Azure Application Registration Management for VS Code

This Visual Studio Code extension provides an easy way to view and manage Azure Application Registrations outside of the Azure Portal.

It allows for easy viewing, copying, adding, and editing of most the core application properties, such as:

• Client Id
• Application ID URIs
• Sign In Audience
• Certificates and Secrets
• Redirect URIs
• Front-channel Logout URL
• API Permissions
• Exposed API Permissions
• Pre-Authorized Applications
• App Roles
• Owners
• Deleted Applications

It also allows for the simple creation of new applications, quickly viewing of the full application manifest in the editor, and has the ability to open the application registration directly in the Azure Portal when you need full editing control.

The application list is shown in a tree view, with the application itself at the top level, and each of the application properties as children. This allows for easy navigation and management of the application properties. The default list view is for applications owned by the signed in user. This can be changed in user settings, via the command palette, or via the view button on the toolbar to show all applications, or deleted applications.

All application properties have their own range of functionality. From the top-level application itself, down to each individual property, functionality can be accessed via a range of context menus. If required functionality is not currently implemented for a particular property then you can open the application registration in the Azure portal from the context menu of the application itself.

Most elements also have tooltips to help explain what they are and how they work, this includes the application list itself, which gives a quick view of the date the application was created and any internal notes you may have added.

Where password or certificate credentials are shown, the tooltip and icon colour will indicate if the credential is about to expire or has expired. This is based upon the expiry date of the credential. An upcoming expiry is determined as anything less than 30 days.

By default, to improve performance, the application list is limited to show 40 applications. This however is exposed as a user setting and can be changed if you wish. The list is sorted by application display name. If your application is not shown in the list you can also apply a filter on display name, which is applied before the maximum application shown limit (although only when eventual consistency is applied - see section below).

The default view only shows applications where the signed in user is an owner. This behaviour can be changed in user settings to show all applications if required.

Authentication

This extension uses the AzureCliCredential to authenticate the user and gain an access token required to manage applications. This means it does not use the Azure Account identity, but rather the Azure CLI. This is a workaround due to a known issue with the VisualStudioCodeCredential and Azure Account extension >= v0.10.0.

Please ensure your Azure CLI is authenticated to the correct tenant using az login --tenant <tenant_name or tenant_id>. If you are not authenticated using the Azure CLI the extension will offer the opportunity to sign in to the tenant of your choice.

Manual commands are also available via the command palette to allow you to sign into a different tenant or sign out of the Azure CLI. Other additional top level application commands are also available, as can be seen in the image below. All top level commands also have keyboard shortcuts assigned to them.

The access token used for this extension uses the scope Directory.AccessAsUser.All. This means that it will use the Azure RBAC directory roles assigned to the authenticated user, and hence requires the user to be assigned a role which allows for application management. More details on this scope can be found on this Microsoft Graph Permission Explorer.

Eventual Consistency

Azure Active Directory stores multiple copies of data to handle large read volumes and provide high availability. When directory objects are created or updated, changes will eventually be applied to all the copies. This means that occasionally after making changes they may not initially be reflected in the application list. It can take anything from a few seconds to a few minutes for all copies to be updated, hence the term Eventual.

Microsoft Graph API (which this extension uses to manage applications registrations) handles this with the use of an eventual consistency header in API requests. Adding this header means the API will only return the results of directory objects where all copies have been updated. This can sometimes lead to confusing results.

Furthermore, some advanced query functionality of Graph API such as server-side ordering and filtering only works when explicitly telling the API to use eventual consistency. To deliver a better user experience this extension offers the ability to make Graph API calls with or without the eventual consistency header. This can be enabled or disabled in the user settings (see section below).

As a rule of thumb, if you are working with a small list of applications (fewer than 200 in total) it is recommended to disable the use of the eventual consistency header (which is enabled by default). The application list will then be ordered client-side, although the filter option will be unavailable.

If you are working with a large list of applications (more than 200 in total) then it is recommended to enable the use of the eventual consistency header. This will allow the list of applications to be filtered server-side by Graph API before results are returned ensuring the filter is based upon a full list of applications.

By default a consistency setting check and warning is enabled. When the application list is refreshed the total number of applications is counted and if it is considered that the consistency setting is set incorrectly then a warning will be shown. This warning can be disabled in the user settings.

If you have enabled the use of the eventual consistency header and some applications or properties are not initially showing correctly after creation or editing then simply wait a short time and refresh the list again. Read more on Eventual Consistency.

User Settings

There are a number of user settings to control the behaviour of this extension. These are:

• Maximum Applications Shown
  • This controls how many applications to show in the list. When Use Eventual Consistency is enabled applications will be ordered by display name by the Graph API. If it is not enabled then applications are ordered client-side from the total list defined in Maximum Query Apps. Default value is 40.
• Application List View
  • Selects the type of applications to show in the list view between Owned, All, and Deleted applications. Default value is Owned Applications.
• Create Service Principal With Application
  • Creates a service principal for the application when creating a new application registration. Default value is true.
• Use Eventual Consistency
  • When selected the ConsistencyLevel: eventual header is added to Graph API calls. This opens up the opportunity for advanced query functionality such as server-side ordering and filtering. However enabling this setting results in applications and properties only being shown in the list when all copies have been updated. This can lead to a delay in recent changes being shown. If you are working with a large number of applications (more than 200) it is recommended to enable this. Default value is true.
• Show Application Count Warning
  • With this enabled the total number of applications you have in your tenant will be counted and a warning will be displayed if it is determined your Use Eventual Consistency setting is not set to the optimal value for your best experience. Default value is true.
• Maximum Query Apps
  • This controls how many applications Graph API will request in an initial query to build the list when not using eventual consistency. If working with a small number of applications reducing this number can improve performance. Be aware though that due to the nature of Graph API and client-side ordering, reducing this to below Maximum Applications Shown could result in not seeing the applications you expect in the right order. Default value is 100.
• Include Entra Portal
  • Includes Open in Entra Portal alongside options to open applications or users in the Azure portal. Default value is true.
• Omit Tenant ID from Portal Requests
  • Disables the inclusion of tenant IDs in portal URLs when opening applications or users in the Azure and/or Entra portals. Including the tenant ID in the portal URLs can help when you have logged into the extension with a non-default tenant and try to open items in the portals. Default value is false.

Functionality In Progress

The following functionality has not yet been implemented, but is on the backlog for addition in future releases. If any of this functionality is required you can right-click the application and open in the portal blade to manage them. If you have any suggestions for useful functionality please get in touch.

• Implicit flow settings
• Public flow settings
• Android / iOS Redirect URIs
• Optional token claims
• Federation credentials

Notes

This extension is not officially supported and you use it at your own risk. It has a dependency on the Azure Tools extension pack, but only because it places the application registrations view into the Azure view container.