Microsoft Active Directory

Microsoft Graph Applications and Service Principals API

Register and manage Microsoft Entra applications and their associated service principals programmatically. Configure app permissions, OAuth2 permission grants, app role assignments, certificates, federated identity credentials, and app consent policies.

GitHub OpenAPI

Documentation

📖
Documentation
https://learn.microsoft.com/en-us/graph/api/resources/applications-api-overview

Specifications

OpenAPI
https://raw.githubusercontent.com/api-evangelist/active-directory/refs/heads/main/openapi/active-directory-applications-openapi.yaml

Examples

📝
Example
https://raw.githubusercontent.com/api-evangelist/active-directory/refs/heads/main/examples/applications-application-example.json

Schemas & Data

📊
JSONSchema
https://raw.githubusercontent.com/api-evangelist/active-directory/refs/heads/main/json-schema/applications-application-schema.json
📊
JSONSchema
https://raw.githubusercontent.com/api-evangelist/active-directory/refs/heads/main/json-schema/applications-service-principal-schema.json
📊
JSONStructure
https://raw.githubusercontent.com/api-evangelist/active-directory/refs/heads/main/json-structure/applications-application-structure.json

Other Resources

🔗
NaftikoCapability
https://raw.githubusercontent.com/api-evangelist/active-directory/refs/heads/main/capabilities/applications-app-role-assignments.yaml
🔗
NaftikoCapability
https://raw.githubusercontent.com/api-evangelist/active-directory/refs/heads/main/capabilities/applications-applications.yaml
🔗
NaftikoCapability
https://raw.githubusercontent.com/api-evangelist/active-directory/refs/heads/main/capabilities/applications-service-principals.yaml

OpenAPI Specification

active-directory-applications-openapi.yaml Raw ↑ 
openapi: 3.0.3
info:
  title: Microsoft Graph Applications and Service Principals API
  description: >-
    Register and manage Microsoft Entra applications and their associated service principals
    via Microsoft Graph. Configure app permissions (API permissions), OAuth2 permission grants
    (delegated consent), app role assignments, certificates, keys, federated identity credentials,
    and app consent policies. Use this API for application lifecycle management and zero-trust
    app governance.
  version: v1.0
  contact:
    name: Microsoft Graph Support
    url: https://developer.microsoft.com/en-us/graph/support
  termsOfService: https://learn.microsoft.com/en-us/legal/microsoft-apis/terms-of-use
  license:
    name: Microsoft APIs Terms of Use
    url: https://learn.microsoft.com/en-us/legal/microsoft-apis/terms-of-use
servers:
  - url: https://graph.microsoft.com/v1.0
    description: Microsoft Graph v1.0
security:
  - oauth2:
      - Application.Read.All
      - Application.ReadWrite.All
paths:
  /applications:
    get:
      operationId: list-applications
      summary: Active Directory List Applications
      description: >-
        Retrieve the list of applications registered in the Microsoft Entra tenant.
        Returns application objects representing registered apps (not service principals).
        Supports OData query parameters for filtering and pagination.
      tags:
        - Applications
      parameters:
        - name: $filter
          in: query
          description: OData filter expression (e.g. displayName eq 'My App')
          schema:
            type: string
        - name: $select
          in: query
          schema:
            type: string
        - name: $top
          in: query
          schema:
            type: integer
        - name: $search
          in: query
          schema:
            type: string
      responses:
        '200':
          description: Collection of application registrations
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApplicationCollection'
              example:
                '@odata.context': https://graph.microsoft.com/v1.0/$metadata#applications
                value:
                  - id: aaa-bbb-ccc-ddd
                    appId: 00000003-0000-0000-c000-000000000000
                    displayName: My Enterprise App
                    signInAudience: AzureADMyOrg
        '401':
          $ref: '#/components/responses/Unauthorized'
      x-microcks-operation:
        dispatcher: FALLBACK
        dispatcherRules: Response || 200
    post:
      operationId: create-application
      summary: Active Directory Create Application
      description: >-
        Register a new application in Microsoft Entra ID. The application object
        is the global registration; a service principal is automatically created in the
        home tenant (or must be created separately in other tenants).
      tags:
        - Applications
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ApplicationCreate'
            example:
              displayName: My New Application
              signInAudience: AzureADMyOrg
      responses:
        '201':
          description: Application registered successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Application'
        '400':
          $ref: '#/components/responses/BadRequest'
      x-microcks-operation:
        dispatcher: FALLBACK
        dispatcherRules: Response || 201

  /applications/{applicationId}:
    get:
      operationId: get-application
      summary: Active Directory Get Application
      description: Retrieve the properties of an application registration by its object ID.
      tags:
        - Applications
      parameters:
        - name: applicationId
          in: path
          required: true
          description: Application object ID (not the appId/client ID)
          schema:
            type: string
            format: uuid
      responses:
        '200':
          description: Application object
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Application'
        '404':
          $ref: '#/components/responses/NotFound'
      x-microcks-operation:
        dispatcher: FALLBACK
        dispatcherRules: Response || 200
    patch:
      operationId: update-application
      summary: Active Directory Update Application
      description: Update the properties of an application registration.
      tags:
        - Applications
      parameters:
        - name: applicationId
          in: path
          required: true
          schema:
            type: string
            format: uuid
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ApplicationUpdate'
      responses:
        '204':
          description: Application updated successfully
        '404':
          $ref: '#/components/responses/NotFound'
      x-microcks-operation:
        dispatcher: FALLBACK
        dispatcherRules: Response || 204
    delete:
      operationId: delete-application
      summary: Active Directory Delete Application
      description: >-
        Delete an application registration from Microsoft Entra ID. The deleted application
        is soft-deleted (moved to the recycle bin) and can be restored within 30 days.
      tags:
        - Applications
      parameters:
        - name: applicationId
          in: path
          required: true
          schema:
            type: string
            format: uuid
      responses:
        '204':
          description: Application deleted successfully
        '404':
          $ref: '#/components/responses/NotFound'
      x-microcks-operation:
        dispatcher: FALLBACK
        dispatcherRules: Response || 204

  /servicePrincipals:
    get:
      operationId: list-service-principals
      summary: Active Directory List Service Principals
      description: >-
        Retrieve the list of service principals in the Microsoft Entra tenant. Service
        principals represent the local instance of an application in the tenant.
      tags:
        - Service Principals
      parameters:
        - name: $filter
          in: query
          schema:
            type: string
        - name: $select
          in: query
          schema:
            type: string
        - name: $top
          in: query
          schema:
            type: integer
        - name: $search
          in: query
          schema:
            type: string
      responses:
        '200':
          description: Collection of service principals
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ServicePrincipalCollection'
        '401':
          $ref: '#/components/responses/Unauthorized'
      x-microcks-operation:
        dispatcher: FALLBACK
        dispatcherRules: Response || 200

  /servicePrincipals/{servicePrincipalId}:
    get:
      operationId: get-service-principal
      summary: Active Directory Get Service Principal
      description: Retrieve the properties of a service principal by its object ID.
      tags:
        - Service Principals
      parameters:
        - name: servicePrincipalId
          in: path
          required: true
          description: Service principal object ID
          schema:
            type: string
            format: uuid
      responses:
        '200':
          description: Service principal object
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ServicePrincipal'
        '404':
          $ref: '#/components/responses/NotFound'
      x-microcks-operation:
        dispatcher: FALLBACK
        dispatcherRules: Response || 200

  /servicePrincipals/{servicePrincipalId}/appRoleAssignments:
    get:
      operationId: list-service-principal-app-role-assignments
      summary: Active Directory List Service Principal App Role Assignments
      description: Get the app roles that have been assigned to this service principal.
      tags:
        - App Role Assignments
        - Service Principals
      parameters:
        - name: servicePrincipalId
          in: path
          required: true
          schema:
            type: string
            format: uuid
      responses:
        '200':
          description: Collection of app role assignments
          content:
            application/json:
              schema:
                type: object
                properties:
                  value:
                    type: array
                    items:
                      $ref: '#/components/schemas/AppRoleAssignment'
      x-microcks-operation:
        dispatcher: FALLBACK
        dispatcherRules: Response || 200

components:
  schemas:
    Application:
      type: object
      description: A Microsoft Entra application registration
      properties:
        id:
          type: string
          format: uuid
          description: Unique identifier for the application object (not the client ID)
        appId:
          type: string
          format: uuid
          description: The application (client) ID — used in OAuth2 flows
          example: 00000003-0000-0000-c000-000000000000
        displayName:
          type: string
          description: The display name for the application
          example: My Enterprise App
        description:
          type: string
          description: Free text description of the application
        signInAudience:
          type: string
          enum:
            - AzureADMyOrg
            - AzureADMultipleOrgs
            - AzureADandPersonalMicrosoftAccount
            - PersonalMicrosoftAccount
          description: Which Microsoft accounts are supported
          example: AzureADMyOrg
        identifierUris:
          type: array
          items:
            type: string
          description: URIs that identify the application within the tenant
        web:
          type: object
          description: Web platform configuration
          properties:
            redirectUris:
              type: array
              items:
                type: string
            implicitGrantSettings:
              type: object
              properties:
                enableAccessTokenIssuance:
                  type: boolean
                enableIdTokenIssuance:
                  type: boolean
            logoutUrl:
              type: string
        requiredResourceAccess:
          type: array
          items:
            type: object
            properties:
              resourceAppId:
                type: string
              resourceAccess:
                type: array
                items:
                  type: object
                  properties:
                    id:
                      type: string
                    type:
                      type: string
                      enum: [Role, Scope]
          description: API permissions required by the application
        keyCredentials:
          type: array
          items:
            type: object
            properties:
              keyId:
                type: string
              type:
                type: string
              usage:
                type: string
              displayName:
                type: string
              startDateTime:
                type: string
                format: date-time
              endDateTime:
                type: string
                format: date-time
          description: Certificate credentials (public key) for the application
        passwordCredentials:
          type: array
          items:
            type: object
            properties:
              keyId:
                type: string
              displayName:
                type: string
              startDateTime:
                type: string
                format: date-time
              endDateTime:
                type: string
                format: date-time
              hint:
                type: string
          description: Client secret credentials (metadata only — secret value returned only at creation)
        createdDateTime:
          type: string
          format: date-time
        deletedDateTime:
          type: string
          format: date-time
          nullable: true

    ApplicationCreate:
      type: object
      required:
        - displayName
      properties:
        displayName:
          type: string
        signInAudience:
          type: string
          default: AzureADMyOrg
        description:
          type: string
        web:
          type: object
          properties:
            redirectUris:
              type: array
              items:
                type: string

    ApplicationUpdate:
      type: object
      properties:
        displayName:
          type: string
        description:
          type: string
        signInAudience:
          type: string
        web:
          type: object
          properties:
            redirectUris:
              type: array
              items:
                type: string

    ApplicationCollection:
      type: object
      properties:
        '@odata.context':
          type: string
        '@odata.nextLink':
          type: string
        value:
          type: array
          items:
            $ref: '#/components/schemas/Application'

    ServicePrincipal:
      type: object
      description: A service principal — the local instance of an application in the tenant
      properties:
        id:
          type: string
          format: uuid
          description: Unique identifier for the service principal object
        appId:
          type: string
          format: uuid
          description: Application (client) ID of the associated application
        displayName:
          type: string
          description: Display name of the service principal
        servicePrincipalType:
          type: string
          enum: [Application, Legacy, ManagedIdentity, SocialIdp]
          description: Type of the service principal
        accountEnabled:
          type: boolean
          description: True if the service principal account is enabled
        appRoles:
          type: array
          items:
            type: object
            properties:
              id:
                type: string
              displayName:
                type: string
              description:
                type: string
              value:
                type: string
              allowedMemberTypes:
                type: array
                items:
                  type: string
        oauth2PermissionScopes:
          type: array
          items:
            type: object
            properties:
              id:
                type: string
              adminConsentDisplayName:
                type: string
              adminConsentDescription:
                type: string
              userConsentDisplayName:
                type: string
              value:
                type: string
              type:
                type: string
              isEnabled:
                type: boolean
        homepage:
          type: string
        loginUrl:
          type: string
        replyUrls:
          type: array
          items:
            type: string
        tags:
          type: array
          items:
            type: string
        createdDateTime:
          type: string
          format: date-time

    ServicePrincipalCollection:
      type: object
      properties:
        '@odata.context':
          type: string
        '@odata.nextLink':
          type: string
        value:
          type: array
          items:
            $ref: '#/components/schemas/ServicePrincipal'

    AppRoleAssignment:
      type: object
      description: An app role assignment granting a user, group, or SP access to an app role
      properties:
        id:
          type: string
        appRoleId:
          type: string
          format: uuid
          description: ID of the app role being assigned
        principalId:
          type: string
          format: uuid
          description: ID of the user, group, or service principal receiving the role
        principalDisplayName:
          type: string
        principalType:
          type: string
          enum: [User, Group, ServicePrincipal]
        resourceId:
          type: string
          format: uuid
          description: ID of the resource service principal (the API)
        resourceDisplayName:
          type: string
        createdDateTime:
          type: string
          format: date-time

    ErrorResponse:
      type: object
      properties:
        error:
          type: object
          properties:
            code:
              type: string
            message:
              type: string

  responses:
    BadRequest:
      description: Bad request
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    Unauthorized:
      description: Authentication required
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    Forbidden:
      description: Insufficient permissions
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    NotFound:
      description: Resource not found
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'

  securitySchemes:
    oauth2:
      type: oauth2
      flows:
        authorizationCode:
          authorizationUrl: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
          tokenUrl: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
          scopes:
            Application.Read.All: Read all applications
            Application.ReadWrite.All: Read and write all applications
            Directory.Read.All: Read directory data
        clientCredentials:
          tokenUrl: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
          scopes:
            Application.Read.All: Read all applications
            Application.ReadWrite.All: Read and write all applications