az ad app

Manage applications with AAD Graph.

Commands

az ad app create

Create a web application, web API or native application.

az ad app credential

Manage an application's password or certificate credentials.

az ad app credential delete

Delete an application's password or certificate credentials.

az ad app credential list

List an application's password or certificate credentials.

az ad app credential reset

Append or overwrite an application's password or certificate credentials.

az ad app delete

Delete an application.

az ad app list

List applications.

az ad app owner

Manage application owners.

az ad app owner add

Add an application owner.

az ad app owner list

List application owners.

az ad app owner remove

Remove an application owner.

az ad app permission

Manage an application's OAuth2 permissions.

az ad app permission add

Add an API permission.

az ad app permission admin-consent

Grant Application & Delegated permissions through admin-consent.

az ad app permission delete

Remove an API permission.

az ad app permission grant

Grant the app API Delegated permissions.

az ad app permission list

List API permissions the application has requested.

az ad app permission list-grants

List OAuth2 permission grants.

az ad app show

Get the details of an application.

az ad app update

Update an application.

az ad app create

Create a web application, web API or native application.

az ad app create --display-name
                 [--app-roles]
                 [--available-to-other-tenants {false, true}]
                 [--credential-description]
                 [--end-date]
                 [--homepage]
                 [--identifier-uris]
                 [--key-type {AsymmetricX509Cert, Password, Symmetric}]
                 [--key-usage {Sign, Verify}]
                 [--key-value]
                 [--native-app {false, true}]
                 [--oauth2-allow-implicit-flow {false, true}]
                 [--optional-claims]
                 [--password]
                 [--reply-urls]
                 [--required-resource-accesses]
                 [--start-date]

Examples

Create a native application with delegated permission of "access the AAD directory as the signed-in user"

az ad app create --display-name my-native --native-app --required-resource-accesses @manifest.json
("manifest.json" contains the following content)
[{
    "resourceAppId": "00000002-0000-0000-c000-000000000000",
    "resourceAccess": [
        {
            "id": "a42657d6-7f20-40e3-b6f0-cee03008a62a",
            "type": "Scope"
        }
    ]
}]

Create an application with a role

az ad app create --display-name mytestapp --identifier-uris https://mytestapp.websites.net --app-roles @manifest.json
("manifest.json" contains the following content)
[{
    "allowedMemberTypes": [
      "User"
    ],
    "description": "Approvers can mark documents as approved",
    "displayName": "Approver",
    "isEnabled": "true",
    "value": "approver"
}]

Create an application with optional claims

az ad app create --display-name mytestapp --optional-claims @manifest.json
("manifest.json" contains the following content)
{
    "idToken": [
        {
            "name": "auth_time",
            "source": null,
            "essential": false
        }
    ],
    "accessToken": [
        {
            "name": "email",
            "source": null,
            "essential": false
        }
    ]
}

Required Parameters

--display-name

The display name of the application.

Optional Parameters

--app-roles

Declare the roles you want to associate with your application. Should be in manifest JSON format. See the examples above for details.

--available-to-other-tenants

The application can be used from any Azure AD tenant.

accepted values: false, true
--credential-description

The description of the password.

--end-date

Date or datetime after which credentials expire (e.g. '2017-12-31T11:59:59+00:00' or '2017-12-31'). Default value is one year after the current time.

--homepage

The URL where users can sign in and use your app.

--identifier-uris

Space-separated unique URIs that Azure AD can use for this app.

--key-type

The type of the key credentials associated with the application.

accepted values: AsymmetricX509Cert, Password, Symmetric
default value: AsymmetricX509Cert
--key-usage

The usage of the key credentials associated with the application.

accepted values: Sign, Verify
default value: Verify
--key-value

The value for the key credentials associated with the application.

--native-app

An application which can be installed on a user's device or computer.

accepted values: false, true
--oauth2-allow-implicit-flow

Whether to allow implicit grant flow for OAuth2.

accepted values: false, true
--optional-claims

Declare the optional claims for the application. Should be in manifest JSON format. See the examples above for details. See https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims#optionalclaim-type for the optional claim properties.

--password

App password, aka 'client secret'.

--reply-urls

Space-separated URIs to which Azure AD will redirect in response to an OAuth 2.0 request. The value does not need to be a physical endpoint, but must be a valid URI.

--required-resource-accesses

Resource scopes and roles the application requires access to. Should be in manifest JSON format. See the examples above for details.

--start-date

Date or datetime at which credentials become valid (e.g. '2017-01-01T01:00:00+00:00' or '2017-01-01'). Default value is the current time.

az ad app delete

Delete an application.

az ad app delete --id

Examples

Delete an application. (autogenerated)

az ad app delete --id 00000000-0000-0000-0000-000000000000

Required Parameters

--id

Identifier URI, application ID, or object ID.

az ad app list

List applications.

For low latency, only the first 100 applications are returned by default, unless you provide filter arguments or use "--all".

az ad app list [--all]
               [--app-id]
               [--display-name]
               [--filter]
               [--identifier-uri]
               [--query-examples]
               [--show-mine]

Optional Parameters

--all

List all entities; expect a long delay in a large organization.

--app-id

Application ID.

--display-name

The display name of the application.

--filter

OData filter, e.g. --filter "displayname eq 'test' and servicePrincipalType eq 'Application'".

--identifier-uri

Graph application identifier; must be in URI format.

--query-examples

Recommends JMESPath strings for you. You can copy one of the queries and paste it after the --query parameter, within double quotation marks, to see the results. You can add one or more positional keywords so that the suggestions are based on those keywords.

--show-mine

List entities owned by the current user.
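A defender reviewing registrations typically runs `az ad app list --all -o json` and inspects the result. The following is an added example, not part of this reference, that audits such output for the settings documented on this page: implicit flow, multi-tenant availability, plain-HTTP reply URLs, `groupMembershipClaims` set to `All`, and credential expiry (`--end-date`). It assumes the AAD Graph field names as az prints them (`oauth2AllowImplicitFlow`, `availableToOtherTenants`, `replyUrls`, `passwordCredentials[].endDate`, `keyCredentials[].endDate`); the sample input is constructed.

```python
import json
import sys
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed sample shaped like `az ad app list -o json` output (field names assumed).
SAMPLE_APPS_JSON = """[
 {"displayName": "legacy-spa", "oauth2AllowImplicitFlow": true,
  "availableToOtherTenants": true, "groupMembershipClaims": "All",
  "replyUrls": ["http://localhost:3000/cb", "http://legacy.example.test/cb"],
  "passwordCredentials": [{"keyId": "k1", "endDate": "2019-12-31T11:59:59+00:00"}],
  "keyCredentials": []},
 {"displayName": "backend-api", "oauth2AllowImplicitFlow": false,
  "availableToOtherTenants": false, "groupMembershipClaims": null,
  "replyUrls": ["https://api.example.test/auth"],
  "passwordCredentials": [{"keyId": "k2", "endDate": "2020-02-01T00:00:00Z"}],
  "keyCredentials": [{"keyId": "c1", "endDate": "2030-01-01T00:00:00+00:00"}]}
]"""

def audit_apps(apps, now, warn_within=timedelta(days=30)):  # -> [(displayName, finding)]
    findings = []
    for app in apps:
        name = app.get("displayName")
        if app.get("oauth2AllowImplicitFlow"):          # --oauth2-allow-implicit-flow
            findings.append((name, "implicit-flow-enabled"))
        if app.get("availableToOtherTenants"):          # --available-to-other-tenants
            findings.append((name, "multi-tenant"))
        if app.get("groupMembershipClaims") == "All":   # --set groupMembershipClaims=All
            findings.append((name, "group-claims-all"))
        for url in app.get("replyUrls") or []:          # --reply-urls over plain HTTP
            host = urlparse(url).hostname
            if url.startswith("http://") and host not in ("localhost", "127.0.0.1"):
                findings.append((name, "plain-http-reply-url:" + url))
        creds = (app.get("passwordCredentials") or []) + (app.get("keyCredentials") or [])
        for cred in creds:                              # --end-date of each credential
            # az emits ISO 8601 with an offset; a trailing 'Z' is normalised to UTC.
            end = datetime.fromisoformat(cred["endDate"].replace("Z", "+00:00"))
            if end <= now:
                findings.append((name, "expired-credential:" + cred["keyId"]))
            elif end - now <= warn_within:
                findings.append((name, "expiring-credential:" + cred["keyId"]))
    return findings

def sample_findings():  # the constructed sample audited against a fixed clock
    return audit_apps(json.loads(SAMPLE_APPS_JSON), datetime(2020, 1, 15, tzinfo=timezone.utc))

if __name__ == "__main__":  # e.g.: az ad app list --all -o json | python audit_apps.py
    for name, finding in audit_apps(json.load(sys.stdin), datetime.now(timezone.utc)):
        print(f"{name}: {finding}")
```

Plain-HTTP reply URLs on localhost are left alone because native apps legitimately use them for local redirects; everything else over http:// is flagged.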

az ad app show

Get the details of an application.

az ad app show --id
               [--query-examples]

Examples

Get the details of an application. (autogenerated)

az ad app show --id 00000000-0000-0000-0000-000000000000

Required Parameters

--id

Identifier URI, application ID, or object ID.

Optional Parameters

--query-examples

Recommends JMESPath strings for you. You can copy one of the queries and paste it after the --query parameter, within double quotation marks, to see the results. You can add one or more positional keywords so that the suggestions are based on those keywords.

az ad app update

Update an application.

az ad app update --id
                 [--add]
                 [--app-roles]
                 [--available-to-other-tenants {false, true}]
                 [--credential-description]
                 [--display-name]
                 [--end-date]
                 [--force-string]
                 [--homepage]
                 [--identifier-uris]
                 [--key-type {AsymmetricX509Cert, Password, Symmetric}]
                 [--key-usage {Sign, Verify}]
                 [--key-value]
                 [--oauth2-allow-implicit-flow {false, true}]
                 [--optional-claims]
                 [--password]
                 [--remove]
                 [--reply-urls]
                 [--required-resource-accesses]
                 [--set]
                 [--start-date]

Examples

Update a native application with delegated permission of "access the AAD directory as the signed-in user"

az ad app update --id e042ec79-34cd-498f-9d9f-123456781234 --required-resource-accesses @manifest.json
("manifest.json" contains the following content)
[{
    "resourceAppId": "00000002-0000-0000-c000-000000000000",
    "resourceAccess": [
        {
            "id": "a42657d6-7f20-40e3-b6f0-cee03008a62a",
            "type": "Scope"
        }
    ]
}]

Declare an application role

az ad app update --id e042ec79-34cd-498f-9d9f-123456781234 --app-roles @manifest.json
("manifest.json" contains the following content)
[{
    "allowedMemberTypes": [
      "User"
    ],
    "description": "Approvers can mark documents as approved",
    "displayName": "Approver",
    "isEnabled": "true",
    "value": "approver"
}]

Update optional claims

az ad app update --id e042ec79-34cd-498f-9d9f-123456781234 --optional-claims @manifest.json
("manifest.json" contains the following content)
{
    "idToken": [
        {
            "name": "auth_time",
            "source": null,
            "essential": false
        }
    ],
    "accessToken": [
        {
            "name": "email",
            "source": null,
            "essential": false
        }
    ]
}

Update an application's group membership claims to "All"

az ad app update --id e042ec79-34cd-498f-9d9f-123456781234 --set groupMembershipClaims=All

Required Parameters

--id

Identifier URI, application ID, or object ID.

Optional Parameters

--add

Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.

--app-roles

Declare the roles you want to associate with your application. Should be in manifest JSON format. See the examples above for details.

--available-to-other-tenants

The application can be used from any Azure AD tenant.

accepted values: false, true
--credential-description

The description of the password.

--display-name

The display name of the application.

--end-date

Date or datetime after which credentials expire (e.g. '2017-12-31T11:59:59+00:00' or '2017-12-31'). Default value is one year after the current time.

--force-string

When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.

--homepage

The URL where users can sign in and use your app.

--identifier-uris

Space-separated unique URIs that Azure AD can use for this app.

--key-type

The type of the key credentials associated with the application.

accepted values: AsymmetricX509Cert, Password, Symmetric
default value: AsymmetricX509Cert
--key-usage

The usage of the key credentials associated with the application.

accepted values: Sign, Verify
default value: Verify
--key-value

The value for the key credentials associated with the application.

--oauth2-allow-implicit-flow

Whether to allow implicit grant flow for OAuth2.

accepted values: false, true
--optional-claims

Declare the optional claims for the application. Should be in manifest JSON format. See the examples above for details. See https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims#optionalclaim-type for the optional claim properties.

--password

App password, aka 'client secret'.

--remove

Remove a property or an element from a list. Example: --remove property.list OR --remove propertyToRemove.

--reply-urls

Space-separated URIs to which Azure AD will redirect in response to an OAuth 2.0 request. The value does not need to be a physical endpoint, but must be a valid URI.

--required-resource-accesses

Resource scopes and roles the application requires access to. Should be in manifest JSON format. See the examples above for details.

--set

Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>.

--start-date

Date or datetime at which credentials become valid (e.g. '2017-01-01T01:00:00+00:00' or '2017-01-01'). Default value is the current time.