1. Acceptance of Terms
By accessing or using AppTooling, you agree to comply with these Terms of Use. If you do not agree, please do not use the Service. These terms govern your use of AppTooling specifically; other tools in the AppConfig² suite are governed by their own terms.
Important: Unlike read-only tools, AppTooling performs write operations against your Microsoft Entra ID tenant. By using AppTooling, you acknowledge that you are authorised to make the changes you initiate and that you accept responsibility for those changes.
2. Description of Service
AppTooling is a read-write Entra ID administration tool providing ten focused tools across four functional areas. It operates as a fully static Single-Page Application (SPA) — all operations occur directly between your browser and Microsoft Graph API with no AppTooling backend servers involved.
2.1 Identity Management
- Consent Manager: View, grant, and revoke OAuth 2.0 delegated permission grants on service principals
- AppRole Assignment Manager: View existing and create new application role assignments between service principals
2.2 Credentials & Trust
- Credential & Secret Manager: Browse existing credential metadata, create new client secrets with configurable lifetimes; newly created secret values are displayed once and never stored
- Federated Identity Credentials: Create Workload Identity Federation (WIF) configurations using pre-built templates for GitHub Actions, Azure DevOps, Kubernetes, and Google Cloud
2.3 Configuration
- Claims Mapping Policy Tool: Full CRUD operations on claims mapping policies with built-in templates and assignment management
- Manifest Editor: JSON manifest editor with diff detection — shows exactly what properties will change before applying a PATCH operation
- Optional Claims Editor: Structured UI for managing the optionalClaims node of an application manifest, with a curated claim catalogue
2.4 Advanced
- Graph Explorer: Execute arbitrary Microsoft Graph API calls (GET, POST, PATCH, DELETE) with automatic scope detection; full power and full responsibility
- JWT Token Decoder: Fully client-side JWT decoding with annotated claim categories — no token value is transmitted to AppTooling servers
- Backup & Restore: Automatic and on-demand application configuration snapshots stored in browser localStorage; restore operations write saved configuration back to the tenant upon explicit confirmation
AppTooling is designed for Entra ID administrators, identity engineers, and cloud security engineers who need a unified, guided interface for common application management operations that would otherwise require context-switching across multiple portal screens or direct Graph API calls.
3. Service Availability & Access Control
Tenant Allowlist System: AppTooling uses a secure allowlist to control which organisation tenants can access the service. Your organisation's Entra ID tenant ID must be authorised before you can sign in.
To request access:
- Contact your IT administrator to submit a tenant access request
- Email support@appconfig.eu with your tenant ID and organisation details
- Access requests are typically processed within 1–2 business days
AppTooling is currently in Early Access phase. Service availability may vary and scheduled maintenance periods may occur.
4. Administrator Consent & Required Permissions
AppTooling uses Just-In-Time (JIT) scope consent: permissions are requested at the point of use, not pre-authorised in bulk at sign-in. The following delegated permissions may be requested as you use individual tools:
User.Read,openid,profile,offline_access— requested at sign-in for authenticationApplication.Read.All— requested when you open any tool that reads application dataApplication.ReadWrite.All— requested when you use a tool that creates or modifies application registrations, credentials, manifest properties, or optional claimsDelegatedPermissionGrant.ReadWrite.All— requested when you use Consent Manager to manage OAuth 2.0 grantsAppRoleAssignment.ReadWrite.All— requested when you use AppRole Assignment ManagerPolicy.Read.All,Policy.ReadWrite.ApplicationConfiguration— requested when you use Claims Mapping Policy Tool- Additional scopes may be requested by the Graph Explorer when you target endpoints that require specific permissions
All permissions are delegated — AppTooling acts on behalf of the signed-in user and is bounded by that user's own Entra ID role. No application (app-only) permissions are used.
Administrator Responsibilities: Tenant administrators who grant the above permissions are responsible for ensuring that AppTooling access is restricted to authorised personnel and that usage complies with their organisation's security and change management policies.
5. User Responsibilities & Acceptable Use
Because AppTooling performs write operations against your Entra ID tenant, the following responsibilities apply:
You must:
- Use AppTooling only for authorised administrative purposes within your organisation and in compliance with your organisation's change management and IT security policies
- Ensure you are authorised to perform each specific operation before confirming it — AppTooling's confirmation dialogs are a checkpoint, not a substitute for proper authorisation
- Use the Backup & Restore tool to create snapshots before making changes to applications in production environments
- Treat newly created client secret values with the same care as any other production credential — they are displayed once and cannot be retrieved from AppTooling after dismissal
- Use the Graph Explorer tool responsibly — you have full read-write access to the Graph API endpoints your permissions allow
- Report any security vulnerabilities or unexpected behaviour promptly to support@appconfig.eu
Prohibited Uses:
- Using AppTooling to modify applications, credentials, or configurations you are not authorised to change
- Using the Graph Explorer to access or modify data outside your authorised scope
- Attempting to bypass confirmation dialogs, security controls, or access restrictions
- Using AppTooling to facilitate privilege escalation, persistence, or any malicious activity within a tenant
- Reverse engineering, tampering with, or misusing the application
- Using AppTooling in a tenant you do not have explicit authorisation to administer
6. Write Operation Safeguards
AppTooling incorporates the following built-in safeguards for write operations:
- Confirmation dialogs: Every create, update, delete, and restore operation requires explicit user confirmation before execution — there are no auto-save or background writes
- Diff view: The Manifest Editor displays a before/after diff of changed properties before applying a PATCH
- Automatic backup: The Backup & Restore tool creates a local snapshot of an application's configuration when you open it, giving you a baseline to restore from
- JIT consent: Permissions are requested at point-of-use so you always know what scope is being activated before a write operation becomes possible
- Audit trail: All write operations performed by AppTooling are recorded in your Microsoft Entra audit logs, which you can review in the Entra Admin Center
Irreversibility Notice: Some operations — such as revoking consent grants, deleting application registrations via Graph Explorer, or creating credentials — may not be easily reversible. Use the Backup & Restore feature before making significant changes, and test in non-production environments where your organisation's policies permit.
7. Data Handling
AppTooling uses two distinct browser storage mechanisms:
- sessionStorage: Authentication tokens and session state, isolated per browser tab, automatically cleared when the tab closes
- localStorage: Application configuration backup snapshots and UI preferences, persisting across sessions until explicitly deleted
No tenant data is transmitted to or stored on AppTooling servers. The JWT Token Decoder processes token values entirely within your browser. CSV or export functions (where available) generate files locally without any upload.
Please refer to the AppTooling Privacy Policy for full details on data handling, storage, and security.
8. Service Modifications & Updates
We reserve the right to:
- Modify, update, or discontinue individual tools or features with reasonable notice
- Perform scheduled maintenance that may temporarily affect service availability
- Update security measures, access controls, or the tenant allowlist as needed
- Add new tools or adjust existing tool behaviour in response to Microsoft Graph API changes
9. Limitation of Liability
The Service is provided "as is" without warranties of any kind. AppTooling and its developers are not responsible for:
- Changes made to your Entra ID tenant as a result of operations you confirm and execute within AppTooling
- Application downtime, authentication failures, or permission errors arising from configuration changes made via AppTooling
- Loss of a client secret value after it is dismissed from the one-time display
- Data loss or corruption that may occur during Backup & Restore operations
- Compliance violations resulting from improper use of the service or unauthorised operations
- Service interruptions or unavailability
- Unauthorised access to your Entra ID environment by third parties
User Responsibility: Users are responsible for obtaining proper authorisation before performing write operations, maintaining configuration backups before making changes, and verifying the impact of changes in non-production environments where possible.
10. Early Access Program
AppTooling is currently offered as part of an Early Access Program:
- Tool behaviour, available templates, and supported Graph API operations may change without prior notice
- Service availability is not guaranteed during this phase
- Early access participants may be invited to provide feedback and testing input
- Transition to a paid subscription may occur with advance notice to early access participants
11. Changes to Terms
We may update these Terms of Use periodically to reflect changes in the Service or applicable regulations. Users will be notified of significant updates through the application or email. Continued use of AppTooling after such updates constitutes acceptance of the revised terms.
12. Contact & Support
For questions about these Terms of Use, tenant access requests, or technical support, contact us at support@appconfig.eu. Professional support is included with all AppTooling subscriptions.