Terms of Use

AppConfig — part of the AppConfig² suite

Last updated: June 7, 2026

1. Acceptance of Terms

By accessing or using AppConfig, you agree to comply with these Terms of Use and with the AppConfig² Suite Terms of Use. If you do not agree to these terms, please do not use the Service.

Important: AppConfig performs read and write operations against your Microsoft Entra ID tenant. By using AppConfig, you acknowledge that you are authorised to make the changes you initiate and that you accept responsibility for those changes. AppConfig provides automatic backup functionality to help you recover from unintended changes — use it.

2. Description of Service

AppConfig is a comprehensive tool for managing and testing Microsoft Entra ID application registrations. It provides full read-write access to application configurations via Microsoft Graph API, operating directly between your browser and Microsoft services. Key capabilities include:

  • Application Registration Management: Create, modify, and delete Microsoft Entra ID app registrations
  • Authentication Testing: Simulate and analyse authentication flows, including OAuth 2.0 and OpenID Connect
  • Token Decoding and Analysis: Inspect and validate JWT and access tokens — identifying claims, signatures, and expiration details
  • API Permission Configuration: Manage and adjust API permissions granted to applications via Microsoft Graph
  • Role-Based Access Control (RBAC): Assign and manage application roles within your Microsoft Entra ID environment
  • Graph API Explorer: Deep inspection of application settings, policies, and conditional access configurations
  • Redirect URI and Authentication Method Management: Modify and test redirect URIs, authentication methods, and application secrets
  • Claims Mapping Policy Management: Create, edit, and assign claims mapping policies to customise token claims
  • Directory Extensions Management: Create and manage custom directory extensions and attributes
  • Permission Analysis: Analyse application permissions and identify potential security risks
  • User Provisioning: Provision and deprovision users for testing purposes
  • Backup and Restore: AppConfig creates automatic backups for each tested application, enabling you to restore the original configuration after testing

AppConfig is designed for operations teams, IT administrators, security engineers, and developers who need a streamlined way to manage Microsoft Entra ID applications.

3. Service Availability & Access Control

Tenant Allowlist System: AppConfig uses a secure allowlist to control access. Only pre-authorised organisation tenants can use the application. Your organisation's tenant ID must be added to the allowlist before you can access the service.

To request access for your organisation:

  • Email support@appconfig.eu with your tenant ID and organisation details
  • Access requests are typically processed within 1–2 business days

AppConfig is currently in Early Access phase and may have limited availability or scheduled maintenance periods.

4. User Responsibilities & Acceptable Use

Because AppConfig performs write operations against your Entra ID tenant, the following responsibilities apply:

You must:

  • Use AppConfig only for authorised purposes within your organisation and in compliance with your organisation's IT and change management policies
  • Ensure that all necessary permissions and administrator consent are granted before using the Service
  • Only test and modify applications and configurations you are authorised to change
  • Use the Backup and Restore functionality before making changes to production applications
  • Not attempt to access data or applications outside your authorised scope
  • Report any security vulnerabilities or unexpected behaviour immediately to support@appconfig.eu

Prohibited Uses:

  • Using AppConfig to access or modify applications without proper authorisation
  • Attempting to bypass security controls, confirmation dialogs, or access restrictions
  • Using the service for malicious purposes or to compromise system security
  • Violating any applicable laws or regulations while using the service
  • Reverse engineering or tampering with the application

5. Administrator Consent & Required Permissions

AppConfig requires administrator consent and specific Microsoft Graph API permissions to function effectively. By granting these permissions, administrators acknowledge that the Service will be able to:

  • Application Management: Read, create, update, and delete application registrations within the Microsoft Entra ID tenant
  • User Management: Read user profiles and provision/deprovision users for testing purposes
  • Directory Management: Read directory information and manage directory extensions
  • Policy Management: Read and manage claims mapping policies and conditional access policies
  • Token Analysis: Request and analyse authentication tokens for testing and debugging
  • API Permissions: Modify application API permissions and consent settings

All permissions are delegated — AppConfig acts on behalf of the signed-in user and is bounded by that user's own Entra ID role assignments. No application (app-only) permissions are used.

Administrator Responsibilities: Tenant administrators are responsible for ensuring that AppConfig usage complies with their organisation's security policies and that only authorised personnel have access to the service.

6. Write Operation Safeguards

AppConfig incorporates the following safeguards for write operations:

  • Backup before change: AppConfig automatically creates a configuration backup when you open an application, giving you a restore point before any changes are made
  • Restore capability: The Backup and Restore feature allows you to revert application configurations to a previously captured state
  • Audit trail: All write operations performed by AppConfig are recorded in your Microsoft Entra audit logs, which you can review in the Entra Admin Centre

Irreversibility Notice: Some operations — such as deleting application registrations, removing credentials, or revoking consent — may not be easily reversible. Always use the Backup and Restore feature before making significant changes, and test in non-production environments where your organisation's policies permit.

7. Data Handling & Caching

AppConfig employs browser-side caching to improve performance:

  • Local Storage: Application metadata, configuration data, and user preferences are temporarily stored in browser local storage (session cache purged every 5 minutes)
  • Backup Storage: Application configuration snapshots created by the Backup and Restore tool are stored in browser localStorage and persist across sessions until you delete them
  • No Server Storage: No user data or application configurations are permanently stored on AppConfig servers
  • Session Data: Authentication tokens are maintained only for the duration of your active session

8. Data Collection & Privacy

AppConfig does not store, share, or misuse any user data. The Service operates entirely within the Microsoft Entra ID environment. Please refer to the AppConfig Privacy Policy for full details on data access, storage, and security.

9. Service Modifications & Updates

We reserve the right to modify, update, or discontinue features with reasonable notice; perform scheduled maintenance; update security measures and access controls; and add or remove tenant access from the allowlist based on security or compliance requirements.

10. Limitation of Liability

The Service is provided "as is" without warranties of any kind. AppConfig and its developers are not responsible for:

  • Changes made to your Entra ID tenant as a result of operations you initiate and confirm within AppConfig
  • Application downtime or authentication failures arising from configuration changes made via AppConfig
  • Data loss or corruption that may occur during Backup and Restore operations
  • Unauthorised access to your Microsoft Entra ID environment by third parties
  • Business interruption or service downtime
  • Compliance violations resulting from improper use of the service

User Responsibility: Users are responsible for maintaining backups of critical application configurations, obtaining proper authorisation before performing write operations, and testing changes in non-production environments where possible.

11. Early Access Program

AppConfig is currently offered as part of an Early Access Program:

  • Features and functionality may change without notice
  • Service availability is not guaranteed
  • Early access participants may be asked to provide feedback and testing assistance
  • Transition to a paid subscription may occur with advance notice to early access participants

12. Changes to Terms

We may update these Terms periodically to reflect changes in the Service or applicable regulations. Users will be notified of significant updates through in-application notifications or email. Continued use of AppConfig after such updates constitutes acceptance of the revised terms.

13. Contact & Support

For questions about these Terms, tenant access requests, or technical support, contact us at support@appconfig.eu.