In this article, you learn how to configure app management policies in Microsoft Entra ID to control how app owners and administrators can configure applications and service principals in your organization. This guidance helps administrators reduce security risks caused by insecure configurations.
The set of restrictions available to configure includes:
Restriction name | Description | Security value | Availability |
---|---|---|---|
asymmetricKeyLifetime | Enforce a max lifetime range for an asymmetric key (certificate). | Reduces security risk from long-lived credentials | Can be configured through app management policy APIs and the Microsoft Entra admin center. Referred to as Restrict max certificate lifetime in the Microsoft Entra admin center. |
audiences | Restricts creation or promotion of apps based on signInAudience values. | Prevents unsanctioned multitenant or consumer-facing applications | Can be configured through app management policy APIs |
customPasswordAddition | Restrict a custom password secret on application or service principal. | Prevents new user-provided app passwords, which are more easily compromised than system-generated ones | Can be configured through app management policy APIs and the Microsoft Entra admin center. Referred to as Block custom passwords in the Microsoft Entra admin center. |
nonDefaultUriAddition | Block new identifier URIs for apps unless they're one of the default formats api://{appId} or api://{tenantId}/{appId}. | Reduces security risk from improper audience validation | Can be configured through app management policy APIs and the Microsoft Entra admin center. Referred to as Block custom identifier URIs in the Microsoft Entra admin center. |
uriAdditionWithoutUniqueTenantIdentifier | Block new identifier URIs for apps unless they're one of the secure formats. | Reduces security risk from audience overlap | Can be configured through app management policy APIs and the Microsoft Entra admin center. Referred to as Block identifier URIs without unique tenant identifier in the Microsoft Entra admin center. |
passwordAddition | Block the addition of new passwords (also referred to as secrets) on applications altogether. | Prevents new passwords, which are the most easily compromised form of credential | Can be configured through app management policy APIs and the Microsoft Entra admin center. In the Microsoft Entra admin center, combined with the symmetricKeyAddition restriction under the Block password addition setting. |
passwordLifetime | Enforce a max lifetime range for a password secret. | Reduces security risk from long-lived credentials | Can be configured through app management policy APIs and the Microsoft Entra admin center. In the Microsoft Entra admin center, combined with the symmetricKeyLifetime restriction under the Restrict max password lifetime setting. |
symmetricKeyAddition | Restrict symmetric keys on applications. | Prevents new symmetric keys, which are effectively passwords - the most easily compromised form of credential | Can be configured through app management policy APIs and the Microsoft Entra admin center. In the Microsoft Entra admin center, combined with the passwordAddition restriction under the Block password addition setting. |
symmetricKeyLifetime | Enforce a max lifetime range for a symmetric key. | Reduces security risk from long-lived credentials | Can be configured through app management policy APIs and the Microsoft Entra admin center. In the Microsoft Entra admin center, combined with the passwordLifetime restriction under the Restrict max password lifetime setting. |
trustedCertificateAuthority | Block new certificate credentials if the issuer isn't listed in the trusted certificate authority list. | Ensures only trusted CAs are used by apps in your tenant | Can be configured through app management policy APIs. |
To learn more about how the app management policy API works, visit the API documentation.
Prerequisites
To configure app management policies, you need:
- A user account. If you don't already have one, you can create an account for free.
- Either the Global Administrator role, or the Security Administrator role combined with the Cloud Application Administrator or Application Administrator role.
Configure a restriction
You can configure app management policies in Microsoft Entra ID using the Microsoft Entra admin center.
Enable a restriction for all applications
This example blocks the addition of new passwords on all applications and service principals in your organization. A similar process can be used to enable other restrictions.
Microsoft Entra admin center
To block new passwords using the Microsoft Entra admin center:
Sign in to the Microsoft Entra admin center.
Browse to Entra ID > Enterprise apps > Application policies.
Select Block password addition.
Set the status to On. Ensure the 'Applies to' field is set to All applications.
Select Save to save your settings.
Grant an exception to an application
Sometimes, exceptions are needed to your tenant-wide rules. This example grants an app an exception to the restriction blocking custom identifier URIs, so it can still have custom URIs added to it. A similar process can be followed for other restrictions.
Microsoft Entra admin center
To grant an app an exception to the restriction blocking custom identifier URIs using the Microsoft Entra admin center:
Sign in to the Microsoft Entra admin center.
Browse to Entra ID > Enterprise apps > Application policies.
Select Block custom identifier URIs.
Ensure the status is On. Set the 'Applies to' field to All applications with exclusions.
Under Excluded apps, select Add applications.
Choose the application you'd like to exclude from the restriction.
Select Save to save your settings.
Grant an exception to a user or service
Sometimes, exceptions need to be granted to the user or service creating or modifying the application. For example, imagine an automated process in your organization periodically creates applications and sets passwords on them. You want to block the new passwords in your organization, but you don't want to break this automated process while you're working on updating it. Application exceptions wouldn't work in this case, because the apps being created/updated don't exist yet! Instead, you can apply an exception to the process itself.
This type of exception, sometimes labeled an 'actor' or 'caller' exception, is configured using custom security attributes. Managing those attributes requires two more roles beyond the prerequisites above: Attribute Definition Administrator (to define the attribute) and Attribute Assignment Administrator (to assign it to the user or service principal).
This example grants a service an exception to the restriction enforcing a max lifetime on new certificates it adds to other applications and service principals. The service will be represented by its service principal. Find the service principal for a service by searching for it in Enterprise applications.
Microsoft Entra admin center
Sign in to the Microsoft Entra admin center.
Browse to Entra ID > Enterprise apps > Application policies.
Select Restrict max certificate lifetime.
Ensure the status is On. Set the 'Applies to' field to All applications with exclusions.
Under Excluded callers, select Add excluded callers.
Choose the user or service principal whose calls to create/update apps you'd like to exclude from the restriction.
Select Save to save your settings.
Apply a restriction to a specific application
Sometimes, you aren't ready to apply a restriction to your entire tenant, but still want to apply the rule to a select set of security-sensitive applications. This example applies the restriction blocking custom passwords to a single application. A similar process can be followed for other restrictions.
Microsoft Entra admin center
Sign in to the Microsoft Entra admin center.
Browse to Entra ID > Enterprise apps > Application policies.
Select Block custom passwords.
Ensure the status is On. Set the 'Applies to' field to Select applications.
Select Add applications.
Choose the application you'd like to apply the restriction to.
Select Save to save your settings.
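The four procedures above (blocking a restriction tenant-wide, excluding an app, excluding a caller, and applying a restriction to selected apps) all produce the same underlying objects: a tenant default policy plus custom policies assigned to specific apps. The Python model below is an added example, not Microsoft's code, and it never calls the service. It mirrors the shape of the Graph tenantAppManagementPolicy and appManagementPolicy objects (applicationRestrictions or restrictions holding passwordCredentials and keyCredentials lists, each entry with restrictionType, maxLifetime and restrictForAppsCreatedAfterDateTime) and evaluates a proposed credential addition against them, so you can see which policy applies to an app and why a request is blocked. The excludedCallers field, the rule that an assigned custom policy replaces the tenant default for that app, and every app and caller ID are assumptions for illustration; the real caller exception is expressed through custom security attributes, as described above.

```python
"""Local model of how Entra app management policies gate credential additions.

Added example, not Microsoft's code. Policy documents follow the Graph
tenantAppManagementPolicy / appManagementPolicy shape; the evaluation rules,
the simplified "excludedCallers" field (the service uses custom security
attributes for caller exceptions) and all IDs are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# ISO 8601 duration subset handled here for maxLifetime: P{n}D[T{n}H[{n}M]]
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?$")


def parse_duration(value: str) -> timedelta:
    """Parse "P90D" or "P1DT12H" into a timedelta (days/hours/minutes only)."""
    m = _DURATION.match(value)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes = (int(x) if x else 0 for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes)


def _utc(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


@dataclass(frozen=True)
class CredentialRequest:
    app_id: str
    app_created: datetime
    caller_id: str
    kind: str                    # "password" | "symmetricKey" | "certificate"
    lifetime: timedelta
    custom_secret: bool = False  # caller supplied the secret value itself


# Constructed sample tenant default: block new passwords, cap certificates at 90 days.
TENANT_DEFAULT = {
    "isEnabled": True,
    "applicationRestrictions": {
        "passwordCredentials": [
            {"restrictionType": "passwordAddition",
             "restrictForAppsCreatedAfterDateTime": "2024-01-01T00:00:00Z"},
        ],
        "keyCredentials": [
            {"restrictionType": "asymmetricKeyLifetime", "maxLifetime": "P90D",
             "restrictForAppsCreatedAfterDateTime": "2024-01-01T00:00:00Z",
             "excludedCallers": ["sp-cert-rotator"]},  # assumption: stands in for a CSA exemption
        ],
    },
}

# Constructed custom policy assigned to one app. Assumption: an assigned custom
# policy replaces the tenant default for that app, per the article's "override".
CUSTOM_POLICIES = {
    "legacy-app": {
        "isEnabled": True,
        "restrictions": {
            "passwordCredentials": [{"restrictionType": "passwordLifetime", "maxLifetime": "P30D"}],
            "keyCredentials": [],
        },
    },
}

_LIFETIME_KIND = {"passwordLifetime": "password", "symmetricKeyLifetime": "symmetricKey",
                  "asymmetricKeyLifetime": "certificate"}


def _violation(rule: dict, req: CredentialRequest) -> str | None:
    """Return why `rule` rejects `req`, or None when the rule does not apply."""
    rtype = rule["restrictionType"]
    if rtype == "passwordAddition" and req.kind == "password":
        return "passwordAddition blocks new passwords"
    if rtype == "customPasswordAddition" and req.kind == "password" and req.custom_secret:
        return "customPasswordAddition blocks user-supplied passwords"
    if rtype == "symmetricKeyAddition" and req.kind == "symmetricKey":
        return "symmetricKeyAddition blocks new symmetric keys"
    if rtype in _LIFETIME_KIND and req.kind == _LIFETIME_KIND[rtype]:
        if req.lifetime > parse_duration(rule["maxLifetime"]):
            return f"{rtype} exceeds maxLifetime {rule['maxLifetime']}"
    return None


def evaluate(req: CredentialRequest, tenant_policy: dict = TENANT_DEFAULT,
             custom_policies: dict = CUSTOM_POLICIES) -> tuple[bool, str]:
    """Decide whether adding the credential would be allowed, and say why."""
    custom = custom_policies.get(req.app_id)
    if custom is not None:
        source, enabled, rules = "custom policy", custom["isEnabled"], custom["restrictions"]
    else:
        source, enabled = "tenant default", tenant_policy["isEnabled"]
        rules = tenant_policy["applicationRestrictions"]
    if not enabled:
        return True, f"{source} disabled"
    bucket = "keyCredentials" if req.kind == "certificate" else "passwordCredentials"
    for rule in rules.get(bucket, []):
        if rule.get("state", "enabled") == "disabled":
            continue
        cutoff = rule.get("restrictForAppsCreatedAfterDateTime")
        if cutoff and req.app_created <= _utc(cutoff):
            continue  # app predates the restriction
        if req.caller_id in rule.get("excludedCallers", []):
            continue  # actor/caller exception
        why = _violation(rule, req)
        if why:
            return False, f"{source}: {why}"
    return True, f"{source}: no restriction matched"


def run_scenarios() -> dict[str, tuple[bool, str]]:
    """Exercise the situations the article walks through."""
    new, old = _utc("2025-03-01T00:00:00Z"), _utc("2023-06-01T00:00:00Z")
    d = timedelta
    return {
        "tenant-wide block":      evaluate(CredentialRequest("app-a", new, "alice", "password", d(days=180))),
        "pre-cutoff app":         evaluate(CredentialRequest("app-b", old, "alice", "password", d(days=180))),
        "app exception ok":       evaluate(CredentialRequest("legacy-app", new, "alice", "password", d(days=20))),
        "app exception too long": evaluate(CredentialRequest("legacy-app", new, "alice", "password", d(days=60))),
        "cert too long":          evaluate(CredentialRequest("app-a", new, "alice", "certificate", d(days=365))),
        "caller exception":       evaluate(CredentialRequest("app-a", new, "sp-cert-rotator", "certificate", d(days=365))),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:24} {'ALLOW' if ok else 'DENY':5} {why}")
```

Running the module prints one line per scenario. The two points worth checking against your own tenant are the ones the model makes explicit: an app created before restrictForAppsCreatedAfterDateTime is not covered, and an app with a custom policy assigned is judged only by that policy, so an exception policy with no restrictions at all lets every credential through.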
View your custom policies
Custom policies are applied to specific applications and service principals. They're used to override the tenant-wide configuration for a specific app. See the app management policy API documentation for details.
The Microsoft Entra admin center creates custom policies for you based on your intent. For example, if you grant an app an exemption from a restriction, the admin center builds a custom policy with that behavior behind the scenes and assigns it to the application.
Because of this, the list of custom policies can't be viewed directly in the Microsoft Entra admin center; use the app management policy APIs to enumerate them.
Fix your policy state for use in the Microsoft Entra admin center
If you have ever configured your app management policies outside of the Microsoft Entra admin center, you might have configured them in a way the portal doesn't expect. If so, when loading a restriction, you'll see an error message like:
The restriction has been modified outside of this interface. To prevent data loss, editing is disabled until restrictions are synchronized.
Microsoft Entra admin center
Repairing the policy state can't be done using the Microsoft Entra admin center; correct the policy through the app management policy APIs instead.