Entra ID Applications


Entra ID applications are identities that allow software to take advantage of Entra ID capabilities.

What Users Need to Know

As a UW user, you encounter Entra ID applications in three common scenarios:

  1. You would like to use 3rd party software that integrates with UW's identity system
  2. You are writing software that needs to integrate with the UW's identity system
  3. You want to add Entra ID capabilities to your existing software

Microsoft also provides "first-party" Entra applications like Exchange Online. These Entra ID applications may not follow the guidelines noted, and may have extra limitations or per-user licensing.

Using 3rd party software via Entra ID

When you use 3rd party software that integrates with Entra ID (web applications, mobile apps, or Office add-ins), there are typically two steps:

These steps often happen together when you sign in to the application with your UW Microsoft account.


The process for adding an Entra ID application varies by scenario:

  • Formal integration of Software as a Service (SaaS) via Microsoft Gallery Applications
    Microsoft maintains a gallery of over 3,000 pre-integrated SaaS applications. Microsoft has already configured the authentication connection, reducing integration work for the UW. Some gallery applications even handle automatic user provisioning.

    For this type of application, we strongly recommend requiring user assignment and having multiple assigned owners.
  • Click-to-Enable Applications
    Some vendors outside Microsoft's gallery allow you to create the Entra ID application as described above in the 'Using 3rd party software' section. The software may run on your device or on a website.
    Example: Office Add-ins like FindTime. Note that not all click-to-enable applications are located in the Office Store.
  • Self-service creation via an Entra App Registration
    Anyone choosing this option has a sizable amount of orientation to do. The Application Registration - UW-IT page walks through the steps. The Entra ID Application Integration Guide - UW-IT page provides an overview of the many potential related topics. The Entra ID Application Credentials and Management - UW-IT page covers two critical management tasks for this type of Entra application: secret management and the owner role.
  • Admin Required Applications
    Some applications require an admin to grant permissions before they can be created.
Important: Most 3rd party applications require a separate customer relationship with the vendor. If you have chosen an Entra ID application provided by a third party, there is a risk that UW confidential data may intentionally or unintentionally be accessed, collected, or used by the third party. UW organizations are responsible for evaluating the risk and implementing controls for their unique technical deployments. If you've evaluated the risk and decided to use a third party application, then it should meet the UW data security and privacy goals for contracting with vendors. This may include the need for a Data Security and Privacy Agreement or a Business Associate Agreement. Additional responsibilities may be required by UW Medicine for use of Entra ID applications with protected health information. You may have no intended use of protected health information, but depending on the permissions required by the app, your app may unintentionally have access to that type of data. If you'd like help analyzing third party applications or adding an Entra ID application, please contact UW-IT at help@uw.edu.


When a user tries to access an Entra ID application identity that requires permissions to other Entra ID applications, consent is required. The consent prompt shows:

  • The application name
  • Whether the application has a Microsoft verified publisher or not.
    • If it does, you'll see the publisher name immediately below the name.
    • If it doesn't, you'll see "Unverified".
  • List of permissions requested by the application
  • The option to accept or decline

Note: a URL is usually visible in the consent prompt, and it begins with https://login.microsoftonline.com. If that isn't the URL shown, then the consent is likely not for your UW Microsoft account, and is instead for some other account.
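The URL check in the note above, written out as an added example (not part of the original UW-IT page): it parses a sign-in or consent URL, compares the actual host rather than the leading characters, and lists the `client_id` and `scope` values being requested. The sample URLs are constructed, with a placeholder client ID and the reserved domain example.net.

```python
from urllib.parse import urlsplit, parse_qs

EXPECTED_HOST = "login.microsoftonline.com"  # host named in the note above

# Constructed sample URLs (placeholder client_id, reserved example domain).
SAMPLES = {
    "genuine": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
               "?client_id=00000000-0000-0000-0000-000000000000"
               "&response_type=code&scope=openid%20profile%20Mail.Read",
    "suffix": "https://login.microsoftonline.com.example.net/common/oauth2/"
              "v2.0/authorize?client_id=x&scope=openid",
    "userinfo": "https://login.microsoftonline.com@example.net/authorize"
                "?client_id=x&scope=openid",
}

def naive_prefix_check(url):
    """String comparison only: accepts all three samples."""
    return url.startswith("https://" + EXPECTED_HOST)

def inspect_consent_url(url):
    """Parse the URL, compare the real host, and list what is requested."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if parts.hostname != EXPECTED_HOST:
        problems.append(f"host is {parts.hostname!r}")
    if parts.username is not None:
        problems.append("text before '@' is userinfo, not the host")
    query = parse_qs(parts.query)
    return {
        "expected_host": not problems,
        "problems": problems,
        "client_id": query.get("client_id", [None])[0],
        "scopes": query.get("scope", [""])[0].split(),
    }

if __name__ == "__main__":
    for name, url in SAMPLES.items():
        result = inspect_consent_url(url)
        print(name, naive_prefix_check(url), result["expected_host"],
              result["scopes"], result["problems"])
```

A plain "begins with" comparison accepts all three samples; only the first one is actually served from login.microsoftonline.com.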

There are two types of consent:

  • User consent: Each user who uses the application can provide this. This is the most common type of consent, and is limited to things that user can access.
    • If you accept, you get access to the application and have agreed that the application identity can access the other application(s) noted with the permissions noted, getting access to whatever data you have via those permissions in those applications. The application identity doesn't need you to be involved to take those actions, after you have granted consent. 
    • If you decline, you may not be able to access the Entra application. Most applications don't allow you to proceed, but some might. If you are allowed to proceed, the capabilities provided will be limited by what permissions you have consented to.
  • Admin consent: Only UW tenant administrators can provide this. This is limited to permissions that provide broad access to other applications, generally not scoped to a single user.
    • The UW has a set of practices and policies related to what it will and will not grant admin consent for. These are aligned with managing risk for the entire UW. For example, you might imagine that we don't want to give 3rd party applications access to all UW email. If you think you have such an Entra ID application, you can use the request form for that. If you'd like to read more about the UW's admin consent practices, please see our Risky Entra ID application permissions page.

Users working with confidential data are strongly encouraged to exercise care when consenting to permissions--make sure proper controls are in place, such as the DPA and BAA mentioned elsewhere in this document. If you aren't sure, you should ask for help by contacting UW-IT at help@uw.edu.

Here are some example screen shots of the user consent experience: 

[Screenshots: "Entra User Consent: Clio Contacts" and "Entra User Consent: Cronofy"]

What Developers Need to Know

You are a developer writing software. You either need to leverage the API of an Entra ID application or you need to authenticate users and would like to use the modern protocols that Entra ID supports. Microsoft's Integrating applications with Entra ID is a good introductory resource for developers seeking to integrate using an Entra ID identity. Developers seeking to leverage Microsoft Graph or Microsoft APIs may find this TechNet article useful. There is also an Entra ID PowerShell module which allows creation and manipulation of Entra ID applications. The UW's documentation of this experience is still developing, but you may also find the content in the Related Pages section useful.

In the UW tenant, we allow any Entra user to create Entra application objects via the App Registrations mechanism. This is usually the only permission that developers need to proceed. Developers should set more than one owner and carefully manage their application credentials (which generally expire). If you decide to publish an API via your Entra application and want other applications to leverage the permissions of that API, create custom roles, or want to use the SAML protocol instead of the OIDC protocol, you will need UW-IT assistance, as those are all activities that only an administrator can perform.
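One way to audit the two recommendations above (more than one owner, and credentials that expire), as an added example that is not UW-IT's own tooling. It assumes application records shaped like Microsoft Graph `application` objects with `owners` expanded; the records, the fixed audit date, and the 30-day warning window are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed records using Graph application property names.
SAMPLE_APPS = [
    {"displayName": "dept-reporting-tool",
     "owners": [{"userPrincipalName": "dev1@example.edu"}],
     "passwordCredentials": [
         {"displayName": "old-secret", "endDateTime": "2025-01-01T00:00:00Z"},
         {"displayName": "ci-secret", "endDateTime": "2025-02-01T00:00:00Z"}],
     "keyCredentials": []},
    {"displayName": "lab-scheduler",
     "owners": [{"userPrincipalName": "dev1@example.edu"},
                {"userPrincipalName": "dev2@example.edu"}],
     "passwordCredentials": [],
     "keyCredentials": [
         {"displayName": "signing-cert", "endDateTime": "2026-01-01T00:00:00Z"}]},
]
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)  # fixed date for the sample

def parse_graph_time(value):
    """Parse an ISO 8601 UTC timestamp such as 2025-02-01T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_app(app, now, warn_days=30, min_owners=2):
    """Return findings for one application: owner count and credential expiry."""
    findings = []
    owners = app.get("owners", [])
    if len(owners) < min_owners:
        findings.append(f"only {len(owners)} owner(s); set more than one")
    creds = app.get("passwordCredentials", []) + app.get("keyCredentials", [])
    for cred in creds:
        end = parse_graph_time(cred["endDateTime"])
        label = cred.get("displayName") or "unnamed credential"
        if end <= now:
            findings.append(f"{label}: expired {end.date()}")
        elif end - now <= timedelta(days=warn_days):
            findings.append(f"{label}: expires in {(end - now).days} day(s)")
    return findings

if __name__ == "__main__":
    for app in SAMPLE_APPS:
        print(app["displayName"], audit_app(app, NOW) or "ok")
```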