Azure Active Directory app manifest

The application manifest contains a definition of all the attributes of an application object in the Microsoft identity platform. It also serves as a mechanism for updating the application object. For more info on the Application entity and its schema, see the Graph API Application entity documentation.

You can configure an app's attributes through the Azure portal or programmatically using REST API or PowerShell. However, there are some scenarios where you'll need to edit the app manifest to configure an app's attribute. These scenarios include:

  • If you registered the app as Azure AD multi-tenant and personal Microsoft accounts, you can't change the supported Microsoft accounts in the UI. Instead, you must use the application manifest editor to change the supported account type.
  • If you need to define permissions and roles that your app supports, you must modify the application manifest.

Configure the app manifest

To configure the application manifest:

  1. Sign in the Azure portal.
  2. Select the Azure Active Directory service, and then select App registrations or App registrations (Preview).
  3. Select the app you want to configure.
  4. From the app's Overview page, select the Manifest section. A web-based manifest editor opens, allowing you to edit the manifest within the portal. Optionally, you can select Download to edit the manifest locally, and then use Upload to reapply it to your application.

Manifest reference

Note

If you can't see the Example value column after the Description, maximize your browser window and scroll/swipe until you see the Example value column.

Key Value type Description Example value
accessTokenAcceptedVersion Nullable Int32 Specifies the access token version expected by the resource. This changes the version and format of the JWT produced independent of the endpoint or client used to request the access token.

The endpoint used, v1.0 or v2.0, is chosen by the client and only impacts the version of id_tokens. Resources need to explicitly configure accesstokenAcceptedVersion to indicate the supported access token format.

Possible values for accesstokenAcceptedVersion are 1, 2, or null. If the value is null, this defaults to 1, which corresponds to the v1.0 endpoint.
2
addIns Collection Defines custom behavior that a consuming service can use to call an app in specific contexts. For example, applications that can render file streams may set the addIns property for its "FileHandler" functionality. This will let services like Office 365 call the application in the context of a document the user is working on. {
   "id":"968A844F-7A47-430C-9163-07AE7C31D407"
   "type": "FileHandler",
   "properties": [
      {"key": "version", "value": "2" }
   ]
}
allowPublicClient Boolean Specifies the fallback application type. Azure AD infers the application type from the replyUrlsWithType by default. There are certain scenarios where Azure AD cannot determine the client app type (e.g. ROPC flow where HTTP request happens without a URL redirection). In those cases Azure AD will interpret the application type based on the value of this property. If this value is set to true the fallback application type is set as public client, such as an installed app running on a mobile device. The default value is false which means the fallback application type is confidential client such as web app. false
availableToOtherTenants Boolean true if the application is shared with other tenants; otherwise, false.

Note: This is replaced by signInAudience in the App Registrations (Preview) experience.
appId String Specifies the unique identifier for the app that is assigned to an app by Azure AD. "601790de-b632-4f57-9523-ee7cb6ceba95"
appRoles Collection Specifies the collection of roles that an app may declare. These roles can be assigned to users, groups, or service principals. For more examples and info, see Add app roles in your application and receive them in the token [
  {
   "allowedMemberTypes": [
    "User"
   ],
   "description":"Read-only access to device information",
   "displayName":"Read Only",
   "id":guid,
   "isEnabled":true,
   "value":"ReadOnly"
  }
]
displayName String The display name for the app.

Note: This is replaced by name in the App Registrations (Preview) experience.
"MyRegisteredApp"
errorUrl String Unsupported.
groupMembershipClaims String Configures the groups claim issued in a user or OAuth 2.0 access token that the app expects. To set this attribute, use one of the following valid string values:

- "None"
- "SecurityGroup" (for security groups and Azure AD roles)
- "All" (this will get all of the security groups, distribution groups, and Azure AD directory roles that the signed-in user is a member of.
"SecurityGroup"
homepage String The URL to the application's homepage.

Note: This is replaced by signInUrl in the App Registrations (Preview) experience.
"https://MyRegisteredApp"
objectId String The unique identifier for the app in the directory.

Note: This is replaced by id in the App Registrations (Preview) experience.
"f7f9acfc-ae0c-4d6c-b489-0a81dc1652dd"
optionalClaims String The optional claims returned in the token by the security token service for this specific app.
At this time, apps that support both personal accounts and Azure AD (registered through the app registration portal) cannot use optional claims. However, apps registered for just Azure AD using the v2.0 endpoint can get the optional claims they requested in the manifest. For more info, see optional claims.
null
id String The unique identifier for the app in the directory. This ID is not the identifier used to identify the app in any protocol transaction. It's used for the referencing the object in directory queries. "f7f9acfc-ae0c-4d6c-b489-0a81dc1652dd"
identifierUris String Array User-defined URI(s) that uniquely identify a Web app within its Azure AD tenant, or within a verified custom domain if the app is multi-tenant. [
  "https://MyRegisteredApp"
]
informationalUrls String Specifies the links to the app's terms of service and privacy statement. The terms of service and privacy statement are surfaced to users through the user consent experience. For more info, see How to: Add Terms of service and privacy statement for registered Azure AD apps. {
   "marketing":"https://MyRegisteredApp/marketing",
   "privacy":"https://MyRegisteredApp/privacystatement",
   "support":"https://MyRegisteredApp/support",
   "termsOfService":"https://MyRegisteredApp/termsofservice"
}
keyCredentials Collection Holds references to app-assigned credentials, string-based shared secrets and X.509 certificates. These credentials are used when requesting access tokens (when the app is acting as a client rather that as resource). [
 {
   "customKeyIdentifier":null,
   "endDate":"2018-09-13T00:00:00Z",
   "keyId":"<guid>",
   "startDate":"2017-09-12T00:00:00Z",
   "type":"AsymmetricX509Cert",
   "usage":"Verify",
   "value":null
  }
]
knownClientApplications String Array Used for bundling consent if you have a solution that contains two parts: a client app and a custom web API app. If you enter the appID of the client app into this value, the user will only have to consent once to the client app. Azure AD will know that consenting to the client means implicitly consenting to the web API and will automatically provision service principals for both the client and web API at the same time. Both the client and the web API app must be registered in the same tenant. ["f7f9acfc-ae0c-4d6c-b489-0a81dc1652dd"]
logoUrl String Read only value that points to the CDN URL to logo that was uploaded in the portal. "https://MyRegisteredAppLogo"
logoutUrl String The URL to log out of the app. "https://MyRegisteredAppLogout"
name String The display name for the app. "MyRegisteredApp"
oauth2AllowImplicitFlow Boolean Specifies whether this web app can request OAuth2.0 implicit flow access tokens. The default is false. This flag is used for browser-based apps, like Javascript single-page apps. To learn more, enter OAuth 2.0 implicit grant flow in the table of contents and see the topics about implicit flow. false
oauth2AllowIdTokenImplicitFlow Boolean Specifies whether this web app can request OAuth2.0 implicit flow ID tokens. The default is false. This flag is used for browser-based apps, like Javascript single-page apps. false
oauth2Permissions Collection Specifies the collection of OAuth 2.0 permission scopes that the web API (resource) app exposes to client apps. These permission scopes may be granted to client apps during consent. [
  {
   "adminConsentDescription":"Allow the app to access resources on behalf of the signed-in user.",
   "adminConsentDisplayName":"Access resource1",
   "id":"<guid>",
   "isEnabled":true,
   "type":"User",
   "userConsentDescription":"Allow the app to access resource1 on your behalf.",
   "userConsentDisplayName":"Access resources",
   "value":"user_impersonation"
  }
]
oauth2RequiredPostResponse Boolean Specifies whether, as part of OAuth 2.0 token requests, Azure AD will allow POST requests, as opposed to GET requests. The default is false, which specifies that only GET requests will be allowed. false
parentalControlSettings String countriesBlockedForMinors specifies the countries in which the app is blocked for minors.
legalAgeGroupRule specifies the legal age group rule that applies to users of the app. Can be set to Allow, RequireConsentForPrivacyServices, RequireConsentForMinors, RequireConsentForKids, or BlockMinors.
{
   "countriesBlockedForMinors":[],
   "legalAgeGroupRule":"Allow"
}
passwordCredentials Collection See the description for the keyCredentials property. [
  {
   "customKeyIdentifier":null,
   "endDate":"2018-10-19T17:59:59.6521653Z",
   "keyId":"<guid>",
   "startDate":"2016-10-19T17:59:59.6521653Z",
   "value":null
   }
]
preAuthorizedApplications Collection Lists applications and requested permissions for implicit consent. Requires an admin to have provided consent to the application. preAuthorizedApplications do not require the user to consent to the requested permissions. Permissions listed in preAuthorizedApplications do not require user consent. However, any additional requested permissions not listed in preAuthorizedApplications require user consent. [
  {
    "appId": "abcdefg2-000a-1111-a0e5-812ed8dd72e8",
    "permissionIds": [
      "8748f7db-21fe-4c83-8ab5-53033933c8f1"
    ]
  }
]
publicClient Boolean Specifies whether this application is a public client (such as an installed application running on a mobile device).

Note: This is replaced by allowPublicClient in the App Registrations (Preview) experience.
publisherDomain String The verified publisher domain for the application. Read-only. https://www.contoso.com
replyUrls String array This multi-value property holds the list of registered redirect_uri values that Azure AD will accept as destinations when returning tokens.

Note: This is replaced by replyUrlsWithType in the App Registrations (Preview) experience.
replyUrlsWithType Collection This multi-value property holds the list of registered redirect_uri values that Azure AD will accept as destinations when returning tokens. Each uri value should contain an associated app type value. Supported type values are: Web, InstalledClient. "replyUrlsWithType": [
  {
     "url": "https://localhost:4400/services/office365/redirectTarget.html",
     "type": "InstalledClient"   
  }
]
requiredResourceAccess Collection With dynamic consent, requiredResourceAccess drives the admin consent experience and the user consent experience for users who are using static consent. However, this does not drive the user consent experience for the general case.
resourceAppId is the unique identifier for the resource that the app requires access to. This value should be equal to the appId declared on the target resource app.
resourceAccess is an array that lists the OAuth2.0 permission scopes and app roles that the app requires from the specified resource. Contains the id and type values of the specified resources.
[
  {
    "resourceAppId":"00000002-0000-0000-c000-000000000000",
    "resourceAccess":[
      {
        "id":"311a71cc-e848-46a1-bdf8-97ff7156d8e6",
        "type":"Scope"
      }
    ]
  }
]
samlMetadataUrl String The URL to the SAML metadata for the app. https://MyRegisteredAppSAMLMetadata
signInUrl String Specifies the URL to the app's home page. https://MyRegisteredApp
signInAudience String Specifies what Microsoft accounts are supported for the current application. Supported values are:
  • AzureADMyOrg - Users with a Microsoft work or school account in my organization’s Azure AD tenant (i.e. single tenant)
  • AzureADMultipleOrgs - Users with a Microsoft work or school account in any organization’s Azure AD tenant (i.e. multi-tenant)
  • AzureADandPersonalMicrosoftAccount - Users with a personal Microsoft account, or a work or school account in any organization’s Azure AD tenant
AzureADandPersonalMicrosoftAccount
tags String Array Custom strings that can be used to categorize and identify the application. [
  "ProductionApp"
]

Common issues

Manifest limits

An application manifest has multiple attributes that are referred to as collections; for example, approles, keycredentials, knownClientApplications, identifierUris, rediretUris, requiredResourceAccess, and oauth2Permissions. Within the complete application manifest for any application, the total number of entries in all the collections combined has been capped at 1200. If you already have 100 redirect URIs specified in the application manifest, then you're only left with 1100 remaining entries to use across all other collections combined that make up the manifest.

Note

In case you try to add more than 1200 entries in the application manifest, you may see an error "Failed to update application xxxxxx. Error details: The size of the manifest has exceeded its limit. Please reduce the number of values and retry your request."

Unsupported attributes

The application manifest represents the schema of the underlying application model in Azure AD. As the underlying schema evolves, the manifest editor will be updated to reflect the new schema from time to time. As a result, you may notice new attributes showing up in the application manifest. In rare occasions, you may notice a syntactic or semantic change in the existing attributes or you may find an attribute that existed previously are not supported anymore. For example, you will see new attributes in the App registrations (Preview) which are known with a different name in the App registrations (GA) experience.

App Registrations (GA) App Registrations (Preview)
availableToOtherTenants signInAudience
displayName name
errorUrl -
homepage signInUrl
objectId Id
publicClient allowPublicClient
replyUrls replyUrlsWithType

For descriptions for these attributes, see the manifest reference section.

When you try to upload a previously downloaded manifest, you may see one of the following errors. This is likely because the manifest editor now supports a newer version of the schema, which doesn't match with the one you're trying to upload.

  • "Failed to update xxxxxx application. Error detail: Invalid object identifier 'undefined'. []."
  • "Failed to update xxxxxx application. Error detail: One or more property values specified are invalid. []."
  • "Failed to update xxxxxx application. Error detail: Not allowed to set availableToOtherTenants in this api version for update. []."
  • "Failed to update xxxxxx application. Error detail: Updates to 'replyUrls' property is not allowed for this application. Use 'replyUrlsWithType' property instead. []."
  • "Failed to update xxxxxx application. Error detail: A value without a type name was found and no expected type is available. When the model is specified, each value in the payload must have a type which can be either specified in the payload, explicitly by the caller or implicitly inferred from the parent value. []"

When you see one of these errors, we recommend the following:

  1. Edit the attributes individually in the manifest editor instead of uploading a previously downloaded manifest. Use the manifest reference table to understand the syntax and semantics of old and new attributes so that you can successfully edit the attributes you're interested in.
  2. If your workflow requires you to save the manifests in your source repository for use later, we suggest rebasing the saved manifests in your repository with the one you see in the App registrations (Preview) experience.

Next steps

Use the following comments section to provide feedback that helps refine and shape our content.