Add Application Registration

Description

This runbook creates a new application registration in Microsoft Entra ID and optionally configures redirect URIs and SAML settings. It validates the submitted parameters, prevents duplicate app creation, and writes verbose logs for troubleshooting. Use it to standardize application registration setup, including visibility and assignment-related options.

Location

Organization → Applications → Add Application Registration

Full Runbook name

rjgit-org_applications_add-application-registration

Permissions

Application permissions

• Type: Microsoft Graph

  • Application.ReadWrite.OwnedBy

  • Organization.Read.All

  • Group.ReadWrite.All

RBAC roles

• Application Developer

Parameters

ApplicationName

The display name of the application registration to create.

RedirectURI

Used for UI selection only. Determines which redirect URI type to configure - None, Web, SPA, or Public Client

signInAudience

Specifies who can use the application. Defaults to "AzureADMyOrg" (single tenant).

webRedirectURI

Redirect URI or URIs for web applications. Multiple values can be separated by semicolons.

spaRedirectURI

Redirect URI or URIs for single-page applications. Multiple values can be separated by semicolons.

publicClientRedirectURI

Redirect URI or URIs for public client/native applications. Multiple values can be separated by semicolons.

EnableSAML

If set to true, SAML-based authentication is configured for the application. If enabled, additional SAML-related parameters become required.

SAMLReplyURL

The reply URL for SAML-based authentication

SAMLSignOnURL

The sign-on URL for SAML authentication.

SAMLLogoutURL

The logout URL for SAML authentication.

SAMLIdentifier

The SAML identifier (Entity ID). If not specified, defaults to "urn:app:{AppId}".

SAMLRelayState

The SAML relay state parameter for maintaining application state during authentication.

SAMLExpiryNotificationEmail

Email address to receive notifications when the SAML token signing certificate is about to expire.

SAMLCertificateLifeYears

Lifetime of the SAML token signing certificate in years. Default is 3 years.

isApplicationVisible

Determines whether the application is visible in the My Apps portal. Default is true.

UserAssignmentRequired

Determines whether users must be assigned to the application before accessing it. When enabled, an EntraID group is created for user assignment. Default is false.

groupAssignmentPrefix

Prefix for the automatically created EntraID group when UserAssignmentRequired is enabled. Default is "col - Entra - users - ".

implicitGrantAccessTokens

Enable implicit grant flow for access tokens. Default is false.

implicitGrantIDTokens

Enable implicit grant flow for ID tokens. Default is false.

Back to Runbook Reference overview