|
16 | 16 | * **disabledByMicrosoftStatus**: string: Specifies whether Microsoft has disabled the registered application. Possible values are: null (default value), NotDisabled, and DisabledDueToViolationOfServicesAgreement (reasons may include suspicious, abusive, or malicious activity, or a violation of the Microsoft Services Agreement) |
17 | 17 | * **displayName**: string (Required): The display name for the application |
18 | 18 | * **groupMembershipClaims**: string: Configures the groups claim issued in a user or OAuth 2.0 access token that the application expects. To set this attribute, use one of the following string values: None, SecurityGroup (for security groups and Microsoft Entra roles), All (this gets all security groups, distribution groups, and Microsoft Entra directory roles that the signed-in user is a member of). |
19 | | -* **id**: string (ReadOnly, DeployTimeConstant): The resource id |
| 19 | +* **id**: string (ReadOnly): The unique identifier for an entity. Read-only. |
20 | 20 | * **identifierUris**: string[]: Also known as App ID URI, this value is set when an application is used as a resource app. The identifierUris acts as the prefix for the scopes you reference in your API's code, and it must be globally unique. You can use the default value provided, which is in the form api://<application-client-id>, or specify a more readable URI like https://contoso.com/api. For more information on valid identifierUris patterns and best practices, see Microsoft Entra application registration security best practices. Not nullable |
21 | 21 | * **info**: [MicrosoftGraphInformationalUrl](#microsoftgraphinformationalurl): Basic profile information of the application, such as it's marketing, support, terms of service, and privacy statement URLs. The terms of service and privacy statement are surfaced to users through the user consent experience. For more information, see How to: Add Terms of service and privacy statement for registered Microsoft Entra apps |
22 | 22 | * **isDeviceOnlyAuthSupported**: bool: Specifies whether this application supports device authentication without a user. The default is false. |
|
50 | 50 | * **apiVersion**: 'beta' (ReadOnly, DeployTimeConstant): The resource api version |
51 | 51 | * **audiences**: string[] (Required): The audience that can appear in the external token. This field is mandatory and should be set to api://AzureADTokenExchange for Microsoft Entra ID. It says what Microsoft identity platform should accept in the aud claim in the incoming token. This value represents Microsoft Entra ID in your external identity provider and has no fixed value across identity providers - you may need to create a new application registration in your identity provider to serve as the audience of this token. This field can only accept a single value and has a limit of 600 characters. Required. |
52 | 52 | * **description**: string: The un-validated, user-provided description of the federated identity credential. It has a limit of 600 characters. Optional. |
53 | | -* **id**: string (ReadOnly, DeployTimeConstant): The resource id |
| 53 | +* **id**: string (ReadOnly): The unique identifier for an entity. Read-only. |
54 | 54 | * **issuer**: string (Required): The URL of the external identity provider and must match the issuer claim of the external token being exchanged. The combination of the values of issuer and subject must be unique on the app. It has a limit of 600 characters. Required. |
55 | 55 | * **name**: string (Required): The unique identifier for the federated identity credential, which has a limit of 120 characters and must be URL friendly. It is immutable once created. Alternate key. Required. Not nullable |
56 | 56 | * **subject**: string (Required): Required. The identifier of the external software workload within the external identity provider. Like the audience value, it has no fixed format, as each identity provider uses their own - sometimes a GUID, sometimes a colon delimited identifier, sometimes arbitrary strings. The value here must match the sub claim within the token presented to Microsoft Entra ID. The combination of issuer and subject must be unique on the app. It has a limit of 600 characters |
|
62 | 62 | * **apiVersion**: 'beta' (ReadOnly, DeployTimeConstant): The resource api version |
63 | 63 | * **appRoleId**: string {minLength: 36, maxLength: 36, pattern: "^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$"} (Required): The identifier (id) for the app role which is assigned to the principal. This app role must be exposed in the appRoles property on the resource application's service principal (resourceId). If the resource application has not declared any app roles, a default app role ID of 00000000-0000-0000-0000-000000000000 can be specified to signal that the principal is assigned to the resource app without any specific app roles. Required on create. |
64 | 64 | * **creationTimestamp**: string (ReadOnly): The time when the app role assignment was created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only. |
65 | | -* **id**: string (ReadOnly, DeployTimeConstant): The resource id |
| 65 | +* **id**: string (ReadOnly): The unique identifier for an entity. Read-only. |
66 | 66 | * **principalDisplayName**: string (ReadOnly): The display name of the user, group, or service principal that was granted the app role assignment. Read-only |
67 | 67 | * **principalId**: string {minLength: 36, maxLength: 36, pattern: "^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$"} (Required): The unique identifier (id) for the user, security group, or service principal being granted the app role. Security groups with dynamic memberships are supported. Required on create. |
68 | 68 | * **principalType**: string (ReadOnly): The type of the assigned principal. This can either be User, Group, or ServicePrincipal. Read-only. |
|
82 | 82 | * **displayName**: string (Required): The display name for the group. Required. Maximum length is 256 characters |
83 | 83 | * **expirationDateTime**: string (ReadOnly): Timestamp of when the group is set to expire. It is null for security groups, but for Microsoft 365 groups, it represents when the group is set to expire as defined in the groupLifecyclePolicy. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only. |
84 | 84 | * **groupTypes**: string[]: Specifies the group type and its membership. If the collection contains Unified, the group is a Microsoft 365 group; otherwise, it's either a security group or a distribution group. For details, see groups overview.If the collection includes DynamicMembership, the group has dynamic membership; otherwise, membership is static |
85 | | -* **id**: string (ReadOnly, DeployTimeConstant): The resource id |
| 85 | +* **id**: string (ReadOnly): The unique identifier for an entity. Read-only. |
86 | 86 | * **infoCatalogs**: string[]: Identifies the info segments assigned to the group |
87 | 87 | * **isAssignableToRole**: bool: Indicates whether this group can be assigned to a Microsoft Entra role. Optional. This property can only be set while creating the group and is immutable. If set to true, the securityEnabled property must also be set to true, visibility must be Hidden, and the group cannot be a dynamic group (that is, groupTypes can't contain DynamicMembership). Only callers in Global Administrator and Privileged Role Administrator roles can set this property. The caller must also be assigned the RoleManagement.ReadWrite.Directory permission to set this property or update the membership of such groups. For more, see Using a group to manage Microsoft Entra role assignmentsUsing this feature requires a Microsoft Entra ID P1 license |
88 | 88 | * **isManagementRestricted**: bool (ReadOnly): Indicates whether the group is a member of a restricted management administrative unit, in which case it requires a role scoped to the restricted administrative unit to manage. The default value is false. Read-only. To manage a group member of a restricted administrative unit, the calling app must be assigned the Directory.Write.Restricted permission. For delegated scenarios, the administrators must also be explicitly assigned supported roles at the restricted administrative unit scope. |
|
122 | 122 | * **apiVersion**: 'beta' (ReadOnly, DeployTimeConstant): The resource api version |
123 | 123 | * **clientId**: string (Required): The object id (not appId) of the client service principal for the application that is authorized to act on behalf of a signed-in user when accessing an API. Required |
124 | 124 | * **consentType**: string (Required): Indicates whether authorization is granted for the client application to impersonate all users or only a specific user. AllPrincipals indicates authorization to impersonate all users. Principal indicates authorization to impersonate a specific user. Consent on behalf of all users can be granted by an administrator. Nonadmin users may be authorized to consent on behalf of themselves in some cases, for some delegated permissions. Required |
125 | | -* **id**: string (ReadOnly, DeployTimeConstant): The resource id |
| 125 | +* **id**: string (ReadOnly): The unique identifier for an entity. Read-only. |
126 | 126 | * **principalId**: string: The id of the user on behalf of whom the client is authorized to access the resource, when consentType is Principal. If consentType is AllPrincipals this value is null. Required when consentType is Principal |
127 | 127 | * **resourceId**: string (Required): The id of the resource service principal to which access is authorized. This identifies the API that the client is authorized to attempt to call on behalf of a signed-in user |
128 | 128 | * **scope**: string: A space-separated list of the claim values for delegated permissions that should be included in access tokens for the resource application (the API). For example, openid User.Read GroupMember.Read.All. Each claim value should match the value field of one of the delegated permissions defined by the API, listed in the publishedPermissionScopes property of the resource service principal. Must not exceed 3850 characters in length. |
|
147 | 147 | * **disabledByMicrosoftStatus**: string: Specifies whether Microsoft has disabled the registered application. Possible values are: null (default value), NotDisabled, and DisabledDueToViolationOfServicesAgreement (reasons may include suspicious, abusive, or malicious activity, or a violation of the Microsoft Services Agreement) |
148 | 148 | * **displayName**: string: The display name for the service principal |
149 | 149 | * **homepage**: string: Home page or landing page of the application. |
150 | | -* **id**: string (ReadOnly, DeployTimeConstant): The resource id |
| 150 | +* **id**: string (ReadOnly): The unique identifier for an entity. Read-only. |
151 | 151 | * **info**: [MicrosoftGraphInformationalUrl](#microsoftgraphinformationalurl): Basic profile information of the acquired application such as app's marketing, support, terms of service and privacy statement URLs. The terms of service and privacy statement are surfaced to users through the user consent experience. For more info, see How to: Add Terms of service and privacy statement for registered Microsoft Entra apps |
152 | 152 | * **keyCredentials**: [MicrosoftGraphKeyCredential](#microsoftgraphkeycredential)[]: The collection of key credentials associated with the service principal. Not nullable |
153 | 153 | * **loginUrl**: string: Specifies the URL where the service provider redirects the user to Microsoft Entra ID to authenticate. Microsoft Entra ID uses the URL to launch the application from Microsoft 365 or the Microsoft Entra My Apps. When blank, Microsoft Entra ID performs IdP-initiated sign-on for applications configured with SAML-based single sign-on. The user launches the application from Microsoft 365, the Microsoft Entra My Apps, or the Microsoft Entra SSO URL. |
|
0 commit comments