Privacy Policy

AppTooling — part of the AppConfigΒ² suite

Last updated: June 6, 2026

1. Overview

AppTooling is a read-write Entra ID administration tool offering ten focused tools for managing application registrations, credentials, consent grants, and related configurations. Because AppTooling performs write operations, this Privacy Policy explains precisely what data is accessed, what is written back to your tenant, and how the application handles sensitive information such as credentials and authentication tokens throughout the process.

Key Privacy Principle: AppTooling operates as a fully static Single-Page Application (SPA) with no backend infrastructure. All data access β€” both reads and writes β€” occurs directly between your browser and Microsoft Graph API. No tenant data, credentials, or tokens are routed through AppTooling servers. Write operations require explicit user confirmation before execution.

2. Information AppTooling Accesses

AppTooling accesses your Entra ID tenant data on behalf of the authenticated user. The scope of access depends on which tools you use and which permissions you consent to at the time of use.

2.1 Authentication Information

  • User identity and basic profile (name, email, tenant ID) β€” to identify the signed-in user and enforce single-tenant access
  • Authentication tokens β€” obtained via MSAL.js using Authorization Code Flow with PKCE, stored in sessionStorage (per-tab isolation), never transmitted to AppTooling servers

Access Method: Direct browser-to-Microsoft authentication. AppTooling never sees or handles your password or MFA response.

2.2 Application Registration Data (Read)

  • Application display names, IDs, manifest properties, redirect URIs, and authentication settings
  • API permissions, OAuth 2.0 consent grants, and application role assignments
  • Credential metadata β€” key IDs, expiry dates, display names (actual secret values are never returned by the Graph API)
  • Federated identity credential configurations
  • Claims mapping policies assigned to applications
  • Optional claims configuration from application manifests

2.3 Application Registration Data (Write)

AppTooling may write the following data to your Entra ID tenant, depending on which tools you actively use and confirm. All write operations require explicit user confirmation before execution:

  • Consent Manager: Grant or revoke OAuth 2.0 delegated permission grants on service principals
  • AppRole Assignment Manager: Create application role assignments between service principals
  • Credential & Secret Manager: Create new client secrets on application registrations (with configurable lifetime); newly created secret values are displayed once in-browser and never stored by AppTooling
  • Federated Identity Credentials: Create federated identity credentials on application registrations (no secret value involved)
  • Claims Mapping Policy Tool: Create, update, and assign claims mapping policies
  • Manifest Editor: Patch application manifest properties via the Graph API PATCH operation
  • Optional Claims Editor: Update the optionalClaims configuration of an application registration
  • Graph Explorer: Execute arbitrary Graph API calls (GET, POST, PATCH, DELETE) as directed by the authenticated user
  • Backup & Restore: Restore saved application configuration snapshots to the corresponding application registration in your tenant

Important: Write operations are always initiated by the authenticated user. AppTooling does not initiate any writes autonomously or in the background.

3. Local Data Storage

AppTooling uses two browser-side storage mechanisms, each for a distinct purpose:

3.1 sessionStorage (Authentication & Session State)

  • MSAL.js authentication tokens and account information
  • Currently selected application context and active tool state
  • Graph API response cache for read operations (reduces redundant API calls within a session)
  • Scope: Isolated per browser tab; automatically discarded when the tab or browser is closed
  • No cross-tab sharing: Each tab maintains a fully independent session

3.2 localStorage (Backup & Restore)

  • Application configuration snapshots created by the Backup & Restore tool β€” these are stored locally in your browser's localStorage for persistence across sessions
  • User interface preferences (e.g., theme selection)
  • Scope: Persists across browser sessions for the same browser profile
  • No transmission: Backup data stored in localStorage never leaves your browser β€” it is not uploaded to AppTooling servers
  • User control: You can view, export, or delete all backup snapshots from within the Backup & Restore tool, or clear localStorage via browser settings

Secret Values: Newly created client secret values are displayed once within the browser session immediately after creation and are never written to localStorage, sessionStorage, or any external storage. Once you close or navigate away from the secret display, the value cannot be retrieved from AppTooling.

4. How AppTooling Uses Accessed Data

Data accessed via Microsoft Graph is used solely to operate the ten tools within AppTooling. No data is used for advertising, profiling, or any purpose other than fulfilling the specific tool action you initiate.

4.1 Identity Management Tools

  • Consent Manager: Reads existing OAuth 2.0 grant records to display current consent state; writes grant create/delete operations only upon explicit user confirmation
  • AppRole Assignment Manager: Reads existing role assignments to display current state; creates new assignments upon explicit user confirmation

4.2 Credentials & Trust Tools

  • Credential & Secret Manager: Reads credential metadata (never secret values); creates new secrets upon explicit user confirmation with a configurable expiry; newly created secret values are displayed once and never stored
  • Federated Identity Credentials: Reads and creates federated identity credential configurations using pre-built templates for GitHub Actions, Azure DevOps, Kubernetes, and Google Cloud Workload Identity Federation

4.3 Configuration Tools

  • Claims Mapping Policy Tool: Reads, creates, updates, and assigns claims mapping policies; all write operations require explicit confirmation
  • Manifest Editor: Reads the full application manifest; patches specific properties upon explicit user confirmation with diff highlighting to show exactly what will change
  • Optional Claims Editor: Reads and updates the optionalClaims node of an application manifest via a structured UI; confirmation required before write

4.4 Advanced Tools

  • Graph Explorer: Executes Graph API requests you construct manually. Read (GET) and write (POST, PATCH, DELETE) operations are both available. You are responsible for the operations you execute via this tool
  • JWT Token Decoder: Decodes JWT tokens you paste into the tool. Decoding occurs entirely client-side; no token value is transmitted to AppTooling servers
  • Backup & Restore: Automatically creates configuration snapshots of applications you open in AppTooling, and allows on-demand backup and restore. Snapshots are stored in localStorage (see Section 3.2). Restore operations write configuration data back to your tenant upon explicit user confirmation

5. Write Operation Safeguards

Because AppTooling performs write operations against your Entra ID tenant, specific safeguards are built into the application to protect against unintended changes:

  • Confirmation dialogs: Every write operation (create, update, delete, restore) requires explicit confirmation before execution. There are no auto-save or background write operations
  • Diff highlighting: The Manifest Editor displays a before/after diff of the changes you are about to apply
  • Secrets shown once: Newly created secret values are displayed in-browser once and never stored, mirroring the behaviour of the Microsoft Entra Admin Center
  • JIT scope consent: AppTooling requests only the permissions needed for the specific tool you are using, at the time you use it (Just-In-Time consent). You are not asked to pre-authorise all possible write scopes at sign-in
  • Automatic backup: The Backup & Restore tool automatically snapshots an application's configuration when you open it, giving you a restore point before any changes are made

6. Permissions Model

AppTooling uses Just-In-Time (JIT) scope consent: permissions are requested at the point of use, not pre-consented at sign-in. The following delegated permissions may be requested, depending on which tools you use:

  • User.Read β€” read signed-in user profile (always requested at sign-in)
  • openid, profile, offline_access β€” standard OIDC scopes (always requested at sign-in)
  • Application.Read.All β€” read application registrations (requested when you open any tool)
  • Application.ReadWrite.All β€” create and update application registrations, credentials, and configurations (requested when you use a write-capable tool)
  • DelegatedPermissionGrant.ReadWrite.All β€” manage OAuth 2.0 consent grants (requested when you use Consent Manager)
  • AppRoleAssignment.ReadWrite.All β€” manage application role assignments (requested when you use AppRole Assignment Manager)
  • Policy.Read.All, Policy.ReadWrite.ApplicationConfiguration β€” manage claims mapping policies (requested when you use Claims Mapping Policy Tool)
  • Additional scopes may be requested by the Graph Explorer tool when you target specific Graph endpoints that require them

All permissions are delegated (on behalf of the signed-in user). AppTooling does not use application (app-only) permissions. Operations are bounded by the signed-in user's own Entra ID role assignments.

7. Data Transmission & Security

7.1 Architecture

  • AppTooling is hosted as a fully static Azure Static Web Apps SPA β€” no backend compute, no Azure Functions, no server-side processing
  • All read and write operations occur directly between your browser and Microsoft Graph API
  • No tenant data, tokens, or credentials pass through AppTooling infrastructure

7.2 Encryption

  • All communication with Microsoft Graph uses HTTPS/TLS
  • MSAL.js tokens are stored in sessionStorage with browser-native security protections
  • No credentials or secrets are stored in any AppTooling-controlled system

7.3 Authentication Security

  • Authorization Code Flow with PKCE β€” no implicit flow, no client secret embedded in the app
  • Tokens stored in sessionStorage provide per-tab isolation β€” closing the tab discards all tokens
  • Silent sign-out with login_hint pre-populates the account identifier on the next sign-in
  • Single-tenant enforcement β€” AppTooling validates that the authenticated tenant matches the configured tenant

7.4 Client-Side Security Controls

  • OWASP-aligned client-side HTTP headers: X-Frame-Options, X-Content-Type-Options, Referrer-Policy
  • No client-side secret storage β€” AppTooling never retains credential values in any browser storage mechanism
  • Write operation guardrails (confirmation dialogs) prevent accidental modifications

7.5 Platform Logging

AppTooling has no application-level logging infrastructure. Azure Static Web Apps platform may collect standard hosting telemetry (request counts, response codes, CDN metrics) that contains no tenant data. This telemetry is governed by Microsoft's privacy practices.

8. Third-Party Services

AppTooling integrates exclusively with Microsoft services:

  • Microsoft Entra ID: Authentication and identity management (direct browser-to-Microsoft connection)
  • Microsoft Graph API: Read and write operations on tenant application data (direct browser-to-Microsoft connection)
  • Azure Static Web Apps: Application hosting (static asset delivery only)

No third-party analytics, advertising, tracking, or data-sharing services are used. No tenant data is shared with any external party other than Microsoft for the purpose of authenticating you and executing the Graph API operations you initiate.

9. Data Retention & Deletion

9.1 Server-Side

  • AppTooling holds no server-side databases, file stores, or caches containing tenant data
  • There is no AppTooling-side data to delete, as none is ever stored

9.2 Browser-Side

  • sessionStorage data (tokens, session state, read cache) is automatically discarded when you close the tab
  • localStorage data (backup snapshots, theme preference) persists until you clear it manually or via the Backup & Restore tool's delete function
  • To remove all AppTooling browser data, clear your browser's localStorage for the AppTooling origin via browser settings

9.3 Revoking Access

  • Revoke AppTooling's delegated permissions at any time via Microsoft Entra Admin Center β†’ Enterprise Applications β†’ AppTooling β†’ Permissions β†’ Revoke consent
  • Revoking consent does not reverse any write operations already performed on your tenant β€” use the Backup & Restore tool to revert unintended changes

10. Compliance

10.1 GDPR

AppTooling's architecture minimises data processing to what is strictly necessary for each tool action. Because no tenant data is stored or processed on AppTooling infrastructure, the GDPR controller/processor relationship between your organisation and AppTooling is minimal. Your organisation remains the controller of Entra ID data; AppTooling acts as a thin browser-based client that executes Graph API calls on behalf of your authorised users.

10.2 Microsoft Trust Center

AppTooling builds on Microsoft's security and compliance infrastructure. The governance of your Entra ID environment β€” including its certifications β€” applies to the data AppTooling accesses via Graph API. Write operations performed by AppTooling are subject to the same audit logging (Microsoft Entra audit logs) as equivalent operations performed via the Entra Admin Center.

11. Changes to This Policy

We may update this Privacy Policy to reflect changes in AppTooling's functionality or applicable regulations. Significant changes will be communicated through in-application notifications and updates posted on the AppTooling landing page. Continued use after such updates constitutes acceptance of the revised policy.

12. Contact

For privacy-related questions or concerns:

EU data subjects have the right to lodge a complaint with their local supervisory authority.