Add Application Registration

Description

This script creates a new application registration in Azure Active Directory (Entra ID) with comprehensive configuration options.

The script validates input parameters, prevents duplicate application creation, and provides comprehensive logging throughout the process. For SAML applications, it automatically configures reply URLs, sign-on URLs, logout URLs, and certificate expiry notifications.

Location

Organization → Applications → Add Application Registration

Permissions

Application permissions

• Type: Microsoft Graph

  • Application.ReadWrite.OwnedBy

  • Organization.Read.All

  • Group.ReadWrite.All

RBAC roles

• Application Developer

Parameters

ApplicationName

The display name of the application registration to create.

RedirectURI

Used for UI selection only. Determines which redirect URI type to configure (None, Web, SAML, Public Client, or SPA).

signInAudience

Specifies who can use the application. Default is "AzureADMyOrg" (single tenant). Hidden in UI.

webRedirectURI

Redirect URI(s) for web applications. Supports multiple URIs separated by semicolons (e.g., "https://app1.com/auth;https://app2.com/auth").

spaRedirectURI

Redirect URI(s) for single-page applications (SPA). Supports multiple URIs separated by semicolons.

publicClientRedirectURI

Redirect URI(s) for public client/native applications (mobile & desktop). Supports multiple URIs separated by semicolons (e.g., "myapp://auth").

EnableSAML

Enable SAML-based authentication for the application. When enabled, SAML-specific parameters are required.

SAMLReplyURL

The reply URL for SAML authentication. Required when EnableSAML is true.

SAMLSignOnURL

The sign-on URL for SAML authentication.

SAMLLogoutURL

The logout URL for SAML authentication.

SAMLIdentifier

The SAML identifier (Entity ID). If not specified, defaults to "urn:app:{AppId}".

SAMLRelayState

The SAML relay state parameter for maintaining application state during authentication.

SAMLExpiryNotificationEmail

Email address to receive notifications when the SAML token signing certificate is about to expire.

SAMLCertificateLifeYears

Lifetime of the SAML token signing certificate in years. Default is 3 years.

isApplicationVisible

Determines whether the application is visible in the My Apps portal. Default is true.

UserAssignmentRequired

Determines whether users must be assigned to the application before accessing it. When enabled, an EntraID group is created for user assignment. Default is false.

groupAssignmentPrefix

Prefix for the automatically created EntraID group when UserAssignmentRequired is enabled. Default is "col - Entra - users - ".

implicitGrantAccessTokens

Enable implicit grant flow for access tokens. Default is false.

implicitGrantIDTokens

Enable implicit grant flow for ID tokens. Default is false.

Back to Runbook Reference overview