pnp · MartinM85 · Jul 7, 2025
diff --git a/docs/docs/cmd/entra/app/app-add.mdx b/docs/docs/cmd/entra/app/app-add.mdx
@@ -31,7 +31,7 @@ m365 entra appregistration add [options]
 : Comma-separated list of redirect URIs. Requires `platform` to be specified.
 
 `-p, --platform [platform]`
-: Platform for which the `redirectUris` should be configured. Allowed values `spa`, `web`, `publicClient`. Requires `redirectUris` to be specified.
+: Platform for which the app should be configured. Allowed values `spa`, `web`, `publicClient`, `apple`, `android`.
 
 `--implicitFlow`
 : Specify, to indicate that the authorization endpoint should return ID and access tokens.
@@ -75,6 +75,12 @@ m365 entra appregistration add [options]
 `--manifest [manifest]`
 : App manifest as retrieved from Entra ID to create the app registration from. Specify either `name` or `manifest` but not both.
 
+`--bundleId [bundleId]`
+: Specify a bundle Id to add the iOS / macOS or Android platform to the application. Required when platform is `apple` or `android`.
+
+`--signatureHash [signatureHash]`
+: A required hash when specifying a bundle Id and platform `android`.
+
 `--save`
 : Use to store the information about the created app in a local file.
 

diff --git a/src/m365/entra/commands/app/app-add.spec.ts b/src/m365/entra/commands/app/app-add.spec.ts
@@ -6602,6 +6602,36 @@ describe(commands.APP_ADD, () => {
     assert.strictEqual(actual, true);
   });
 
+  it('passes validation if platform is apple and bundleId is specified', async () => {
+    const actual = await command.validate({ options: { name: 'My Microsoft Entra app', platform: 'apple', bundleId: 'com.contoso.app' } }, commandInfo);
+    assert.strictEqual(actual, true);
+  });
+
+  it('fails validation if platform is apple, but bundleId is missing', async () => {
+    const actual = await command.validate({ options: { name: 'My Microsoft Entra app', platform: 'apple' } }, commandInfo);
+    assert.notStrictEqual(actual, true);
+  });
+
+  it('passes validation if platform is android and bundleId and signatureHash is specified', async () => {
+    const actual = await command.validate({ options: { name: 'My Microsoft Entra app', platform: 'apple', bundleId: 'com.contoso.app', signatureHash: '2pmj9i4rSx0yEb/viWBYkE/ZQrk=' } }, commandInfo);
+    assert.strictEqual(actual, true);
+  });
+
+  it('fails validation if platform is android, but bundleId is missing', async () => {
+    const actual = await command.validate({ options: { name: 'My Microsoft Entra app', platform: 'android', signatureHash: '2pmj9i4rSx0yEb/viWBYkE/ZQrk=' } }, commandInfo);
+    assert.notStrictEqual(actual, true);
+  });
+
+  it('fails validation if platform is android, but signatureHash is missing', async () => {
+    const actual = await command.validate({ options: { name: 'My Microsoft Entra app', platform: 'android', bundleId: 'com.contoso.app' } }, commandInfo);
+    assert.notStrictEqual(actual, true);
+  });
+
+  it('fails validation if platform is android, but bundleId and signatureHash is missing', async () => {
+    const actual = await command.validate({ options: { name: 'My Microsoft Entra app', platform: 'android' } }, commandInfo);
+    assert.notStrictEqual(actual, true);
+  });
+
   it('creates Microsoft Entra app reg for a web app from a manifest with redirectUris and options overriding them', async () => {
     sinon.stub(request, 'get').callsFake(async opts => {
       if (opts.url === 'https://graph.microsoft.com/v1.0/myorganization/servicePrincipals?$select=appId,appRoles,id,oauth2PermissionScopes,servicePrincipalNames') {
@@ -7983,4 +8013,203 @@ describe(commands.APP_ADD, () => {
       tenantId: ''
     }));
   });
+
+  it('creates Microsoft Entra app reg for an apple app with the specified redirect URI', async () => {
+    sinon.stub(request, 'get').rejects('Issues GET request');
+    sinon.stub(request, 'patch').rejects('Issued PATCH request');
+    sinon.stub(request, 'post').callsFake(async opts => {
+      if (opts.url === 'https://graph.microsoft.com/v1.0/myorganization/applications' &&
+        JSON.stringify(opts.data) === JSON.stringify({
+          "displayName": "My Microsoft Entra app",
+          "signInAudience": "AzureADMyOrg",
+          "publicClient": {
+            "redirectUris": [
+              "msauth://code/msauth.com.contoso.app%3A%2F%2Fauth",
+              "msauth.com.contoso.app://auth"
+            ]
+          }
+        })) {
+        return {
+          "id": "f1bb2138-bff1-491e-b082-9f447f3742b8",
+          "deletedDateTime": null,
+          "appId": "1ce0287c-9ccc-457e-a0cf-3ec5b734c092",
+          "applicationTemplateId": null,
+          "createdDateTime": "2020-12-31T14:56:17.4207858Z",
+          "displayName": "My Microsoft Entra app",
+          "description": null,
+          "groupMembershipClaims": null,
+          "identifierUris": [],
+          "isDeviceOnlyAuthSupported": null,
+          "isFallbackPublicClient": null,
+          "notes": null,
+          "optionalClaims": null,
+          "publisherDomain": "M365x271534.onmicrosoft.com",
+          "signInAudience": "AzureADMyOrg",
+          "tags": [],
+          "tokenEncryptionKeyId": null,
+          "verifiedPublisher": {
+            "displayName": null,
+            "verifiedPublisherId": null,
+            "addedDateTime": null
+          },
+          "spa": {
+            "redirectUris": []
+          },
+          "defaultRedirectUri": null,
+          "addIns": [],
+          "api": {
+            "acceptMappedClaims": null,
+            "knownClientApplications": [],
+            "requestedAccessTokenVersion": null,
+            "oauth2PermissionScopes": [],
+            "preAuthorizedApplications": []
+          },
+          "appRoles": [],
+          "info": {
+            "logoUrl": null,
+            "marketingUrl": null,
+            "privacyStatementUrl": null,
+            "supportUrl": null,
+            "termsOfServiceUrl": null
+          },
+          "keyCredentials": [],
+          "parentalControlSettings": {
+            "countriesBlockedForMinors": [],
+            "legalAgeGroupRule": "Allow"
+          },
+          "passwordCredentials": [],
+          "publicClient": {
+            "redirectUris": [
+              "msauth://code/msauth.com.contoso.app%3A%2F%2Fauth",
+              "msauth.com.contoso.app://auth"
+            ]
+          },
+          "requiredResourceAccess": [],
+          "web": {
+            "homePageUrl": null,
+            "logoutUrl": null,
+            "redirectUris": [],
+            "implicitGrantSettings": {
+              "enableAccessTokenIssuance": false,
+              "enableIdTokenIssuance": false
+            }
+          }
+        };
+      }
+
+      throw `Invalid POST request: ${JSON.stringify(opts, null, 2)}`;
+    });
+
+    await command.action(logger, {
+      options: {
+        name: 'My Microsoft Entra app',
+        platform: 'apple',
+        bundleId: 'com.contoso.app'
+      }
+    });
+    assert(loggerLogSpy.calledWith({
+      appId: '1ce0287c-9ccc-457e-a0cf-3ec5b734c092',
+      objectId: 'f1bb2138-bff1-491e-b082-9f447f3742b8',
+      tenantId: ''
+    }));
+  });
+
+  it('creates Microsoft Entra app reg for an android app with the specified redirect URI', async () => {
+    sinon.stub(request, 'get').rejects('Issues GET request');
+    sinon.stub(request, 'patch').rejects('Issued PATCH request');
+    sinon.stub(request, 'post').callsFake(async opts => {
+      if (opts.url === 'https://graph.microsoft.com/v1.0/myorganization/applications' &&
+        JSON.stringify(opts.data) === JSON.stringify({
+          "displayName": "My Microsoft Entra app",
+          "signInAudience": "AzureADMyOrg",
+          "publicClient": {
+            "redirectUris": [
+              "msauth://com.contoso.app/2pmj9i4rSx0yEb%2FviWBYkE%2FZQrk%3D"
+            ]
+          }
+        })) {
+        return {
+          "id": "f1bb2138-bff1-491e-b082-9f447f3742b8",
+          "deletedDateTime": null,
+          "appId": "1ce0287c-9ccc-457e-a0cf-3ec5b734c092",
+          "applicationTemplateId": null,
+          "createdDateTime": "2020-12-31T14:56:17.4207858Z",
+          "displayName": "My Microsoft Entra app",
+          "description": null,
+          "groupMembershipClaims": null,
+          "identifierUris": [],
+          "isDeviceOnlyAuthSupported": null,
+          "isFallbackPublicClient": null,
+          "notes": null,
+          "optionalClaims": null,
+          "publisherDomain": "M365x271534.onmicrosoft.com",
+          "signInAudience": "AzureADMyOrg",
+          "tags": [],
+          "tokenEncryptionKeyId": null,
+          "verifiedPublisher": {
+            "displayName": null,
+            "verifiedPublisherId": null,
+            "addedDateTime": null
+          },
+          "spa": {
+            "redirectUris": []
+          },
+          "defaultRedirectUri": null,
+          "addIns": [],
+          "api": {
+            "acceptMappedClaims": null,
+            "knownClientApplications": [],
+            "requestedAccessTokenVersion": null,
+            "oauth2PermissionScopes": [],
+            "preAuthorizedApplications": []
+          },
+          "appRoles": [],
+          "info": {
+            "logoUrl": null,
+            "marketingUrl": null,
+            "privacyStatementUrl": null,
+            "supportUrl": null,
+            "termsOfServiceUrl": null
+          },
+          "keyCredentials": [],
+          "parentalControlSettings": {
+            "countriesBlockedForMinors": [],
+            "legalAgeGroupRule": "Allow"
+          },
+          "passwordCredentials": [],
+          "publicClient": {
+            "redirectUris": [
+              "msauth://com.contoso.app/2pmj9i4rSx0yEb%2FviWBYkE%2FZQrk%3D"
+            ]
+          },
+          "requiredResourceAccess": [],
+          "web": {
+            "homePageUrl": null,
+            "logoutUrl": null,
+            "redirectUris": [],
+            "implicitGrantSettings": {
+              "enableAccessTokenIssuance": false,
+              "enableIdTokenIssuance": false
+            }
+          }
+        };
+      }
+
+      throw `Invalid POST request: ${JSON.stringify(opts, null, 2)}`;
+    });
+
+    await command.action(logger, {
+      options: {
+        name: 'My Microsoft Entra app',
+        platform: 'android',
+        bundleId: 'com.contoso.app',
+        signatureHash: '2pmj9i4rSx0yEb/viWBYkE/ZQrk='
+      }
+    });
+    assert(loggerLogSpy.calledWith({
+      appId: '1ce0287c-9ccc-457e-a0cf-3ec5b734c092',
+      objectId: 'f1bb2138-bff1-491e-b082-9f447f3742b8',
+      tenantId: ''
+    }));
+  });
 });
diff --git a/src/m365/entra/commands/app/app-add.ts b/src/m365/entra/commands/app/app-add.ts
@@ -28,7 +28,7 @@ interface Options extends GlobalOptions, AppCreationOptions {
 }
 
 class EntraAppAddCommand extends GraphCommand {
-  private static entraApplicationPlatform: string[] = ['spa', 'web', 'publicClient'];
+  private static entraApplicationPlatform: string[] = ['spa', 'web', 'publicClient', 'apple', 'android'];
   private static entraAppScopeConsentBy: string[] = ['admins', 'adminsAndUsers'];
   private manifest: any;
   private appName: string = '';
@@ -72,7 +72,9 @@ class EntraAppAddCommand extends GraphCommand {
         certificateBase64Encoded: typeof args.options.certificateBase64Encoded !== 'undefined',
         certificateDisplayName: typeof args.options.certificateDisplayName !== 'undefined',
         grantAdminConsent: typeof args.options.grantAdminConsent !== 'undefined',
-        allowPublicClientFlows: typeof args.options.allowPublicClientFlows !== 'undefined'
+        allowPublicClientFlows: typeof args.options.allowPublicClientFlows !== 'undefined',
+        bundleId: typeof args.options.bundleId !== 'undefined',
+        signatureHash: typeof args.options.signatureHash !== 'undefined'
       });
     });
   }
@@ -132,6 +134,12 @@ class EntraAppAddCommand extends GraphCommand {
       {
         option: '--manifest [manifest]'
       },
+      {
+        option: '--bundleId [bundleId]'
+      },
+      {
+        option: '--signatureHash [signatureHash]'
+      },
       {
         option: '--save'
       },
@@ -203,6 +211,14 @@ class EntraAppAddCommand extends GraphCommand {
           }
         }
 
+        if (args.options.platform === 'apple' && !args.options.bundleId) {
+          return `When you use platform apple, you'll need to specify bundleId`;
+        }
+
+        if (args.options.platform === 'android' && (!args.options.bundleId || !args.options.signatureHash)) {
+          return `When you use platform android, you'll need to specify bundleId and signatureHash`;
+        }
+
         return true;
       },
     );

diff --git a/src/utils/entraApp.ts b/src/utils/entraApp.ts
@@ -39,6 +39,8 @@ export interface AppCreationOptions {
   certificateBase64Encoded?: string;
   certificateDisplayName?: string;
   allowPublicClientFlows?: boolean;
+  bundleId?: string;
+  signatureHash?: string;
 }
 
 export interface AppPermissions {
@@ -240,6 +242,23 @@ export const entraApp = {
       };
     }
 
+    if (options.platform === 'android') {
+      applicationInfo['publicClient'] = {
+        redirectUris: [
+          `msauth://${options.bundleId}/${formatting.encodeQueryParameter(options.signatureHash!)}`
+        ]
+      };
+    }
+
+    if (options.platform === 'apple') {
+      applicationInfo['publicClient'] = {
+        redirectUris: [
+          `msauth://code/msauth.${options.bundleId}%3A%2F%2Fauth`,
+          `msauth.${options.bundleId}://auth`
+        ]
+      };
+    }
+
     if (options.implicitFlow) {
       if (!applicationInfo.web) {
         applicationInfo.web = {};