Azure Active Directory app manifest

• Article
• 12 minutes to read

The application manifest contains a definition of all the attributes of an application object in the
Microsoft identity platform. It also serves as a mechanism for updating the application object. For
more info on the Application entity and its schema, see the Graph API Application entity
documentation.
You can configure an app's attributes through the Azure portal or programmatically using Microsoft
Graph API or Microsoft Graph PowerShell SDK. However, there are some scenarios where you'll
need to edit the app manifest to configure an app's attribute. These scenarios include:
• If you registered the app as Azure AD multi-tenant and personal Microsoft accounts, you
can't change the supported Microsoft accounts in the UI. Instead, you must use the
application manifest editor to change the supported account type.
• To define permissions and roles that your app supports, you must modify the application
manifest.

Configure the app manifest

To configure the application manifest:
1. Go to the Azure portal. Search for and select the Azure Active Directory service.
2. Select App registrations.
3. Select the app you want to configure.
4. From the app's Overview page, select the Manifest section. A web-based manifest editor
opens, allowing you to edit the manifest within the portal. Optionally, you can select
Download to edit the manifest locally, and then use Upload to reapply it to your application.

Manifest reference
This section describes the attributes found in the application manifest.

id attribute
id attribute
Key Value type
id String
The unique identifier for the app in the directory. This ID is not the identifier used to identify the
app in any protocol transaction. It's used for the referencing the object in directory queries.
Example:
JSON
"id": "f7f9acfc-ae0c-4d6c-b489-0a81dc1652dd",
accessTokenAcceptedVersion attribute
accessTokenAcceptedVersion attribute
Key Value type
accessTokenAcceptedVersion Nullable Int32
Specifies the access token version expected by the resource. This parameter changes the version and
format of the JWT produced independent of the endpoint or client used to request the access token.
The endpoint used, v1.0 or v2.0, is chosen by the client and only impacts the version of id_tokens.
Resources need to explicitly configure accesstokenAcceptedVersion to indicate the
supported access token format.
Possible values for accesstokenAcceptedVersion are 1, 2, or null. If the value is null, this
parameter defaults to 1, which corresponds to the v1.0 endpoint.
If signInAudience is AzureADandPersonalMicrosoftAccount, the value must be 2.

Example:
JSON
"accessTokenAcceptedVersion": 2,

addIns attribute
addIns attribute
Key Value type
addIns Collection
Defines custom behavior that a consuming service can use to call an app in specific contexts. For
example, applications that can render file streams may set the addIns property for its
"FileHandler" functionality. This parameter will let services like Microsoft 365 call the application
in the context of a document the user is working on.
Example:
JSON
"addIns": [
{
"id": "968A844F-7A47-430C-9163-07AE7C31D407",
"type":" FileHandler",
"properties": [
{
"key": "version",
"value": "2"
}
]
}
],

allowPublicClient attribute
allowPublicClient attribute
Key Value type
allowPublicClient Boolean
Specifies the fallback application type. Azure AD infers the application type from the
replyUrlsWithType by default. There are certain scenarios where Azure AD can't determine the
client app type. For example, one such scenario is the ROPC flow where HTTP request happens
without a URL redirection). In those cases, Azure AD will interpret the application type based on
the value of this property. If this value is set to true the fallback application type is set as public
client, such as an installed app running on a mobile device. The default value is false which means
the fallback application type is confidential client such as web app.
Example:
JSON
"allowPublicClient": false,

appId attribute
appId attribute
Key Value type
appId String
Specifies the unique identifier for the app that is assigned to an app by Azure AD.
Example:
JSON
"appId": "601790de-b632-4f57-9523-ee7cb6ceba95",

appRoles attribute
appRoles attribute
Key Value type
appRoles Collection
Specifies the collection of roles that an app may declare. These roles can be assigned to users,
groups, or service principals. For more examples and info, see Add app roles in your application
and receive them in the token.
Example:
JSON
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"description": "Read-only access to device information",
"displayName": "Read Only",
"id": "601790de-b632-4f57-9523-ee7cb6ceba95",
"isEnabled": true,
"value": "ReadOnly"
}
],
errorUrl attribute
errorUrl attribute
Key Value type
errorUrl String
Unsupported.

groupMembershipClaims attribute
groupMembershipClaims attribute
Key Value type
groupMembershipClaims String
Configures the groups claim issued in a user or OAuth 2.0 access token that the app expects. To
set this attribute, use one of the following valid string values:
• "None"
• "SecurityGroup" (for security groups and Azure AD roles)
• "ApplicationGroup" (this option includes only groups that are assigned to the
application)
• "DirectoryRole" (gets the Azure AD directory roles the user is a member of)
• "All" (this will get all of the security groups, distribution groups, and Azure AD directory
roles that the signed-in user is a member of).
Example:
JSON
"groupMembershipClaims": "SecurityGroup",

optionalClaims attribute
optionalClaims attribute
Key Value type
optionalClaims String
The optional claims returned in the token by the security token service for this specific app.
At this time, apps that support both personal accounts and Azure AD (registered through the app
registration portal) cannot use optional claims. However, apps registered for just Azure AD using
the v2.0 endpoint can get the optional claims they requested in the manifest. For more info, see
Optional claims.
Example:
JSON
"optionalClaims": null,

identifierUris attribute
identifierUris attribute
Key Value type
identifierUris String Array
User-defined URI(s) that uniquely identify a web app within its Azure AD tenant or verified
customer owned domain. When an application is used as a resource app, the identifierUri value is
used to uniquely identify and access the resource.
The following API and HTTP scheme-based application ID URI formats are supported. Replace the
placeholder values as described in the list following the table.
identifierUris attribute
Supported application ID
Example app ID URIs
URI formats
api://<appId> api://fc4d2d73-d05a-4a9b-85a8-4f2b3a5f38ed
api://a8573488-ff46-450a-b09a-6eca0c6a02dc/fc4d2d73-
api://<tenantId>/<appId>
d05a-4a9b-85a8-4f2b3a5f38ed
api://<tenantId>/<string> api://a8573488-ff46-450a-b09a-6eca0c6a02dc/api
api://<string>/<appId> api://productapi/fc4d2d73-d05a-4a9b-85a8-4f2b3a5f38ed
https://<tenantInitialDomain>.onmicro https://contoso.onmicrosoft.com/product
soft.com/<string> sapi
https://<verifiedCustomDomain>/<stri https://contoso.com/productsapi
ng>
https://<string>.<verifiedCustomDom https://product.contoso.com
ain>
https://<string>.<verifiedCustomDom https://product.contoso.com/productsapi
ain>/<string>
• <appId> - The application identifier (appId) property of the application object.
• <string> - The string value for the host or the api path segment.
• <tenantId> - A GUID generated by Azure to represent the tenant within Azure.
• <tenantInitialDomain> - <tenantInitialDomain>.onmicrosoft.com, where
<tenantInitialDomain> is the initial domain name the tenant creator specified at tenant
creation.
• <verifiedCustomDomain> - A verified custom domain configured for your Azure AD tenant.
Example:
JSON
"identifierUris": "https://contoso.onmicrosoft.com/fc4d2d73-d05a-4a9b-85a8-
4f2b3a5f38ed",

informationalUrls attribute
informationalUrls attribute
Key Value type
informationalUrls String
Specifies the links to the app's terms of service and privacy statement. The terms of service and
privacy statement are surfaced to users through the user consent experience. For more info, see
How to: Add Terms of service and privacy statement for registered Azure AD apps.
Example:
JSON
 "informationalUrls": {
"termsOfService": "https://MyRegisteredApp/termsofservice",
"support": "https://MyRegisteredApp/support",
"privacy": "https://MyRegisteredApp/privacystatement",
"marketing": "https://MyRegisteredApp/marketing"
},

keyCredentials attribute
keyCredentials attribute
Key Value type
keyCredentials Collection
Holds references to app-assigned credentials, string-based shared secrets and X.509 certificates.
These credentials are used when requesting access tokens (when the app is acting as a client rather
that as a resource).
Example:
JSON
"keyCredentials": [
{
"customKeyIdentifier":null,
"endDate":"2018-09-13T00:00:00Z",
"keyId":"<guid>",
"startDate":"2017-09-12T00:00:00Z",
"type":"AsymmetricX509Cert",
"usage":"Verify",
"value":null
}
],

knownClientApplications attribute
knownClientApplications attribute
Key Value type
knownClientApplications String Array
Used for bundling consent if you have a solution that contains two parts: a client app and a custom
web API app. If you enter the appID of the client app into this value, the user will only have to
consent once to the client app. Azure AD will know that consenting to the client means implicitly
consenting to the web API. It will automatically provision service principals for both the client and
web API at the same time. Both the client and the web API app must be registered in the same
tenant.
Example:
JSON
"knownClientApplications": ["f7f9acfc-ae0c-4d6c-b489-0a81dc1652dd"],

logoUrl attribute
logoUrl attribute
Key Value type
logoUrl String
Read only value that points to the CDN URL to logo that was uploaded in the portal.
Example:
JSON
"logoUrl": "https://MyRegisteredAppLogo",

logoutUrl attribute
logoutUrl attribute
Key Value type
logoutUrl String
The URL to log out of the app.
Example:
JSON
"logoutUrl": "https://MyRegisteredAppLogout",

name attribute
name attribute
Key Value type
name String
The display name for the app.
Example:
JSON
"name": "MyRegisteredApp",

oauth2AllowImplicitFlow attribute
oauth2AllowImplicitFlow attribute
Key Value type
oauth2AllowImplicitFlow Boolean
Specifies whether this web app can request OAuth2.0 implicit flow access tokens. The default is
false. This flag is used for browser-based apps, like JavaScript single-page apps. To learn more,
enter OAuth 2.0 implicit grant flow in the table of contents and see the topics about
implicit flow.
Example:
JSON
"oauth2AllowImplicitFlow": false,
oauth2AllowIdTokenImplicitFlow attribute
oauth2AllowIdTokenImplicitFlow attribute
Key Value type
oauth2AllowIdTokenImplicitFlow Boolean
Specifies whether this web app can request OAuth2.0 implicit flow ID tokens. The default is false.
This flag is used for browser-based apps, like JavaScript single-page apps.
Example:
JSON
"oauth2AllowIdTokenImplicitFlow": false,

oauth2Permissions attribute
oauth2Permissions attribute
Key Value type
oauth2Permissions Collection
Specifies the collection of OAuth 2.0 permission scopes that the web API (resource) app exposes to
client apps. These permission scopes may be granted to client apps during consent.
Example:
JSON
"oauth2Permissions": [
{
"adminConsentDescription": "Allow the app to access resources on
behalf of the signed-in user.",
"adminConsentDisplayName": "Access resource1",
"id": "<guid>",
"isEnabled": true,
"type": "User",
"userConsentDescription": "Allow the app to access resource1 on your
behalf.",
"userConsentDisplayName": "Access resources",
"value": "user_impersonation"
}
],

oauth2RequiredPostResponse attribute
Key Value type
oauth2RequiredPostResponse Boolean
Specifies whether, as part of OAuth 2.0 token requests, Azure AD will allow POST requests, as
opposed to GET requests. The default is false, which specifies that only GET requests will be
allowed.
Example:
JSON
"oauth2RequirePostResponse": false,
parentalControlSettings attribute
Key Value type
parentalControlSettings String
• countriesBlockedForMinors specifies the countries/regions in which the app is
blocked for minors.
• legalAgeGroupRule specifies the legal age group rule that applies to users of the app.
Can be set to Allow, RequireConsentForPrivacyServices,
RequireConsentForMinors, RequireConsentForKids, or BlockMinors.

Example:
JSON
"parentalControlSettings": {
"countriesBlockedForMinors": [],
"legalAgeGroupRule": "Allow"
},

passwordCredentials attribute
Key Value type
passwordCredentials Collection
See the description for the keyCredentials property.

Example:
JSON
"passwordCredentials": [
{
"customKeyIdentifier": null,
"endDate": "2018-10-19T17:59:59.6521653Z",
"keyId": "<guid>",
"startDate":"2016-10-19T17:59:59.6521653Z",
"value":null
}
],

preAuthorizedApplications attribute
Key Value type
preAuthorizedApplications Collection
Lists applications and requested permissions for implicit consent. Requires an admin to have
provided consent to the application. preAuthorizedApplications do not require the user to consent to
the requested permissions. Permissions listed in preAuthorizedApplications do not require user
consent. However, any additional requested permissions not listed in preAuthorizedApplications
require user consent.
Example:
JSON
"preAuthorizedApplications": [
{
"appId": "abcdefg2-000a-1111-a0e5-812ed8dd72e8",
 "permissionIds": [
"8748f7db-21fe-4c83-8ab5-53033933c8f1"
]
}
],

publisherDomain attribute
Key Value type
publisherDomain String
The verified publisher domain for the application. Read-only.
Example:
JSON
"publisherDomain": "{tenant}.onmicrosoft.com",

replyUrlsWithType attribute
Key Value type
replyUrlsWithType Collection
This multi-value property holds the list of registered redirect_uri values that Azure AD will accept
as destinations when returning tokens. Each URI value should contain an associated app type value.
Supported type values are:
• Web
• InstalledClient
• Spa

To learn more, see replyUrl restrictions and limitations.

Example:
JSON
"replyUrlsWithType": [
{
"url":
"https://localhost:4400/services/office365/redirectTarget.html",
"type": "InstalledClient"
}
],

requiredResourceAccess attribute
Key Value type
requiredResourceAccess Collection
With dynamic consent, requiredResourceAccess drives the admin consent experience and
the user consent experience for users who are using static consent. However, this parameter doesn't
drive the user consent experience for the general case.
• resourceAppId is the unique identifier for the resource that the app requires access to.
This value should be equal to the appId declared on the target resource app.
 • resourceAccess is an array that lists the OAuth2.0 permission scopes and app roles that
the app requires from the specified resource. Contains the id and type values of the
specified resources.
Example:
JSON
"requiredResourceAccess": [
{
"resourceAppId": "00000002-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
"type": "Scope"
}
]
}
],

samlMetadataUrl attribute
Key Value type
samlMetadataUrl String
The URL to the SAML metadata for the app.
Example:
JSON
"samlMetadataUrl": "https://MyRegisteredAppSAMLMetadata",

signInUrl attribute
Key Value type
signInUrl String
Specifies the URL to the app's home page.
Example:
JSON
"signInUrl": "https://MyRegisteredApp",

signInAudience attribute
Key Value type
signInAudience String
Specifies what Microsoft accounts are supported for the current application. Supported values are:
• AzureADMyOrg - Users with a Microsoft work or school account in my organization's
Azure AD tenant (for example, single tenant)
• AzureADMultipleOrgs - Users with a Microsoft work or school account in any
organization's Azure AD tenant (for example, multi-tenant)
 • AzureADandPersonalMicrosoftAccount - Users with a personal Microsoft
account, or a work or school account in any organization's Azure AD tenant
• PersonalMicrosoftAccount - Personal accounts that are used to sign in to services
like Xbox and Skype.
Example:
JSON
"signInAudience": "AzureADandPersonalMicrosoftAccount",

tags attribute
Key Value type
tags String Array
Custom strings that can be used to categorize and identify the application.
Example:
JSON
"tags": [
"ProductionApp"
],

Common issues
Manifest limits
An application manifest has multiple attributes that are referred to as collections; for example,
appRoles, keyCredentials, knownClientApplications, identifierUris, redirectUris,
requiredResourceAccess, and oauth2Permissions. Within the complete application manifest for any
application, the total number of entries in all the collections combined has been capped at 1200. If
you previously specify 100 redirect URIs in the application manifest, then you're only left with
1100 remaining entries to use across all other collections combined that make up the manifest.
Note
In case you try to add more than 1200 entries in the application manifest, you may see an error
"Failed to update application xxxxxx. Error details: The size of the manifest has exceeded its
limit. Please reduce the number of values and retry your request."

Unsupported attributes
The application manifest represents the schema of the underlying application model in Azure AD.
As the underlying schema evolves, the manifest editor will be updated to reflect the new schema
from time to time. As a result, you may notice new attributes showing up in the application
manifest. In rare occasions, you may notice a syntactic or semantic change in the existing attributes
or you may find an attribute that existed previously are not supported anymore. For example, you
will see new attributes in the App registrations, which are known with a different name in the App
registrations (Legacy) experience.
 App registrations (Legacy) App registrations
availableToOtherTenants signInAudience
displayName name
errorUrl -
homepage signInUrl
objectId Id
publicClient allowPublicClient
replyUrls replyUrlsWithType
For descriptions for these attributes, see the manifest reference section.
When you try to upload a previously downloaded manifest, you may see one of the following
errors. This error is likely because the manifest editor now supports a newer version of the schema,
which doesn't match with the one you're trying to upload.
• "Failed to update xxxxxx application. Error detail: Invalid object identifier 'undefined'. []."
• "Failed to update xxxxxx application. Error detail: One or more property values specified
are invalid. []."
• "Failed to update xxxxxx application. Error detail: Not allowed to set
availableToOtherTenants in this api version for update. []."
• "Failed to update xxxxxx application. Error detail: Updates to 'replyUrls' property isn't
allowed for this application. Use 'replyUrlsWithType' property instead. []."
• "Failed to update xxxxxx application. Error detail: A value without a type name was found
and no expected type is available. When the model is specified, each value in the payload
must have a type that can be either specified in the payload, explicitly by the caller or
implicitly inferred from the parent value. []"
When you see one of these errors, we recommend the following actions:
1. Edit the attributes individually in the manifest editor instead of uploading a previously
downloaded manifest. Use the manifest reference table to understand the syntax and
semantics of old and new attributes so that you can successfully edit the attributes you're
interested in.
2. If your workflow requires you to save the manifests in your source repository for use later,
we suggest rebasing the saved manifests in your repository with the one you see in the App
registrations experience.

Next steps
• For more info on the relationship between an app's application and service principal
object(s), see Application and service principal objects in Azure AD.
• See the Microsoft identity platform developer glossary for definitions of some core
Microsoft identity platform developer concepts.
Use the following comments section to provide feedback that helps refine and shape our content.