azure AD will know that consenting to the client means implicitly consenting to the web API and will automatically provision service principals for both the client and web API at the same time (both the client and the web API application must be registered in the same tenant). |
| logoutUrl | string | http://MyRegisteredAppLogout | The URL to log out of the application. |
| oauth2AllowImplicitFlow | boolean | false | Specifies whether this web application can request OAuth 2.0 implicit flow tokens. The default is false. This is used for browser-based apps, like JavaScript single-page apps. |
| oauth2AllowUrlPathMatching | boolean | false | Specifies whether, as part of OAuth 2.0 token requests, Azure AD will allow path matching of the redirect URI against the application's replyUrls. The default is false. |
| oauth2Permissions | Array | [{"adminConsentDescription":"Allow the application to access resources on behalf of the signed-in user.","adminConsentDisplayName":"Access resource1","id":"<guid>","isEnabled":true,"type":"User","userConsentDescription":"Allow the application to access resource1 on your behalf.","userConsentDisplayName":"Access resources","value":"user_impersonation"}] | The collection of OAuth 2.0 permission scopes that the web API (resource) application exposes to client applications. These permission scopes may be granted to client applications during consent. |
| oauth2RequiredPostResponse | boolean | false | Specifies whether, as part of OAuth 2.0 token requests, Azure AD will allow POST requests, as opposed to GET requests. The default is false, which specifies that only GET requests will be allowed. |
| objectId | Identifier string | "" | The unique identifier for the application in the directory. This is not the identifier used to identify the app in any protocol transaction. It is used for referencing the object in directory queries. |
| passwordCredentials | Array | [{"customKeyIdentifier":null,"endDate":"2018-10-19T17:59:59.6521653Z","keyId":"<guid>","startDate":"2016-10-19T17:59:59.6521653Z","value":null}] | See the description for the keyCredentials property. |
| publicClient | boolean | false | Specifies whether an application is a public client (such as an installed application running on a mobile device). Default is false. |
| supportsConvergence | boolean | false | This property should not be edited. Accept the default value. |
| replyUrls | String array | http://localhost | This multivalue property holds the list of registered redirect_uri values that Azure AD will accept as destinations when returning tokens. |
| requiredResourceAccess | Array | [{"resourceAppId":"00000002-0000-0000-c000-000000000000","resourceAccess":[{"id":"311a71cc-e848-46a1-bdf8-97ff7156d8e6","type":"Scope"}]}] | Specifies resources that this application requires access to and the set of OAuth permission scopes and application roles that it needs under each of those resources. This pre-configuration of required resource access drives the consent experience. |
| resourceAppId | Identifier string | "" | The unique identifier for the resource that the application requires access to. This value should be equal to the appId declared on the target resource application. |
| resourceAccess | Array | See the example value for the requiredResourceAccess property. | The list of OAuth 2.0 permission scopes and app roles that the application requires from the specified resource (contains the ID and type values of the specified resources). |
| samlMetadataUrl | string | http://MyRegisteredAppSAMLMetadata | The URL to the SAML metadata for the application. |
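Several of the keys above control who can use the app and where tokens are delivered, so an exported manifest is worth checking before it is applied. The following is an added example, not code from the original page or from Microsoft: the choice of which settings to surface is an assumed review policy, and the manifest, its `<guid-…>` placeholders and the `app.example.test` host are constructed sample data.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample manifest (not a real registration); keys are the ones documented above.
SAMPLE_MANIFEST = json.loads("""
{
  "displayName": "MyRegisteredApp",
  "availableToOtherTenants": true,
  "oauth2AllowImplicitFlow": true,
  "oauth2AllowUrlPathMatching": false,
  "replyUrls": ["http://localhost", "http://MyRegisteredApp/callback", "https://app.example.test/cb"],
  "keyCredentials": [{"keyId": "<guid-1>", "type": "AsymmetricX509Cert", "usage": "Verify",
                      "endDate": "2018-09-13T00:00:00Z"}],
  "passwordCredentials": [{"keyId": "<guid-2>", "endDate": "2018-10-19T17:59:59.6521653Z"}]
}
""")

# Booleans this (assumed) review policy wants surfaced whenever they are true.
REVIEW_IF_TRUE = ("availableToOtherTenants", "oauth2AllowImplicitFlow",
                  "oauth2AllowUrlPathMatching", "acceptMappedClaims")

def parse_end_date(text):
    """Parse a manifest timestamp; fractions can have 7 digits, so drop them first."""
    base = text.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def audit_manifest(manifest, now):
    """Return (key, detail) findings for settings a reviewer should confirm are intended."""
    findings = []
    for key in REVIEW_IF_TRUE:
        if manifest.get(key) is True:
            findings.append((key, "set to true"))
    for url in manifest.get("replyUrls") or []:
        parsed = urlparse(url)
        if parsed.scheme != "https" and parsed.hostname not in ("localhost", "127.0.0.1"):
            findings.append(("replyUrls", f"non-HTTPS redirect URI: {url}"))
    for prop in ("keyCredentials", "passwordCredentials"):
        for cred in manifest.get(prop) or []:
            if parse_end_date(cred["endDate"]) <= now:
                findings.append((prop, f"credential {cred['keyId']} expired {cred['endDate']}"))
    return findings

if __name__ == "__main__":
    for key, detail in audit_manifest(SAMPLE_MANIFEST, datetime(2018, 10, 1, tzinfo=timezone.utc)):
        print(f"{key}: {detail}")
```

Passing `now` explicitly keeps the expiry check reproducible; in a scheduled job it would be `datetime.now(timezone.utc)`.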
