Application publishers/vendors who integrate with Microsoft Entra ID are required to have a publishing directory (shown on the right as "Some software as a service (SaaS) Directory").

Applications that you add yourself (represented as App (yours) in the diagram) include:

  • Apps you developed (integrated with Microsoft Entra ID)
  • Apps you connected for SSO
  • Apps you published using the Microsoft Entra application proxy

Notes and exceptions

  • Not all service principals point back to an application object. When Microsoft Entra ID was originally built the services provided to applications were more limited, and the service principal was sufficient for establishing an application identity. The original service principal was closer in shape to the Windows Server Active Directory service account. For this reason, it's still possible to create service principals through different pathways, such as using Microsoft Graph PowerShell, without first creating an application object. The Microsoft Graph API requires an application object before creating a service principal.
  • Not all of the information described above is currently exposed programmatically. The following are only available in the UI:
    • Claims transformation rules
    • Attribute mappings (User provisioning)
  • For more detailed information on the service principal and application objects, see the Microsoft Graph API reference documentation:

Why do applications integrate with Microsoft Entra ID?

Applications are added to Microsoft Entra ID to use one or more of the services it provides including:

  • Application authentication and authorization
  • User authentication and authorization
  • SSO using federation or password
  • User provisioning and synchronization
  • Role-based access control (RBAC) - Use the directory to define application roles to perform role-based authorization checks in an application
  • OAuth authorization services - Used by Microsoft 365 and other Microsoft applications to authorize access to APIs/resources
  • Application publishing and proxy - Publish an application from a private network to the internet
  • Directory schema extension attributes - Extend the schema of service principal and user objects to store additional data in Microsoft Entra ID


Who has permission to add applications to my Microsoft Entra instance?

By default, all users in your directory have the right to register application objects that they're developing, and they have discretion over which applications they give access to their organizational data through consent. If a person is the first user in your directory to sign in to an application and grant consent, that creates a service principal in your tenant. Otherwise, the consent grant information is stored on the existing service principal.

Allowing users to register and consent to applications might initially sound concerning, but keep the following reasons in mind:

  • Applications have been able to use Windows Server Active Directory for user authentication for many years without requiring the application to be registered or recorded in the directory. Now the organization has improved visibility into exactly how many applications are using the directory and for what purpose.
  • Delegating these responsibilities to users negates the need for an admin-driven application registration and publishing process. With Active Directory Federation Services (ADFS) it was likely that an admin had to add an application as a relying party on behalf of their developers. Now developers can self-service.
  • Users signing in to applications using their organization accounts for business purposes is a good thing. If they subsequently leave the organization they'll automatically lose access to their account in the application they were using.
  • Having a record of what data was shared with which application is a good thing. Data is more transportable than ever and it's useful to have a clear record of who shared what data with which applications.
  • API owners who use Microsoft Entra ID for OAuth decide exactly what permissions users are able to grant to applications and which permissions require an admin to agree to. Only admins can consent to larger scopes and more significant permissions, while user consent is scoped to the users' own data and capabilities.
  • When a user adds or allows an application to access their data, the event can be audited so you can view the Audit Reports within the Microsoft Entra admin center to determine how an application was added to the directory.

If you still want to prevent users in your directory from registering applications and from signing in to applications without administrator approval, there are two settings that you can change to turn off those capabilities:

  • To change the user consent settings in your organization, see Configure how users consent to applications.

  • To prevent users from registering their own applications:

    1. In the Microsoft Entra admin center, browse to Identity > Users > User settings.
    2. Change Users can register applications to No.
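The two tenant settings above and the audit trail mentioned earlier can also be reviewed from Microsoft Graph PowerShell. This is an added example, not part of the original page; it assumes the Microsoft.Graph SDK is installed, that the caller holds the listed scopes, and that the audit activity names "Consent to application" and "Add service principal" are the ones recorded for those events.

```powershell
# Added example: inspect who may register apps / consent, then list the audit
# events that add a service principal to the tenant. Not code from the page.
# Assumes Microsoft.Graph SDK and scopes Policy.Read.All and AuditLog.Read.All.
Connect-MgGraph -Scopes "Policy.Read.All", "AuditLog.Read.All"

# 1. Tenant-wide defaults: can ordinary users register applications, and which
#    permission grant policy (if any) is assigned to the default user role?
$policy = Get-MgPolicyAuthorizationPolicy
[pscustomobject]@{
    UsersCanRegisterApps = $policy.DefaultUserRolePermissions.AllowedToCreateApps
    UserConsentPolicyIds = ($policy.PermissionGrantPolicyIdsAssignedToDefaultUserRole -join ", ")
} | Format-List

# 2. Audit trail for the last 30 days: a user consenting to an application, or a
#    service principal created directly (for example via PowerShell, without an
#    application object, as the notes above describe). Activity names assumed.
$since  = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$filter = "category eq 'ApplicationManagement' and activityDateTime ge $since"
$events = Get-MgAuditLogDirectoryAudit -Filter $filter -All |
    Where-Object { $_.ActivityDisplayName -in @("Consent to application", "Add service principal") }

$events | ForEach-Object {
    # Prefer the signed-in user as actor; fall back to the calling app (daemon flows).
    $actor = $_.InitiatedBy.User.UserPrincipalName
    if (-not $actor) { $actor = $_.InitiatedBy.App.DisplayName }
    $target = $_.TargetResources | Select-Object -First 1
    [pscustomobject]@{
        When     = $_.ActivityDateTime
        Activity = $_.ActivityDisplayName
        Actor    = $actor
        Target   = $target.DisplayName
        Result   = $_.Result
    }
} | Sort-Object When -Descending | Format-Table -AutoSize
```

Events with an application actor and no user are worth a second look, since they correspond to service principals created outside the user consent flow.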