| 1 | +--- |
| 2 | +title: "How to configure app instance property lock in your applications" |
| 3 | +description: How to increase app security by configuring property modification locks for sensitive properties of the application. |
| 4 | +services: active-directory |
| 5 | +manager: saumadan |
| 6 | +ms.service: active-directory |
| 7 | +ms.subservice: develop |
| 8 | +ms.topic: conceptual |
| 9 | +ms.workload: identity |
| 10 | +ms.date: 11/03/2022 |
| 11 | +author: madansr7 |
| 12 | +ms.author: saumadan |
| 13 | +ms.reviewer: |
| 14 | +# Customer intent: As an application developer, I want to learn how to protect properties of my application instance of being modified. |
| 15 | +--- |
| 16 | +# How to configure app instance property lock for your applications (Preview) |
| 17 | + |
| 18 | +Application instance lock is a feature in Azure Active Directory (Azure AD) that allows sensitive properties of a multi-tenant application object to be locked for modification after the application is provisioned in another tenant. |
| 19 | +This feature provides application developers with the ability to lock certain properties if the application doesn't support scenarios that require configuring those properties. |
| 20 | + |
| 21 | + |
| 22 | +## What are sensitive properties? |
| 23 | + |
| 24 | +The following property usage scenarios are considered as sensitive: |
| 25 | + |
| 26 | +- Credentials (`keyCredentials`, `passwordCredentials`) where usage type is `Sign`. This is a scenario where your application supports a SAML flow. |
| 27 | +- Credentials (`keyCredentials`, `passwordCredentials`) where usage type is `Verify`. In this scenario, your application supports an OIDC client credentials flow. |
| 28 | +- `TokenEncryptionKeyId` which specifies the keyId of a public key from the keyCredentials collection. When configured, Azure AD encrypts all the tokens it emits by using the key to which this property points. The application code that receives the encrypted token must use the matching private key to decrypt the token before it can be used for the signed-in user. |
| 29 | + |
| 30 | +## Configure an app instance lock |
| 31 | + |
| 32 | +To configure an app instance lock using the Azure portal: |
| 33 | + |
| 34 | +1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>. |
| 35 | +1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant that contains the app registration you want to configure. |
| 36 | +1. Search for and select **Azure Active Directory**. |
| 37 | +1. Under **Manage**, select **App registrations**, and then select the application you want to configure. |
| 38 | +1. Select **Authentication**, and then select **Configure** under the *App instance property lock* section. |
| 39 | + |
| 40 | + :::image type="content" source="media/howto-configure-app-instance-property-locks/app-instance-lock-configure-overview.png" alt-text="Screenshot of an app registration's app instance lock in the Azure portal."::: |
| 41 | + |
| 42 | +2. In the **App instance property lock** pane, enter the settings for the lock. The table following the image describes each setting and their parameters. |
| 43 | + |
| 44 | + :::image type="content" source="media/howto-configure-app-instance-property-locks/app-instance-lock-configure-properties.png" alt-text="Screenshot of an app registration's app instance property lock context pane in the Azure portal."::: |
| 45 | + |
| 46 | + | Field | Description | |
| 47 | + | ---------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | |
| 48 | + | **Enable property lock** | Specifies if the property locks are enabled. | |
| 49 | + | **All properties** | Locks all sensitive properties without needing to select each property scenario. | |
| 50 | + | **Credentials used for verification** | Locks the ability to add or update credential properties (`keyCredentials`, `passwordCredentials`) where usage type is `verify`. | |
| 51 | + | **Credentials used for signing tokens** | Locks the ability to add or update credential properties (`keyCredentials`, `passwordCredentials`) where usage type is `sign`. | |
| 52 | + | **Token Encryption KeyId** | Locks the ability to change the `tokenEncryptionKeyId` property. | |
| 53 | + |
| 54 | +3. Select **Save** to save your changes. |
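Review bot: The "What are sensitive properties?" section lists which properties the lock covers but never says where the lock is enforced or what it defends against; the introduction only says the properties are "locked for modification after the application is provisioned in another tenant", and the table later says the lock removes "the ability to add or update credential properties". Add a sentence to that section stating plainly that the lock stops the tenant where the app is provisioned from adding or changing these credentials and the token encryption key on its instance of the app, and give the reason a publisher would want that, so a reader can decide which of the three scenarios to lock rather than reaching for **All properties** by default. Two consistency nits in the same hunk: the usage values are written `Sign`/`Verify` in the bullet list but `verify`/`sign` in the table, and the property is `TokenEncryptionKeyId` in the list but `tokenEncryptionKeyId` in the table; pick the Microsoft Graph casing and use it in both places (the list also leaves `keyCredentials collection` out of code font while every other mention is in code font). The numbered procedure starts with five `1.` items and then switches to explicit `2.` and `3.`; Markdown takes the numbering from the first item and ignores the rest, so these render as steps 6 and 7, which is presumably intended but reads as a mistake in the source. Either use `1.` throughout or number all seven steps explicitly. Finally, `ms.reviewer:` in the front matter is empty and should be filled in or dropped.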