Supported attributes
| Attribute | Description | Backed up | Restorable |
|---|---|---|---|
| accountEnabled | true if the service principal account is enabled; otherwise, false. | Yes | Yes |
| addIns | Custom behaviours that a consuming service can use to call an app, e.g. File Handlers. | Yes | Yes |
| addIns>id | Unique identifier for the addIn object. | Yes | Yes |
| addIns>properties | Key-value pairs that define the parameters the consuming service can use or call. | Yes | Yes |
| addIns>type | Unique name of the functionality exposed by the app. | Yes | Yes |
| alternativeNames | Used to retrieve service principals by subscription. | Yes | Yes |
| appDescription | Description exposed by the associated application. | Yes | Yes |
| appDisplayName | Display name exposed by the associated application. | Yes | No |
| appId | Unique identifier for the associated application. | Yes | Yes |
| applicationTemplateId | Unique identifier of the applicationTemplate. | Yes | No |
| appOwnerOrganizationId | Contains the tenant ID where the application is registered. Applicable only to service principals backed by applications. | Yes | No |
| appRoleAssignmentRequired | Specifies whether users or other service principals need to be granted an app role assignment for this service principal before users can sign in or apps can get tokens. | Yes | Yes |
| appRoles | The roles exposed by the application which this service principal represents. | Yes | Yes |
| appRoles>allowedMemberType | Specifies whether this app role can be assigned to users and groups, to other applications, or both. | Yes | Yes |
| appRoles>description | Description of the app role. | Yes | Yes |
| appRoles>displayName | Display name for the permission that appears in the app role assignment and consent experiences. | Yes | Yes |
| appRoles>id | Unique role identifier inside the appRoles collection. | Yes | No |
| appRoles>isEnabled | Must be true when creating or updating an app role. | Yes | Yes |
| appRoles>origin | Specifies if the app role is defined on the application object or on the servicePrincipal entity. | Yes | No |
| appRoles>value | Specifies the value to include in the roles claim in ID tokens and access tokens authenticating an assigned user or service principal. | Yes | Yes |
| customSecurityAttributes | An open complex type that holds the value of a custom security attribute that is assigned to a directory object. | Yes | Yes |
| deletedDateTime | The date and time the service principal was deleted. | Yes | Yes |
| description | Description of the service principal for end users. | Yes | Yes |
| disabledByMicrosoftStatus | Specifies whether Microsoft has disabled the registered application. | Yes | No |
| displayName | Display name for the service principal. | Yes | No |
| errorUrl | Deprecated. Not to be used. | No | No |
| homepage | Home page or landing page of the application. | Yes | Yes |
| id | Unique identifier for the service principal. | Yes | No |
| info | Basic profile information of the application, e.g. terms of service, privacy statement. | Yes | No |
| keyCredentials | Key credentials associated with the service principal. | Yes | No |
| loginUrl | Specifies the URL where the service provider redirects the user to Microsoft Entra ID to authenticate. | Yes | Yes |
| logoutUrl | Specifies the URL that Microsoft's authorisation service uses to sign out a user using OpenID Connect front-channel, back-channel, or SAML sign-out protocols. | Yes | Yes |
| notes | Information about the service principal, typically used for operational purposes. | Yes | Yes |
| notificationEmailAddresses | List of email addresses where Entra ID sends a notification when the active certificate is near expiry. Only for certificates used to sign the SAML token issued for Entra Gallery applications. | Yes | Yes |
| passwordCredentials | Password credentials associated with the application. | Yes | No |
| passwordCredentials>customKeyIdentifier | Custom key identifier. Not to be used. | No | No |
| passwordCredentials>displayName | Friendly name for the password. | Yes | Yes |
| passwordCredentials>endDateTime | Date and time at which the password expires. | Yes | Yes |
| passwordCredentials>hint | Contains the first three characters of the password. | No | No |
| passwordCredentials>keyId | Unique identifier for the password. | Yes | Yes |
| passwordCredentials>secretText | Contains strong passwords generated by Entra ID. Cannot be retrieved. | No | No |
| passwordCredentials>startDateTime | Date and time at which the password becomes valid. | Yes | Yes |
| passwordSingleSignOnSettings | Settings related to password single sign-on. | Yes | No |
| passwordSingleSignOnMode | The single sign-on mode configured for this application. | Yes | Yes |
| permissionGrantPreApprovalPolicies | List of pre-approval policies assigned to the service principal. | Yes | No |
| preferredTokenSigningKeyEndDateTime | Expiration date of the keyCredential used for token signing. | Yes | Yes |
| preferredTokenSigningKeyThumbprint | Used by apps that have preferredSingleSignOnMode set to SAML to control which certificate is used to sign the SAML responses. | Yes | Yes |
| publishedPermissionScopes or oauth2PermissionScopes | The delegated permissions exposed by the application. | Yes | Yes |
| publishedPermissionScopes>adminConsentDescription | A description of the delegated permissions, intended to be read by an administrator granting the permission on behalf of all users. | Yes | Yes |
| publishedPermissionScopes>adminConsentDisplayName | The permission's title, intended to be read by an administrator granting the permission on behalf of all users. | Yes | Yes |
| publishedPermissionScopes>id | Unique delegated permission identifier inside the collection of delegated permissions defined for a resource application. | Yes | Yes |
| publishedPermissionScopes>isEnabled | Must be true (default) when creating or updating a permission. | Yes | Yes |
| publishedPermissionScopes>type | Specifies whether administrator consent should always be required for a delegated permission. | Yes | Yes |
| publishedPermissionScopes>userConsentDescription | A description of the delegated permissions, intended to be read by a user granting the permission on their own behalf. | Yes | Yes |
| publishedPermissionScopes>userConsentDisplayName | The permission's title, intended to be read by a user granting the permission on their own behalf. | Yes | Yes |
| publishedPermissionScopes>value | Specifies the value to include in the scp (scope) claim in access tokens. | Yes | Yes |
| publisherName | Name of the Entra tenant that published the application. | Yes | Yes |
| replyUrls | The URLs that user tokens are sent to for sign-in with the associated application, or the redirect URIs that OAuth 2.0 authorisation codes and access tokens are sent to for the associated application. | Yes | Yes |
| samlMetadataUrl | The URL where the service exposes SAML metadata for federation. | Yes | Yes |
| samlSingleSignOnSettings | Settings related to SAML single sign-on. | Yes | Yes |
| servicePrincipalNames | List of identifiersUris copied over from the associated application. | Yes | Yes |
| servicePrincipalType | Specifies whether the service principal represents an application or a managed identity. | Yes | Yes |
| signInAudience | Specifies the Microsoft accounts that are supported for the current application. | Yes | No |
| spa | Specifies settings for a single-page application, including sign out URLs and redirect URIs for authorisation codes and access tokens. | Yes | Yes |
| tags | Custom strings that can be used to categorise and identify the application. | Yes | Yes |
| tokenEncryptionKeyId | Specifies the keyId of a public key from the keyCredentials collection. | Yes | Yes |
| verifiedPublisher | Specifies the verified publisher of the application. | Yes | Yes |
Supported relationships
- owner
- appRoleAssignedTo
- appRoleAssignments
- memberOf
Note:
- Only the application-type service principal is supported (not legacy or managed identity).
- An Enterprise App can only be restored if the corresponding app registration is present and has not been deleted. If the app registration is on the local tenant, restore that first.
- The appDisplayName and displayName can only be restored by restoring the corresponding app registration.
- Read about the limitations of Entra ID object recovery in Article 1554.