1# Azure CLI Commands for App Registration
2 
3This document provides a comprehensive reference for managing Microsoft Entra app registrations using Azure CLI.
4 
5## Prerequisites
6 
7```bash
8# Ensure Azure CLI is installed
9az version
10 
11# Login to Azure
12az login
13 
14# Set default subscription (optional)
15az account set --subscription "Your Subscription Name"
16```
17 
18## App Registration Management
19 
20### Create App Registration
21 
22**Basic app registration:**
23```bash
24az ad app create --display-name "MyApplication"
25```
26 
27**Web application with redirect URI:**
28```bash
29az ad app create \
30  --display-name "MyWebApp" \
31  --web-redirect-uris "https://myapp.com/callback" \
32  --sign-in-audience "AzureADMyOrg"
33```
34 
35**Single Page Application (SPA):**
36```bash
37az ad app create \
38  --display-name "MySpaApp" \
39  --spa-redirect-uris "http://localhost:3000" \
40  --sign-in-audience "AzureADMyOrg"
41```
42 
43**Public client (Desktop/Mobile app):**
44```bash
45az ad app create \
46  --display-name "MyDesktopApp" \
47  --public-client-redirect-uris "http://localhost" \
48  --sign-in-audience "AzureADMyOrg"
49```
50 
51**Multi-tenant application:**
52```bash
53az ad app create \
54  --display-name "MyMultiTenantApp" \
55  --web-redirect-uris "https://myapp.com/callback" \
56  --sign-in-audience "AzureADMultipleOrgs"
57```
58 
59### Sign-in Audience Options
60 
61| Value | Description |
62|-------|-------------|
63| `AzureADMyOrg` | Single tenant (default) |
64| `AzureADMultipleOrgs` | Multi-tenant (any Azure AD) |
65| `AzureADandPersonalMicrosoftAccount` | Multi-tenant + personal Microsoft accounts |
66| `PersonalMicrosoftAccount` | Personal Microsoft accounts only |
67 
68## List and Query Apps
69 
70### List all app registrations
71 
72```bash
73az ad app list --output table
74```
75 
76### List apps with custom query
77 
78```bash
79# Filter by display name
80az ad app list --display-name "MyApp" --output table
81 
82# Get specific fields
83az ad app list --query "[].{Name:displayName, AppId:appId}" --output table
84```
85 
86### Get app details
87 
88```bash
89# By display name
90az ad app show --id $(az ad app list --display-name "MyApp" --query "[0].appId" -o tsv)
91 
92# By application ID
93az ad app show --id "YOUR_APPLICATION_ID"
94```
95 
96### Get Application (Client) ID
97 
98```bash
99APP_ID=$(az ad app list --display-name "MyApp" --query "[0].appId" -o tsv)
100echo "Application ID: $APP_ID"
101```
102 
103### Get Object ID
104 
105```bash
106OBJECT_ID=$(az ad app list --display-name "MyApp" --query "[0].id" -o tsv)
107echo "Object ID: $OBJECT_ID"
108```
109 
110## Update App Registration
111 
112### Add redirect URIs
113 
114**Web app:**
115```bash
116az ad app update --id $APP_ID \
117  --web-redirect-uris "https://myapp.com/callback" "https://myapp.com/auth"
118```
119 
120**SPA:**
121```bash
122az ad app update --id $APP_ID \
123  --spa-redirect-uris "http://localhost:3000" "http://localhost:5000"
124```
125 
126**Public client:**
127```bash
128az ad app update --id $APP_ID \
129  --public-client-redirect-uris "http://localhost" "myapp://auth"
130```
131 
132## Client Credentials (Secrets & Certificates)
133 
134### Create client secret
135 
136```bash
137# Create secret with default expiration
138az ad app credential reset --id $APP_ID
139 
140# Create secret with custom expiration
141az ad app credential reset --id $APP_ID --years 1
142 
143# Create secret with specific end date
144az ad app credential reset --id $APP_ID --end-date "2025-12-31"
145```
146 
147**Save the output:**
148```json
149{
150  "appId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
151  "password": "your-secret-value-SAVE-THIS",
152  "tenant": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
153}
154```
155 
156**⚠️ Important:** Resetting Client credential will delete all existing credentials.
157**⚠️ Important:** The secret value is only shown once. Store it securely (e.g., Azure Key Vault).
158 
159### List client credentials
160 
161```bash
162# List all credentials (secrets and certificates)
163az ad app credential list --id $APP_ID
164```
165 
166### Delete client secret
167 
168```bash
169# Get key ID from credential list
170az ad app credential list --id $APP_ID --query "[].{KeyId:keyId, Type:type}" -o table
171 
172# Delete specific credential
173az ad app credential delete --id $APP_ID --key-id "KEY_ID_HERE"
174```
175 
176### Upload certificate
177 
178```bash
179# Upload certificate from file
180az ad app credential reset --id $APP_ID --cert "@path/to/cert.pem"
181```
182 
183## API Permissions
184 
185### Add API permissions
186 
187**Microsoft Graph User.Read:**
188```bash
189GRAPH_RESOURCE_ID="00000003-0000-0000-c000-000000000000"  # Microsoft Graph
190USER_READ_ID="e1fe6dd8-ba31-4d61-89e7-88639da4683d"      # User.Read permission
191 
192az ad app permission add --id $APP_ID \
193  --api $GRAPH_RESOURCE_ID \
194  --api-permissions "$USER_READ_ID=Scope"
195```
196 
197**Microsoft Graph Mail.Read (delegated):**
198```bash
199MAIL_READ_ID="570282fd-fa5c-430d-a7fd-fc8dc98a9dca"      # Mail.Read permission
200 
201az ad app permission add --id $APP_ID \
202  --api $GRAPH_RESOURCE_ID \
203  --api-permissions "$MAIL_READ_ID=Scope"
204```
205 
206**Microsoft Graph User.Read.All (application):**
207```bash
208USER_READ_ALL_ID="df021288-bdef-4463-88db-98f22de89214"  # User.Read.All application permission
209 
210az ad app permission add --id $APP_ID \
211  --api $GRAPH_RESOURCE_ID \
212  --api-permissions "$USER_READ_ALL_ID=Role"
213```
214 
215**Note:** Use `Scope` for delegated permissions, `Role` for application permissions.
216 
217### Common Permission IDs
218 
219**Microsoft Graph (00000003-0000-0000-c000-000000000000):**
220 
221| Permission | ID | Type |
222|------------|-----|------|
223| User.Read | e1fe6dd8-ba31-4d61-89e7-88639da4683d | Delegated |
224| User.ReadWrite | b4e74841-8e56-480b-be8b-910348b18b4c | Delegated |
225| Mail.Read | 570282fd-fa5c-430d-a7fd-fc8dc98a9dca | Delegated |
226| Mail.Send | e383f46e-2787-4529-855e-0e479a3ffac0 | Delegated |
227| Calendars.Read | 465a38f9-76ea-45b9-9f34-9e8b0d4b0b42 | Delegated |
228| User.Read.All | df021288-bdef-4463-88db-98f22de89214 | Application |
229| Directory.Read.All | 7ab1d382-f21e-4acd-a863-ba3e13f7da61 | Application |
230 
231### Grant admin consent
232 
233```bash
234# Grant admin consent for all permissions
235az ad app permission admin-consent --id $APP_ID
236```
237 
238**Note:** Admin consent is required for application permissions and some delegated permissions.
239 
240### List permissions
241 
242```bash
243az ad app permission list --id $APP_ID
244```
245 
246### Delete permission
247 
248```bash
249# Remove specific permission
250az ad app permission delete --id $APP_ID \
251  --api $GRAPH_RESOURCE_ID \
252  --permission-id $USER_READ_ID
253```
254 
255## Service Principal Management
256 
257### Create service principal
258 
259```bash
260# Create service principal for the app
261az ad sp create --id $APP_ID
262```
263 
264### List service principals
265 
266```bash
267az ad sp list --display-name "MyApp"
268```
269 
270### Get service principal details
271 
272```bash
273az ad sp show --id $APP_ID
274```
275 
276### Delete service principal
277 
278```bash
279az ad sp delete --id $APP_ID
280```
281 
282## App Roles and Claims
283 
284### Get app roles
285 
286```bash
287az ad app show --id $APP_ID --query "appRoles"
288```
289 
290### Get optional claims
291 
292```bash
293az ad app show --id $APP_ID --query "optionalClaims"
294```
295 
296## Owners
297 
298### List app owners
299 
300```bash
301az ad app owner list --id $APP_ID
302```
303 
304### Add owner
305 
306```bash
307# Add user as owner
308USER_OBJECT_ID=$(az ad user show --id "[email protected]" --query "id" -o tsv)
309az ad app owner add --id $APP_ID --owner-object-id $USER_OBJECT_ID
310```
311 
312### Remove owner
313 
314```bash
315az ad app owner remove --id $APP_ID --owner-object-id $USER_OBJECT_ID
316```
317 
318## Delete App Registration
319 
320```bash
321# Delete app registration (and associated service principal)
322az ad app delete --id $APP_ID
323```
324 
325## Tenant and Identity Information
326 
327### Get tenant ID
328 
329```bash
330az account show --query tenantId -o tsv
331```
332 
333### Get current user information
334 
335```bash
336az ad signed-in-user show
337```
338 
339### Get user by email
340 
341```bash
342az ad user show --id "[email protected]"
343```
344 
345### Get user object ID
346 
347```bash
348az ad user show --id "[email protected]" --query "id" -o tsv
349```
350 
351### List all users
352 
353```bash
354az ad user list --output table
355```
356 
357## Scripting Examples
358 
359### Complete app setup script
360 
361```bash
362#!/bin/bash
363 
364# Variables
365APP_NAME="MyApplication"
366REDIRECT_URI="http://localhost:3000"
367 
368echo "Creating app registration..."
369APP_ID=$(az ad app create \
370  --display-name "$APP_NAME" \
371  --spa-redirect-uris "$REDIRECT_URI" \
372  --query "appId" -o tsv)
373 
374echo "App created with ID: $APP_ID"
375 
376echo "Adding Microsoft Graph permissions..."
377GRAPH_RESOURCE_ID="00000003-0000-0000-c000-000000000000"
378USER_READ_ID="e1fe6dd8-ba31-4d61-89e7-88639da4683d"
379 
380az ad app permission add --id $APP_ID \
381  --api $GRAPH_RESOURCE_ID \
382  --api-permissions "$USER_READ_ID=Scope"
383 
384echo "Granting admin consent..."
385az ad app permission admin-consent --id $APP_ID
386 
387echo "Creating service principal..."
388az ad sp create --id $APP_ID
389 
390TENANT_ID=$(az account show --query tenantId -o tsv)
391 
392echo ""
393echo "App registration complete!"
394echo "Application (Client) ID: $APP_ID"
395echo "Tenant ID: $TENANT_ID"
396echo "Redirect URI: $REDIRECT_URI"
397```
398 
399### Cleanup script
400 
401```bash
402#!/bin/bash
403 
404# Delete all apps matching pattern
405az ad app list --display-name "Test*" --query "[].appId" -o tsv | while read APP_ID; do
406  echo "Deleting app: $APP_ID"
407  az ad app delete --id $APP_ID
408done
409```
410