1. Acceptance of Terms
By accessing or using AppTesting, you agree to comply with these Terms of Use and with the AppConfig² Suite Terms of Use. If you do not agree, please do not use the Service. These terms govern your use of AppTesting specifically; other tools in the AppConfig² suite are governed by their own terms.
2. Description of Service
AppTesting is a read-only analysis and troubleshooting tool for Microsoft Entra ID application registrations. It connects to your tenant via Microsoft Graph API using delegated, read-only permissions and performs all analysis within your browser — no configuration changes can result from using AppTesting.
AppTesting provides the following capabilities:
- Authentication Flow Testing: Simulate and analyse OAuth 2.0 and OpenID Connect authentication flows — inspecting the results without modifying any configuration
- Token Decoding & Analysis: Decode and inspect JWT and access tokens — identifying claims, signatures, expiration, audience values, and potential issues. Decoding occurs entirely client-side.
- Application Registration Inspection: Read and display application configurations, manifest properties, redirect URIs, and authentication settings in full detail
- Permission Analysis: Review API permissions, consent grants, and application role assignments — identifying over-privileged applications and potential security risks
- Conditional Access Policy Review: Inspect conditional access policy assignments and analyse their impact on application access
- Credential Metadata Review: View credential expiry dates and key metadata (actual secret values are never accessible via the Graph API)
- Auth Flow Tester — Client Credentials (Optional): Test whether a set of client credentials can successfully obtain an access token from Microsoft, using a secure backend endpoint. See Section 5 for details.
AppTesting is designed for IT administrators, security engineers, developers, and support teams who need comprehensive diagnostic visibility into Entra ID application configurations without the risk of inadvertent changes.
3. Read-Only Guarantee
AppTesting holds no write permissions against Microsoft Graph API. It is architecturally incapable of creating, modifying, or deleting any object in your Entra ID tenant. The Microsoft Graph permissions granted to AppTesting are limited to read-only delegated scopes. No changes to your application registrations, credentials, consent grants, policies, or tenant configuration can result from using AppTesting.
The only data path involving AppTesting infrastructure is the optional client credentials testing feature (Section 5), which calls Microsoft's token endpoint — not your Graph API tenant data — to verify credential validity.
4. Service Availability & Access Control
Tenant Allowlist System: AppTesting uses a secure allowlist to control which organisation tenants can access the service. Your organisation's Entra ID tenant ID must be authorised before you can sign in.
To request access:
- Email support@appconfig.eu with your tenant ID and organisation details
- Access requests are typically processed within 1–2 business days
AppTesting is currently in Early Access phase. Service availability may vary and scheduled maintenance periods may occur.
5. Auth Flow Tester — Client Credentials (Optional Feature)
AppTesting includes an optional Auth Flow Tester that can test the OAuth 2.0 client credentials flow using a secure Azure Function backend (/get-token). This feature is subject to the following terms:
- Purpose: To verify that a set of client credentials (client ID plus secret or certificate) can successfully obtain an access token from Microsoft's token endpoint
- Data Transmitted: Client ID, client secret or certificate, and tenant ID are sent to AppTesting's
/get-tokenAzure Function over HTTPS - Backend Processing: The function processes credentials in-memory only, makes the token request to Microsoft, and returns the result. Credentials are never logged, stored, or forwarded to any other system.
- Your Responsibility: Only submit credentials for applications you are authorised to test. Do not submit credentials belonging to production applications unless you are explicitly authorised to do so under your organisation's security policies.
- Optional: All other AppTesting capabilities function without this feature.
Why a Backend Service is Required: The OAuth 2.0 client credentials flow requires transmitting sensitive credentials to obtain an access token. Browser-based applications must not handle these credentials directly — a backend service is required by the OAuth 2.0 specification. The AppTesting /get-token Azure Function serves this purpose, handling credentials securely in-memory without logging or storing them.
6. Administrator Consent & Required Permissions
AppTesting requires a one-time administrator consent to grant the following delegated, read-only permissions:
User.Read— read the signed-in user's profile to display identity in the UIApplication.Read.All— read all application registrations and service principals in the tenantPolicy.Read.All— read conditional access policies and claims mapping policies for analysisopenid,profile,offline_access— standard OIDC scopes for authentication and silent token renewal
These are the only permissions AppTesting will ever request. No write permissions (ReadWrite variants) are requested at any point during use. Administrators are responsible for ensuring that the personnel granted access to AppTesting are authorised to view the tenant's application configuration and security data.
7. User Responsibilities & Acceptable Use
Users must:
- Use AppTesting only for authorised analytical and diagnostic purposes within their organisation
- Comply with their organisation's IT and data classification policies when handling or sharing analysis results
- When using the optional client credentials testing feature, only submit credentials for applications they are authorised to test
- Not share application analysis results or token inspection outputs with unauthorised parties, as these may contain sensitive tenant information
- Not attempt to reverse-engineer, tamper with, or misuse the service
- Report any security vulnerabilities or unexpected behaviour promptly to support@appconfig.eu
Prohibited Uses:
- Accessing AppTesting using credentials you are not authorised to use
- Using AppTesting to access or analyse data outside your organisation's tenant
- Submitting client credentials belonging to applications you are not authorised to test
- Using AppTesting to facilitate unauthorised reconnaissance of another organisation's environment
- Exporting and distributing tenant analysis data in violation of your organisation's policies or applicable law
8. Data Handling
AppTesting uses browser-side session caching to support its read operations:
- sessionStorage: Authentication tokens and Graph API response cache, isolated per browser tab, automatically cleared when the tab is closed
- localStorage: UI preferences (theme) and short-lived metadata cache only — no tenant configuration data is persisted
- No server storage: No tenant data is transmitted to or stored on AppTesting servers during read operations
- Client credentials: Transmitted to the optional
/get-tokenendpoint in-memory only, never stored (see Section 5)
Please refer to the AppTesting Privacy Policy for full details on data handling, storage, and security.
9. Service Modifications & Updates
We reserve the right to modify, update, or discontinue features with reasonable notice; perform scheduled maintenance; update security measures and access controls; and update the tenant allowlist as needed. Because AppTesting is read-only, service updates cannot alter your Entra ID tenant data.
10. Limitation of Liability
The Service is provided "as is" without warranties of any kind. AppTesting and its developers are not responsible for:
- Decisions made based on analysis results, permission assessments, or token inspection outputs — these are diagnostic indicators to support human review, not authoritative security assessments
- Inaccuracies in analysis results due to Microsoft Graph API data inconsistencies or caching latency
- Service interruptions or unavailability
- Unauthorised access to your Entra ID environment by third parties
- Compliance violations arising from misuse of analysis outputs or exported data
Diagnostic Disclaimer: Authentication flow analysis, permission risk assessments, and token inspection outputs are generated programmatically from available Graph API data and token contents. They should be reviewed by a qualified administrator and do not constitute a security audit or compliance certification.
11. Early Access Program
AppTesting is currently offered as part of an Early Access Program:
- Analysis capabilities, supported flows, and features may change without prior notice
- Service availability is not guaranteed during this phase
- Early access participants may be invited to provide feedback
- Transition to a paid subscription may occur with advance notice to early access participants
12. Changes to Terms
We may update these Terms periodically to reflect changes in the Service or applicable regulations. Users will be notified of significant updates through in-application notifications or email. Continued use of AppTesting after such updates constitutes acceptance of the revised terms.
13. Contact & Support
For questions about these Terms, tenant access requests, or technical support, contact us at support@appconfig.eu.