Provide optional claims to your app - Microsoft Entra (2023)


You can use optional claims to:

  • Select claims to include in the tokens for your application.
  • Change the behavior of certain claims that the Microsoft identity platform returns in tokens.
  • Add and access custom claims for your application.

For lists of standard claims, see the access token and ID token claims documentation.

While optional claims are supported in both v1.0 and v2.0 format tokens and in SAML tokens, they provide most of their value in the v1.0 to v2.0 transition. The Microsoft identity platform keeps token sizes small to ensure optimal client performance. As a result, several claims that were previously included in access and ID tokens are no longer present in v2.0 tokens and must be requested specifically by the application.

Account type | v1.0 token | v2.0 token
Personal Microsoft account | N/A | Supported
Azure AD account | Supported | Supported

v1.0 and v2.0 optional claims set

The optional claims available by default for applications are listed in the table below. You can use custom data in extension attributes and directory extensions to add optional claims to your application. If you add claims to the access token, the claims apply to access tokens requested for the application (a web API), not to claims requested by the application. Regardless of how the client accesses your API, the correct data is present in the access token used to authenticate against your API.

Note

Most of these claims can be included in JWTs for v1.0 and v2.0 tokens, but not in SAML tokens, except where noted in the Token type column. Consumer accounts support a subset of these claims, marked in the User type column. Many of the listed claims don't apply to consumer users (they have no tenant, so tenant_ctry has no value).

The following table shows the v1.0 and v2.0 optional claims set.

Name | Description | Token type | User type | Notes
acct | User's account status in the tenant | JWT, SAML | | If the user is a member of the tenant, the value is 0. If the user is a guest, the value is 1.
auth_time | Time when the user last authenticated. | JWT | |
ctry | User's country/region | JWT | | This claim is returned if it's present and the value of the field is a standard two-letter country/region code, such as FR, JP, SZ, and so on.
email | The reported email address for this user | JWT, SAML | MSA, Azure AD | This value is included if the user is a guest in the tenant. For managed users (the users inside the tenant), it must be requested through this optional claim or, on v2.0 only, with the OpenID scope. This value isn't guaranteed to be correct and is mutable over time. Never use it for authorization or to save data for a user. For more information, see Secure applications and APIs by validating claims. If you require an addressable email address in your app, request this data from the user directly by using this claim as a suggestion or prefill in your UX.
fwd | IP address | JWT | | Adds the original IPv4 address of the requesting client (when inside a VNET).
groups | Optional formatting for group claims | JWT, SAML | | The groups claim is used with the GroupMembershipClaims setting in the application manifest, which must also be set.
idtyp | Token type | JWT access tokens | Special: only in app-only access tokens | The value is app when the token is an app-only token. This claim is the most accurate way for an API to determine whether a token is an app token or an app+user token.
login_hint | Login hint | JWT | MSA, Azure AD | An opaque, reliable login hint claim that's base64 encoded. Don't modify this value. This claim is the best value to use for the login_hint OAuth parameter in all flows to get SSO. It can be passed between applications to help them silently SSO as well - application A can sign in a user, read the login_hint claim, and then send the claim and the current tenant context to application B in the query string or fragment when the user selects a link that takes them to application B. To avoid race conditions and reliability issues, the login_hint claim doesn't include the current tenant for the user, and defaults to the user's home tenant when used. In a guest scenario where the user is from another tenant, a tenant identifier must be provided in the sign-in request, and passed on to the apps you partner with. This claim is intended for use with your SDK's existing login_hint functionality, however that is exposed.
sid | Session ID, used for per-session user sign-out | JWT | Personal and Azure AD accounts. |
tenant_ctry | Resource tenant's country/region | JWT | | Same as ctry except set at a tenant level by an admin. Must also be a standard two-letter value.
tenant_region_scope | Region of the resource tenant | JWT | |
upn | UserPrincipalName | JWT, SAML | | An identifier for the user that can be used with the username_hint parameter. Not a durable identifier for the user and shouldn't be used for authorization or to uniquely identify user information (for example, as a database key). Instead, use the user object ID (oid) as a database key. For more information, see Secure applications and APIs by validating claims. Users signing in with an alternate login ID shouldn't be shown their User Principal Name (UPN). Instead, use the following ID token claims for displaying sign-in state to the user: preferred_username or unique_name for v1 tokens and preferred_username for v2 tokens. Although this claim is automatically included, you can specify it as an optional claim to attach other properties to modify its behavior in the guest user case. You should use the login_hint claim for login_hint use - human-readable identifiers like UPN are unreliable.
verified_primary_email | Sourced from the user's PrimaryAuthoritativeEmail | JWT | |
verified_secondary_email | Sourced from the user's SecondaryAuthoritativeEmail | JWT | |
vnet | VNET specifier information. | JWT | |
xms_cc | Client capabilities | JWT | Azure AD | Indicates whether the client application that acquired the token is capable of handling claims challenges. Service applications (resource servers) can use this claim to authorize access to protected resources. This claim is commonly used in Conditional Access and Continuous Access Evaluation scenarios. The service application that issues the token controls the presence of the claim in it. This optional claim should be configured as part of the service app's registration. For more information, see Claims challenges, claims requests and client capabilities.
xms_pdl | Preferred data location | JWT | | For Multi-Geo tenants, the preferred data location is the three-letter code that identifies the geographic region the user is in. For more information, see the Azure AD Connect documentation about preferred data location.
xms_pl | User preferred language | JWT | | The user's preferred language, if set. Sourced from their home tenant in guest access scenarios. Formatted LL-CC ("en-us").
xms_tpl | Tenant preferred language | JWT | | The resource tenant's preferred language, if set. Formatted LL ("en").
ztdid | Zero-touch Deployment ID | JWT | | The device identity used for Windows AutoPilot.

Warning

Never use the email or upn claim values to store or determine whether the user in an access token should have access to data. Mutable claim values like these can change over time, making them insecure and unreliable for authorization.

v2.0-specific optional claims set

These claims are always included in v1.0 tokens, but not included in v2.0 tokens unless requested. These claims only apply to JWTs (ID tokens and access tokens).


JWT claim | Name | Description | Notes
ipaddr | IP address | The IP address the client signed in from. |
onprem_sid | On-premises security identifier | |
pwd_exp | Password expiration time | The number of seconds after the time in the iat claim at which the password expires. This claim only applies when the password is expiring soon (as defined by "notification days" in the password policy). |
pwd_url | Change password URL | A URL that the user can visit to change their password. This claim only applies when the password is expiring soon (as defined by "notification days" in the password policy). |
in_corp | Inside corporate network | Signals whether the client is signing in from the corporate network. If not, the claim isn't included. | Based on the trusted IPs settings in MFA.
family_name | Last name | Provides the last name, surname, or family name of the user as defined in the user object. For example, "family_name": "Miller". | Supported in MSA and Azure AD. Requires the profile scope.
given_name | First name | Provides the first or "given" name of the user, as set on the user object. For example, "given_name": "Frank". | Supported in MSA and Azure AD. Requires the profile scope.
upn | User Principal Name | An identifier for the user that can be used with the username_hint parameter. Not a durable identifier for the user and shouldn't be used for authorization or to uniquely identify user information (for example, as a database key). For more information, see Secure applications and APIs by validating claims. Instead, use the user object ID (oid) as a database key. Users signing in with an alternate login ID shouldn't be shown their User Principal Name (UPN). Instead, use the preferred_username claim for displaying sign-in state to the user. | Requires the profile scope.

v1.0-specific optional claims set

Some of the improvements of the v2 token format are available to apps that use the v1 token format, as they help improve security and reliability. These improvements only apply to JWTs, not SAML tokens.

JWT claim | Name | Description | Notes
aud | Audience | Always present in JWTs, but in v1 access tokens it can be emitted in a variety of ways - any appID URI, with or without a trailing slash, as well as the client ID of the resource. This randomization can be hard to code against when performing token validation. Use the additionalProperties for this claim to ensure it's always set to the resource's client ID in v1 access tokens. | v1 JWT access tokens only
preferred_username | Preferred username | Provides the preferred username claim within v1 tokens. This claim makes it easier for apps to provide username hints and show human-readable display names, regardless of their token type. It's recommended that you use this optional claim instead of, for example, upn or unique_name. | v1 ID tokens and access tokens

additionalProperties of optional claims

Some optional claims can be configured to change the way the claim is returned. These additionalProperties are mostly used to help migration of on-premises applications with different data expectations. For example, include_externally_authenticated_upn_without_hash helps with clients that can't handle hash marks (#) in the UPN.

Property name | Additional property name | Description
upn | | Can be used for both SAML and JWT responses, and for v1.0 and v2.0 tokens.
 | include_externally_authenticated_upn | Includes the guest UPN as stored in the resource tenant. For example, foo_hometenant.com#EXT#@resourcetenant.com.
 | include_externally_authenticated_upn_without_hash | Same as listed previously, except that the hash marks (#) are replaced with underscores (_), for example, foo_hometenant.com_EXT_@resourcetenant.com.
aud | | In v1 access tokens, this claim is used to change the format of the aud claim. This claim has no effect in v2 tokens or the ID tokens of either version, where the aud claim is always the client ID. Use this configuration to ensure that your API can more easily perform audience validation. Like all optional claims that affect the access token, the resource in the request must set this optional claim, because resources own the access token.
 | use_guid | Always emits the client ID of the resource (API) in GUID format as the aud claim instead of it being runtime dependent. For example, if a resource sets this flag and its client ID is bb0a297b-6a42-4a55-ac40-09a501456577, any app that requests an access token for that resource receives an access token with aud: bb0a297b-6a42-4a55-ac40-09a501456577. Without this claim set, an API could get tokens with an aud claim of api://MyApi.com, api://MyApi.com/, api://myapi.com/AdditionalRegisteredField or any other value set as an app ID URI for that API, as well as the client ID of the resource.
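The aud, idtyp, email and upn guidance above, worked through as an added example (not Microsoft's code): the checks a resource API applies to an already signature-verified v1.0 access-token payload. The client ID and App ID URIs are the page's own example values; the token payloads and tenant/object IDs are constructed.

```python
from __future__ import annotations

# The page's example resource client ID and App ID URIs.
RESOURCE_CLIENT_ID = "bb0a297b-6a42-4a55-ac40-09a501456577"
APP_ID_URIS = {"api://MyApi.com", "api://myapi.com/AdditionalRegisteredField"}


def accepted_audiences(client_id: str, app_id_uris: set[str], use_guid: bool) -> set[str]:
    """Return the `aud` values a v1 access token for this API can legitimately carry.

    With the use_guid additional property configured on the resource, the token always
    carries the client ID, so the set collapses to one value. Without it, any App ID URI
    (with or without a trailing slash) or the client ID may appear.
    """
    if use_guid:
        return {client_id}
    variants = {client_id}
    for uri in app_id_uris:
        base = uri.rstrip("/")
        variants.update({base, base + "/"})
    return variants


def audience_ok(claims: dict, client_id: str, app_id_uris: set[str], use_guid: bool) -> bool:
    """Audience check over a decoded payload whose signature was verified upstream."""
    aud = claims.get("aud")
    present = set(aud) if isinstance(aud, list) else {aud}
    return bool(present & accepted_audiences(client_id, app_id_uris, use_guid))


def is_app_only(claims: dict) -> bool:
    """Assumes the API registration requested the idtyp optional claim: its value is
    'app' for app-only tokens; anything else (including absent) is an app+user token."""
    return claims.get("idtyp") == "app"


def authorization_key(claims: dict) -> tuple[str, str]:
    """The pair to key authorization decisions and stored data on: (tid, oid).

    email and upn are mutable and not guaranteed correct, so they are never consulted
    here; the object ID is stable across renames and domain changes.
    """
    return claims["tid"], claims["oid"]


def display_name(claims: dict) -> str | None:
    """Human-readable name for the UI only, never for authorization:
    preferred_username on v2 tokens; preferred_username or unique_name on v1 tokens."""
    if claims.get("ver") == "2.0":
        return claims.get("preferred_username")
    return claims.get("preferred_username") or claims.get("unique_name")


# Constructed, decoded v1.0 access-token payloads (not real tokens).
USER_TOKEN = {
    "aud": "api://MyApi.com/",  # one of the trailing-slash variants use_guid removes
    "ver": "1.0",
    "tid": "11111111-1111-1111-1111-111111111111",
    "oid": "22222222-2222-2222-2222-222222222222",
    "upn": "alice_contoso.com#EXT#@fabrikam.onmicrosoft.com",
    "unique_name": "alice_contoso.com#EXT#@fabrikam.onmicrosoft.com",
    "email": "alice@contoso.com",
}
APP_TOKEN = {
    "aud": RESOURCE_CLIENT_ID,
    "ver": "1.0",
    "idtyp": "app",
    "tid": "11111111-1111-1111-1111-111111111111",
    "oid": "33333333-3333-3333-3333-333333333333",
}

if __name__ == "__main__":
    for name, tok in (("user", USER_TOKEN), ("app", APP_TOKEN)):
        print(name, "aud ok without use_guid:", audience_ok(tok, RESOURCE_CLIENT_ID, APP_ID_URIS, False),
              "| app-only:", is_app_only(tok))
```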

additionalProperties example

"optionalClaims": {
    "idToken": [
        {
            "name": "upn",
            "essential": false,
            "additionalProperties": [
                "include_externally_authenticated_upn"
            ]
        }
    ]
}

This optionalClaims object causes the ID token returned to the client to include a upn claim with the additional home tenant and resource tenant information. The upn claim is only changed in the token if the user is a guest in the tenant (and uses a different IDP for authentication).

Configure optional claims

Important

Access tokens are always generated using the manifest of the resource, not the client. In the request ...scope=https://graph.microsoft.com/user.read..., the resource is the Microsoft Graph API. The access token is created using the Microsoft Graph API manifest, not the client's manifest. Changing the manifest for your application never changes what tokens for the Microsoft Graph API look like. To confirm that your accessToken changes are in effect, request a token for your application, not another app.

You can configure optional claims for your application through the Azure portal or the application manifest.

  1. Go to the Azure portal.
  2. Search for and select Azure Active Directory.
  3. Under Manage, select App registrations.
  4. Select the application you want to configure optional claims for based on your scenario and desired outcome.
  5. Under Manage, select Token configuration.
    • The Token configuration blade isn't available for apps registered in an Azure AD B2C tenant. It can be configured by modifying the application manifest. For more information, see Add claims and customize user input using custom policies in Azure Active Directory B2C.

Configure claims using the manifest:

  1. Select Add optional claim.

  2. Select the token type you want to configure.

  3. Select the optional claims to add.

  4. Select Add.

  5. Under Manage, select Manifest. A web-based manifest editor opens, allowing you to edit the manifest. Optionally, you can select Download and edit the manifest locally, and then use Upload to reapply it to your application.

    The following application manifest entry adds the auth_time, ipaddr, and upn optional claims to ID, access, and SAML tokens.

    "optionalClaims": {
        "idToken": [
            { "name": "auth_time", "essential": false }
        ],
        "accessToken": [
            { "name": "ipaddr", "essential": false }
        ],
        "saml2Token": [
            { "name": "upn", "essential": false },
            { "name": "extension_ab603c56068041afb2f6832e2a17e237_skypeId", "source": "user", "essential": false }
        ]
    }
  6. When you're finished, select Save. The specified optional claims are now included in the tokens for your application.

The optionalClaims object declares the optional claims requested by an application. An application can configure optional claims that are returned in ID tokens, access tokens, and SAML 2 tokens. The application can configure a different set of optional claims to be returned in each token type.

Name | Type | Description
idToken | Collection | The optional claims returned in the JWT ID token.
accessToken | Collection | The optional claims returned in the JWT access token.
saml2Token | Collection | The optional claims returned in the SAML token.

If supported by a specific claim, you can also modify the behavior of the optional claim using the additionalProperties field.

Name | Type | Description
name | Edm.String | The name of the optional claim.
source | Edm.String | The source (directory object) of the claim. There are predefined claims and user-defined claims from extension properties. If the source value is null, the claim is a predefined optional claim. If the source value is user, the value in the name property is the extension property from the user object.
essential | Edm.Boolean | If the value is true, the claim specified by the client is necessary to ensure a smooth authorization experience for the specific task requested by the end user. The default value is false.
additionalProperties | Collection (Edm.String) | Additional properties of the claim. If a property exists in this collection, it modifies the behavior of the optional claim specified in the name property.

Configure directory extension optional claims

In addition to the standard optional claims set, you can also configure tokens to include Microsoft Graph extensions. For more information, see Add custom data to resources using extensions.

Optional claims support extension attributes and directory extensions. This feature is useful for attaching more user information that your app can use, for example other identifiers or important configuration options that the user has set. If your application manifest requests a custom extension and an MSA user signs in to your app, those extensions aren't returned.

Directory extension formatting

When configuring directory extension optional claims using the application manifest, use the full name of the extension (in the format: extension_<appid>_<attributename>). The <appid> is the stripped version of the appId (or clientId) of the application requesting the claim.

Within the JWT, these claims are emitted with the following name format: extn.<attributename>. Within the SAML tokens, these claims are emitted with the following URI format: http://schemas.microsoft.com/identity/claims/extn.<attributename>.

Configure groups optional claims

This section covers the configuration options under optional claims for changing the group attributes used in group claims from the default group objectID to attributes synced from on-premises Windows Active Directory. You can configure groups optional claims for your application through the Azure portal or the application manifest. Group optional claims are only emitted in the JWT for user principals. Service principals aren't included in group optional claims emitted in the JWT.

Important

The number of groups emitted in a token is limited to 150 for SAML assertions and 200 for JWT, including nested groups. For more information about group limits and important caveats for group claims from on-premises attributes, see Configure group claims for applications using Azure AD.

To configure groups optional claims through the Azure portal, complete the following steps:

  1. Sign in to the Azure portal.
  2. After you've authenticated, choose your tenant by selecting it from the top-right corner of the page.
  3. Search for and select Azure Active Directory.
  4. Under Manage, select App registrations.
  5. From the list, select the application you want to configure optional claims for.
  6. Under Manage, select Token configuration.
  7. Select Add groups claim.
  8. Select the group types to return (Security groups, or Directory roles, All groups, and/or Groups assigned to the application):
    • The Groups assigned to the application option includes only groups assigned to the application. The Groups assigned to the application option is recommended for large organizations because of the group number limit in the token. To change the groups assigned to the application, select the application from the Enterprise applications list. Select Users and groups and then Add user/group. Select the group(s) you want to add to the application from Users and groups.
    • The All groups option includes SecurityGroup, DirectoryRole, and DistributionList, but not Groups assigned to the application.
  9. Optional: select the specific token type properties to modify the groups claim value to contain on-premises group attributes or to change the claim type to a role.
  10. Select Save.

To configure groups optional claims through the application manifest, complete the following steps:

  1. Sign in to the Azure portal.

  2. After you've authenticated, choose your Azure AD tenant by selecting it from the top-right corner of the page.

  3. Search for and select Azure Active Directory.

  4. From the list, select the application you want to configure optional claims for.

  5. Under Manage, select Manifest.

  6. Add the following entry using the manifest editor:

    The valid values are:

    • "All" (this option includes SecurityGroup, DirectoryRole, and DistributionList)
    • "SecurityGroup"
    • "DirectoryRole"
    • "ApplicationGroup" (this option includes only groups that are assigned to the application)

    For example:

    "groupMembershipClaims": "SecurityGroup"

    By default, group objectIDs are emitted in the group claim value. To modify the claim value to contain on-premises group attributes, or to change the claim type to role, use the optionalClaims configuration as follows:

  7. Set group name configuration optional claims.

    If you want groups in the token to contain the on-premises group attributes in the optional claims section, specify which token type the optional claim should be applied to. You also specify the name of the optional claim requested and any other properties desired.

    Multiple token types can be listed:

    • idToken for the OIDC ID token
    • accessToken for the OAuth access token
    • Saml2Token for SAML tokens.

    The Saml2Token type applies to both SAML1.1 and SAML2.0 format tokens.

    For each relevant token type, modify the groups claim to use the optionalClaims section in the manifest. The optionalClaims schema is as follows:

    {
        "name": "groups",
        "source": null,
        "essential": false,
        "additionalProperties": []
    }

    Optional claims schema | Value
    name | Must be groups
    source | Not used. Omit or specify null.
    essential | Not used. Omit or specify false.
    additionalProperties | List of additional properties. Valid options are sam_account_name, dns_domain_and_sam_account_name, netbios_domain_and_sam_account_name, emit_as_roles and cloud_displayname.

    In additionalProperties only one of sam_account_name, dns_domain_and_sam_account_name, netbios_domain_and_sam_account_name is required. If more than one is present, the first is used and any others are ignored. You can also add cloud_displayname to emit the display name of the cloud group. This option works only when groupMembershipClaims is set to ApplicationGroup.

    Some applications require group information about the user in the role claim. To change the claim type from a group claim to a role claim, add emit_as_roles to additionalProperties. The group values are emitted in the role claim.

    If emit_as_roles is used, any configured application roles that the user is assigned to won't appear in the role claim.

The following examples show the manifest configuration for group claims:

Emit groups as group names in OAuth access tokens in dnsDomainName\sAMAccountName format.

"optionalClaims": {
    "accessToken": [
        {
            "name": "groups",
            "additionalProperties": [ "dns_domain_and_sam_account_name" ]
        }
    ]
}

Emit group names in netbiosDomain\sAMAccountName format as the roles claim in SAML and OIDC ID tokens.

"optionalClaims": {
    "saml2Token": [
        {
            "name": "groups",
            "additionalProperties": [ "netbios_domain_and_sam_account_name", "emit_as_roles" ]
        }
    ],
    "idToken": [
        {
            "name": "groups",
            "additionalProperties": [ "netbios_domain_and_sam_account_name", "emit_as_roles" ]
        }
    ]
}

Emit group names in sam_account_name format for on-premises synced groups and cloud_displayname for cloud groups in SAML and OIDC ID tokens, for the groups assigned to the application.

"groupMembershipClaims": "ApplicationGroup",
"optionalClaims": {
    "saml2Token": [
        {
            "name": "groups",
            "additionalProperties": [ "sam_account_name", "cloud_displayname" ]
        }
    ],
    "idToken": [
        {
            "name": "groups",
            "additionalProperties": [ "sam_account_name", "cloud_displayname" ]
        }
    ]
}
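An added example (not Microsoft's tooling) that encodes the groups-claim rules above as a lint over a manifest fragment: a single name format, cloud_displayname only with ApplicationGroup, emit_as_roles replacing app roles, and source/essential unused. Both manifest fragments are constructed; counting "None" among the valid groupMembershipClaims values is an assumption beyond the page's list.

```python
import json

# Values the page lists for the groups claim's additionalProperties.
NAME_FORMATS = ("sam_account_name", "dns_domain_and_sam_account_name", "netbios_domain_and_sam_account_name")
GROUP_PROPERTIES = set(NAME_FORMATS) | {"emit_as_roles", "cloud_displayname"}
TOKEN_TYPES = ("idToken", "accessToken", "saml2Token")
# groupMembershipClaims values from the page, plus "None" (assumption: the unset default).
MEMBERSHIP_VALUES = {"None", "All", "SecurityGroup", "DirectoryRole", "ApplicationGroup"}


def lint_group_claims(manifest: dict) -> list:
    """Return a list of findings for the groups optional claim; empty means clean."""
    findings = []
    membership = manifest.get("groupMembershipClaims")
    if membership is None:
        findings.append("groupMembershipClaims is not set; a groups optional claim has no effect without it")
    elif membership not in MEMBERSHIP_VALUES:
        findings.append(f"groupMembershipClaims has unknown value {membership!r}")
    optional = manifest.get("optionalClaims") or {}
    for token_type in TOKEN_TYPES:
        for claim in optional.get(token_type, []):
            if claim.get("name") != "groups":
                continue
            where = f"{token_type}/groups"
            if claim.get("source") is not None:
                findings.append(f"{where}: source is not used for groups; omit it or set it to null")
            if claim.get("essential"):
                findings.append(f"{where}: essential is not used for groups; omit it or set it to false")
            props = claim.get("additionalProperties", [])
            for prop in props:
                if prop not in GROUP_PROPERTIES:
                    findings.append(f"{where}: unknown additional property {prop!r}")
            # Only the first name format takes effect; the rest are silently ignored.
            chosen = [p for p in props if p in NAME_FORMATS]
            if len(chosen) > 1:
                findings.append(f"{where}: only the first name format ({chosen[0]}) is used; "
                                f"{', '.join(chosen[1:])} ignored")
            if "cloud_displayname" in props and membership != "ApplicationGroup":
                findings.append(f"{where}: cloud_displayname only works when groupMembershipClaims is ApplicationGroup")
            if "emit_as_roles" in props:
                findings.append(f"{where}: emit_as_roles puts groups in the roles claim; "
                                "app roles assigned to the user will not be emitted there")
    return findings


def lint_manifest_text(text: str) -> list:
    """Lint a manifest fragment given as JSON text."""
    return lint_group_claims(json.loads(text))


# Constructed fragment mirroring the page's third example: expected to be clean.
GOOD_MANIFEST = """{
  "groupMembershipClaims": "ApplicationGroup",
  "optionalClaims": {
    "saml2Token": [{"name": "groups", "additionalProperties": ["sam_account_name", "cloud_displayname"]}],
    "idToken": [{"name": "groups", "additionalProperties": ["sam_account_name", "cloud_displayname"]}]
  }
}"""

# Constructed misconfiguration: essential set, two name formats, cloud_displayname
# without ApplicationGroup, and emit_as_roles (four findings).
BAD_MANIFEST = """{
  "groupMembershipClaims": "SecurityGroup",
  "optionalClaims": {
    "accessToken": [{"name": "groups", "essential": true,
                     "additionalProperties": ["dns_domain_and_sam_account_name", "sam_account_name",
                                              "cloud_displayname", "emit_as_roles"]}]
  }
}"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_MANIFEST), ("bad", BAD_MANIFEST)):
        print(label, lint_manifest_text(text))
```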

Optional claims example

There are multiple options for updating the properties of an application's identity configuration to enable and configure optional claims:

  • You can use the Azure portal.
  • You can use the manifest.
  • It's also possible to write an application that uses the Microsoft Graph API to update your application. The OptionalClaims type in the Microsoft Graph API reference guide can help you configure the optional claims.

The following example uses the Azure portal and the manifest to add optional claims to the access, ID, and SAML tokens intended for your application. Different optional claims are added to each type of token that the application can receive:

  • The ID tokens contain the UPN for federated users in the full form (<upn>_<homedomain>#EXT#@<resourcedomain>).
  • The access tokens that other clients request for this application include the auth_time claim.
  • The SAML tokens include the skypeId directory schema extension (in this example, the app ID for this app is ab603c56068041afb2f6832e2a17e237). The SAML token exposes the Skype ID as extension_ab603c56068041afb2f6832e2a17e237_skypeId.

Configure claims in the Azure portal:

  1. Sign in to the Azure portal.
  2. After you've authenticated, choose your tenant by selecting it from the top-right corner of the page.
  3. Search for and select Azure Active Directory.
  4. Under Manage, select App registrations.
  5. From the list, find and select the application you want to configure optional claims for.
  6. Under Manage, select Token configuration.
  7. Select Add optional claim, select the ID token type, select upn from the list of claims, and then select Add.
  8. Select Add optional claim, select the Access token type, select auth_time from the list of claims, and then select Add.
  9. From the Token configuration overview screen, select the pencil icon next to upn, select the Externally authenticated toggle, and then select Save.
  10. Select Add optional claim, select the SAML token type, select extn.skypeID from the list of claims (only applicable if you've created an Azure AD user object called skypeID), and then select Add.

Configure claims in the manifest:

  1. Sign in to the Azure portal.

  2. After you've authenticated, choose your tenant by selecting it from the top-right corner of the page.

  3. Search for and select Azure Active Directory.

  4. From the list, find and select the application you want to configure optional claims for.

  5. Under Manage, select Manifest to open the inline manifest editor.

  6. You can use this editor to directly edit the manifest. The manifest follows the schema for the Application entity, and automatically formats the manifest once saved. New elements are added to the optionalClaims property.

    "optionalClaims": {
        "idToken": [
            {
                "name": "upn",
                "essential": false,
                "additionalProperties": [ "include_externally_authenticated_upn" ]
            }
        ],
        "accessToken": [
            { "name": "auth_time", "essential": false }
        ],
        "saml2Token": [
            { "name": "extension_ab603c56068041afb2f6832e2a17e237_skypeId", "source": "user", "essential": true }
        ]
    }
  7. When you're finished updating the manifest, select Save to save the manifest.

See also

  • Application manifest
  • ID tokens
  • Access tokens

Next steps

  • Learn more about tokens and claims in the Microsoft identity platform.

FAQs

How do I set up Microsoft Entra? ›

Set up Microsoft Entra Verified ID on your Azure AD tenant. Gather credentials and environment details to set up your sample application, and update the sample application with your verified credential expert card details. Run the sample application and initiate a verifiable credential issuance process.

How to configure required Azure AD graph permissions for an app registration? ›

This article describes the following four methods for configuring required Azure AD Graph permissions for your app registration:
  1. Use the Azure portal to find the APIs your organization uses.
  2. Update the application manifest on the Azure portal.
  3. Use the Microsoft Graph API.
  4. Use the Microsoft Graph PowerShell SDK.
Mar 1, 2023

What is the difference between enterprise application and app registration? ›

In some cases, people even use both terms interchangeably. But, App registration is simply the actual application object where you configure application settings. Whereas Enterprise Application is a representation of the application within a directory.

How do I restrict access to specific users in Azure Web app? ›

Assign the app to users and groups to restrict access

Under Manage, select the Users and groups then select Add user/group. Select the Users selector. A list of users and security groups are shown along with a textbox to search and locate a certain user or group.

What is Microsoft Entra? ›

Microsoft Entra is the vision for identity and access that expands beyond identity and access management with new product categories such as cloud infrastructure entitlement management (CIEM) and decentralized identity.

How to configure Microsoft Identity Platform? ›

Configure platform settings
  1. In the Azure portal, in App registrations, select your application.
  2. Under Manage, select Authentication.
  3. Under Platform configurations, select Add a platform.
  4. Select Configure to complete the platform configuration.
Nov 13, 2022

How do I add permissions to Azure AD Enterprise Application? ›

To review application permissions:
  1. Sign in to the Azure portal using one of the roles listed in the prerequisites section.
  2. Select Azure Active Directory, and then select Enterprise applications.
  3. Select the application that you want to restrict access to.
  4. Select Permissions.
Mar 28, 2023

How do I assign permissions to an application in Azure? ›

Assign app roles to applications
  1. Sign in to the Azure portal.
  2. In Azure Active Directory, select App registrations in the left-hand navigation menu.
  3. Select All applications to view a list of all your applications. ...
  4. Select the application to which you want to assign an app role.
  5. Select API permissions > Add a permission.
May 15, 2023

How do I enable Azure app Configuration? ›

Configure general settings. In the Azure portal, search for and select App Services, and then select your app. In the app's left menu, select Configuration > General settings. Here, you can configure some common settings for the app.

What are the 4 major applications for enterprise applications? ›

There are four major enterprise applications:
  • Enterprise systems.
  • Supply chain management systems.
  • Customer relationship management systems.
  • Knowledge management systems.

What are the three types of enterprise application? ›

Major types of enterprise software. Currently, there are distinguished three main types of enterprise systems: customer relationships management (CRM), enterprise resource planning (ERP), and supply chain management (SCM).

What makes an app enterprise application? ›

An enterprise application (EA) is a large software system platform typically designed to operate in a corporate environment such as business or government. Enterprise application software integrates computer systems that run all phases of a company's operations.

How does Azure prevent unauthorized access to customer applications and data? ›

Azure Storage service encryption ensures that data is automatically encrypted before persisting it to Azure Storage and decrypted before retrieval. All data written to Azure Storage is encrypted through FIPS 140 validated 256-bit AES encryption and you can use Key Vault for customer-managed keys (CMK).

What are the app registration restrictions in Azure? ›

A maximum of 1,200 entries can be added to the application manifest. See additional limits in Validation differences by supported account types. A non-admin user can create a maximum of 250 groups in an Azure AD organization.

How to restrict user access to one app in Windows 10 account feature? ›

In Windows 10, use the Privacy page to choose which apps can use a particular feature. Select Start > Settings > Privacy. Select the app (for example, Calendar) and choose which app permissions are on or off.

How does Entra work?

Entra Verified ID Service.

An issuance and verification service in Azure and a REST API for W3C Verifiable Credentials that are signed with the did:web or the did:ion method. They enable identity owners to generate, present, and verify claims. This forms the basis of trust between users of the systems.

Is Microsoft Entra free?

Microsoft Entra Workload Identities is now available in two editions: Free and Workload Identities Premium. The free edition of workload identities is included with a subscription of a commercial online service such as Azure and Power Platform.

Is Entra replacing Azure?

I guess we all knew it was coming (after all, Microsoft published message center notification MC477013 in December 2022), but the news that the Microsoft Entra admin center (Figure 1) will replace the Azure AD admin center from April 1, 2023 is yet another example of the ongoing and constant changes in Microsoft 365.

What are the user permissions in the Microsoft identity platform?

Permissions in the Microsoft identity platform can be set to admin restricted. For example, many higher-privilege Microsoft Graph permissions require admin approval. If your app requires admin-restricted permissions, an organization's administrator must consent to those scopes on behalf of the organization's users.

How do I enable identity-based access?

You can enable identity-based authentication on your new and existing storage accounts using one of three AD sources: AD DS, Azure AD DS, or Azure AD Kerberos (hybrid identities only). Only one AD source can be used for file access authentication on the storage account, which applies to all file shares in the account.

How to configure managed identity in Azure?

Enable system-assigned managed identity on an existing VM
  1. Sign in to the Azure portal using an account associated with the Azure subscription that contains the VM.
  2. Navigate to the desired Virtual Machine and select Identity.
  3. Under System assigned, Status, select On and then click Save.

How do I approve app permissions in Azure?

Approve or deny request
  1. Click the View link to open the Access request pane.
  2. Click Details to see details about the access request. ...
  3. Click Approve or Deny.
  4. If necessary, enter a reason.
  5. Click Submit to submit your decision.

How do I manage permissions in Azure?

Actions
  1. Go to Resource groups.
  2. Select a resource group.
  3. Select Access control (IAM).
  4. Select + Add > Add role assignment.
  5. Select a role, and then assign access to a user, group, or service principal.

What is an example of an enterprise application?

Examples of enterprise application systems include CRM, ERP, accounting, project management tools, SCM, and HRM systems.

How do I change application permissions?

Change app permissions
  1. On your phone, open the Settings app.
  2. Tap Apps.
  3. Tap the app you want to change. If you can't find it, tap See all apps. ...
  4. Tap Permissions. If you allowed or denied any permissions for the app, you'll find them here.
  5. To change a permission setting, tap it, then choose Allow or Don't allow.

How do I assign special permissions?

Setting Permissions
  1. Access the Properties dialog box.
  2. Select the Security tab. ...
  3. Click Edit.
  4. In the Group or user name section, select the user(s) you wish to set permissions for.
  5. In the Permissions section, use the checkboxes to select the appropriate permission level.
  6. Click Apply.
  7. Click Okay.

How to provide administrator permission for a particular application?

Always run an app in administrator mode
  1. Find the app you want on the desktop or using File Explorer. ...
  2. Right-click the app and choose Properties in the context menu.
  3. In the Properties window, switch to the Compatibility tab at the top.
  4. Here, toggle the option that says Run this program as an administrator.

What is App Configuration in Azure?

Azure App Configuration provides a service to centrally manage application settings and feature flags. Modern programs, especially programs running in a cloud, generally have many components that are distributed in nature.

How do I use application settings in Azure Functions?

To find the application settings, see Get started in the Azure portal. The Application settings tab maintains settings that are used by your function app. You must select Show values to see the values in the portal. To add a setting in the portal, select New application setting and add the new key-value pair.

How do I authorize my Azure app?

In the Azure portal menu, select Resource groups, or search for and select Resource groups from any page. In Resource groups, find and select your resource group. In Overview, select your app's management page. On your app's left menu, select Authentication, and then click Add identity provider.

What is an enterprise application in Azure?

An enterprise application is the application identity within your directory (Azure AD). The service principal (enterprise app) can only be assigned access within the directory in which it exists, and acts as an instance of the application.

What are the 4 types of enterprise?

Types of Enterprise
  • Sole Proprietorship.
  • Partnership.
  • Private Limited Companies (Ltd.)
  • Public Limited Companies (PLC)

What is the difference between an enterprise application and ERP?

Usually, ERP comes with databases and a particular architecture, whereas ES has no architecture. Enterprise systems leverage the data that is already available across the company. In most cases, ERP applications need to be customized, whereas ES doesn't need any changes.

What is the Microsoft Entra admin center?

Microsoft Entra admin center gives customers an entire toolset to secure access for everyone and everything in multicloud and multiplatform environments.

How to activate Microsoft Office that is pre-installed on a new computer?

If you bought a new Microsoft 365 product key card, or you received a product key when you bought Microsoft 365 through an online store, go to Office.com/setup or Microsoft365.com/setup and follow the on-screen prompts. This is a one-time process that adds your new product to your Microsoft account.

How do I activate my Microsoft license?

If you don't yet have a Microsoft account, see How to create a new Microsoft account. Once you confirm that you're an administrator and using your Microsoft account, go back to the Activation page, select Add an account, enter your Microsoft account and password, and then select Sign in.


Author: Nicola Considine CPA

Last Updated: 25/10/2023