Hello @VADLAMUDI, VAMSHEETH (V.),
Thank you for reaching out to Microsoft Q&A.
I understand you are curious about the limitations on modifying Enterprise Applications in Azure AD. Specifically, are there any restrictions on how frequently we can make changes to attributes, ACS, or reply URLs?
Each application can have up to 256 reply URLs, with each URL being a maximum of 256 characters in length. While there are no specific restrictions on how frequently these URLs can be updated, frequent changes can increase the likelihood of misconfigurations, which may lead to authentication errors. It is crucial to thoroughly test and validate any modifications to avoid potential disruptions.
Attribute changes are allowed, but there may be some delays in reflecting the updates in token claims.
Limitations of redirect URIs for Microsoft Entra applications:
- Redirect URIs must begin with the scheme https, with exceptions for some local host redirect URIs.
- Redirect URIs are case-sensitive and must match the case of the URL path of your running application.
- Redirect URIs not configured with a path segment are returned with a trailing slash ('/') in the response. This applies only when the response mode is query or fragment.
- Redirect URIs that contain a path segment are not appended with a trailing slash in the response.
- Redirect URIs don't support special characters - ! $ ' ( ) , ;
- Redirect URIs don't support Internationalized Domain Names
- Always add redirect URIs to the application object only.
- Never add redirect URI values to a service principal because these values could be removed when the service principal object syncs with the application object. This could happen due to any update operation that triggers a sync between the two objects.
Additionally, when you open the properties of an Enterprise Application, focus on the options mentioned below:
If this option is set to yes, then assigned users will be able to sign in to this application, either from My Apps, the User access URL, or by navigating to the application URL directly. If this option is set to no, then no users will be able to sign in to this app, even if they are assigned to it.
If this option is set to yes, then users and other apps or services must first be assigned this application before being able to access it. If this option is set to no, then all users will be able to sign in, and other apps and services will be able to obtain an access token to this service.
If this option is set to yes, then assigned users will see the application on My Apps and O365 app launcher. If this option is set to no, then no users will see this application on their My Apps and O365 launcher.
For more and additional Information: https://zcusa.951200.xyz/en-us/entra/identity-platform/reply-url#what-are-the-restrictions-of-redirect-uris-for-microsoft-entra-applications
Hope this helps. Do let us know if you have any further queries.
If this answers your query, do click "Accept Answer" and "Yes" for "Was this answer helpful". And, if you have any further query, do let us know.
Regards,
Goutam Pratti.
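The redirect URI restrictions listed in the answer above, turned into a pre-flight check you can run over a candidate list before adding it to the application object, plus the trailing-slash behaviour the answer describes. This is an added example, not code from the answer or from Microsoft; it assumes 127.0.0.1 falls under the localhost exception and that two registered URIs differing only in case are worth flagging, since the match is case-sensitive.

```python
from urllib.parse import urlsplit

MAX_URIS = 256                  # redirect URIs per application (from the answer)
MAX_URI_LEN = 256               # characters per redirect URI (from the answer)
FORBIDDEN_CHARS = set("!$'(),;")  # characters the answer says are unsupported
LOCAL_HOSTS = {"localhost", "127.0.0.1"}  # assumed scope of the http exception


def check_redirect_uri(uri: str) -> list:
    """Return the problems found with one redirect URI (empty list = acceptable)."""
    problems = []
    if len(uri) > MAX_URI_LEN:
        problems.append(f"longer than {MAX_URI_LEN} characters")
    parts = urlsplit(uri)
    host = parts.hostname or ""
    if parts.scheme != "https" and not (parts.scheme == "http" and host in LOCAL_HOSTS):
        problems.append("scheme must be https (http only for localhost)")
    bad = sorted(FORBIDDEN_CHARS.intersection(uri))
    if bad:
        problems.append("contains unsupported characters: " + " ".join(bad))
    if not host.isascii():
        problems.append("internationalized domain names are not supported")
    return problems


def check_redirect_uris(uris: list) -> dict:
    """Map each offending URI to its problems; the '*' key holds set-level issues."""
    report = {}
    if len(uris) > MAX_URIS:
        report["*"] = [f"more than {MAX_URIS} redirect URIs"]
    seen = {}
    for uri in uris:
        key = uri.lower()
        if key in seen and seen[key] != uri:   # case-only variants: likely a misconfiguration
            report.setdefault("*", []).append(f"case variants registered: {seen[key]} / {uri}")
        seen.setdefault(key, uri)
        problems = check_redirect_uri(uri)
        if problems:
            report[uri] = problems
    return report


def redirect_uri_in_response(uri: str, response_mode: str) -> str:
    """Form in which a registered URI comes back, per the answer's trailing-slash rules."""
    parts = urlsplit(uri)
    if parts.path in ("", "/") and response_mode in ("query", "fragment"):
        return uri if uri.endswith("/") else uri + "/"   # no path segment: slash is appended
    return uri                                           # path present: returned unchanged
```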