Manage apps
An app needs to be registered in Microsoft Entra ID before the Microsoft identity platform can authorize it to access data stored in Microsoft Entra or Microsoft 365 tenants. This condition applies to apps that you develop yourself, that your tenant owns, or that you access through an active subscription.
Many settings for apps are recorded as objects that can be accessed, updated, or deleted using Microsoft Entra PowerShell. These objects include applications, service principals, and app role assignments.
In this article, you learn how to manage app registrations and service principal objects using Microsoft Entra PowerShell. It covers registering applications, configuring properties, assigning permissions, and managing app ownership.
Prerequisites
To manage apps with Microsoft Entra PowerShell, you need:
- A Microsoft Entra user account. If you don't already have one, you can create an account for free.
- One of the following roles:
- Grant yourself the least privileged delegated permission indicated for the operation.
- Microsoft Entra PowerShell module installed. Follow the Install Microsoft Entra PowerShell module guide to install the module.
Register an application
The following request creates an app by specifying only the required displayName property.
Connect-Entra -Scopes 'Application.ReadWrite.All'
New-EntraApplication -DisplayName 'My new application'
DisplayName Id AppId SignInAudience PublisherDomain
----------- -- ----- -------------- -----------
My new application aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb bbbbbbbb-1111-2222-3333-cccccccccccc MyOrg
The application is assigned an ID that's unique for apps in the tenant, and an appId that's globally unique in the Microsoft Entra ecosystem.
Create a service principal for an application
Connect-Entra -Scopes 'Application.ReadWrite.All'
$myApp = Get-EntraApplication -Filter "DisplayName eq 'My new application'"
New-EntraServicePrincipal -AppId $myApp.AppId -DisplayName 'My new service principal'
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
My new application bbbbbbbb-1111-2222-3333-cccccccccccc 00001111-aaaa-2222-bbbb-3333cccc4444 MyOrg Application
Configure basic properties for your app
You can configure multiple properties for your app. The following example shows how to update the display name of an application.
Connect-Entra -Scopes 'Application.ReadWrite.All'
$application = Get-EntraApplication -Filter "DisplayName eq 'My new application'"
Set-EntraApplication -ApplicationId $application.Id -DisplayName 'Contoso application'
Alternatively, use pipelining to update properties of an application.
Connect-Entra -Scopes 'Application.ReadWrite.All'
Get-EntraApplication -Filter "DisplayName eq 'My new application'" | Set-EntraApplication -DisplayName 'Contoso application'
For more information, see Set-EntraApplication.
Limit app sign-in to only assigned identities
Limiting app sign-ins to only assigned identities using Microsoft Entra PowerShell ensures that only authorized users can access your applications, enhancing security and control.
Connect-Entra -Scopes 'Application.ReadWrite.All'
$application = Get-EntraApplication -Filter "DisplayName eq 'My new application'"
Set-EntraServicePrincipal -ServicePrincipalId $application.Id -AppRoleAssignmentRequired $true
Assign permissions to an app
You assign permissions to an app through the Microsoft Entra admin center or by using Microsoft Entra PowerShell. In PowerShell, you update the app's requiredResourceAccess property, including both existing and new permissions. Passing only new permissions removes any existing ones that aren't consented to.
Assigning permissions doesn't automatically grant them to the app. You must still grant admin consent using the Microsoft Entra admin center.
Connect-Entra -Scopes 'Application.ReadWrite.All'
$application = Get-EntraApplication -Filter "DisplayName eq 'My new application'"
$requiredResourceAccess = @(
@{resourceAppId = '00000003-0000-0000-c000-000000000000'
resourceAccess = @(
@{
id = 'c79f8feb-a9db-4090-85f9-90d820caa0eb'
type = 'Scope'
}
@{
id = '9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30'
type = 'Role'
} )
})
Set-EntraApplication -ApplicationId $application.Id -RequiredResourceAccess $requiredResourceAccess
Manage owners
Retrieve the owner of a service principal
Connect-Entra -Scopes 'Application.ReadWrite.All'
$servicePrincipal = Get-EntraServicePrincipal -Filter "displayName eq 'Helpdesk Application'"
Get-EntraServicePrincipalOwner -ServicePrincipalId $servicePrincipal.Id -All | Select-Object Id, DisplayName, '@odata.type'
Alternatively, use pipelining to retrieve the service principal's owner.
Get-EntraServicePrincipal -Filter "displayName eq 'Helpdesk Application'" | Get-EntraServicePrincipalOwner | Select-Object Id, DisplayName, '@odata.type'
Assign an owner to a service principal
Connect-Entra -Scopes 'Application.ReadWrite.All', 'Application.ReadWrite.OwnedBy'
$servicePrincipal = Get-EntraServicePrincipal -Filter "displayName eq 'Helpdesk Application'"
$owner = Get-EntraUser -UserId 'SawyerM@contoso.com'
Add-EntraServicePrincipalOwner -ServicePrincipalId $servicePrincipal.Id -OwnerId $owner.Id
This example shows how to add an owner to a service principal.
-ServicePrincipalId- specifies the unique identifier (ObjectId) of the service principal to which you want to add an owner.-OwnerId- specifies the unique identifier (ObjectId) of the user or group that you want to add as an owner of the specified service principal.
Get a list of all applications without user assignment
To get a list of all applications that don't require user assignment, use the following command.
Connect-Entra -Scopes 'Application.ReadWrite.All'
Get-EntraServicePrincipal -All | Where-Object {$_.appRoleAssignmentRequired -ne 'True'}
DisplayName Id AppId SignInAudience ServicePrincipalType
----------------------------------- ----------------------------------- --------------------------------- ----------------- ------------------
Microsoft password reset service 00aa00aa-bb11-cc22-dd33-44ee44ee44ee 93625bc8-bfe2-437a-97e0-3d0060024faa AzureADMultipleOrgs Application
Microsoft.Azure.SyncFabric 11bb11bb-cc22-dd33-ee44-55ff55ff55ff 00000014-0000-0000-c000-000000000000 AzureADMultipleOrgs Application
Azure Security Insights 22cc22cc-dd33-ee44-ff55-66aa66aa66aa 98785600-1bb7-4fb9-b9fa-19afe2c8a360 AzureADMultipleOrgs Application
Retrieving objects owned or created by a service principal
Objects created by a service principal
Connect-Entra -Scopes 'Application.Read.All'
$servicePrincipal = Get-EntraServicePrincipal -Filter "displayName eq 'Helpdesk Application'"
Get-EntraServicePrincipalCreatedObject -ServicePrincipalId $servicePrincipal.Id
Objects owned by a service principal
Connect-Entra -Scopes 'Application.Read.All'
$servicePrincipal = Get-EntraServicePrincipal -Filter "displayName eq 'Helpdesk Application'"
Get-EntraServicePrincipalOwnedObject -ServicePrincipalId $servicePrincipal.Id -All | Select-Object Id, DisplayName, '@odata.type'
Applications with expiring secrets and certificates
Expiring application secrets or passwords
$expirationThreshold = (Get-Date).AddDays(30)
$appsWithExpiringPasswords = Get-EntraApplication -All | Where-Object { $_.PasswordCredentials } |
ForEach-Object {
$app = $_
$app.PasswordCredentials | Where-Object { $_.EndDate -le $expirationThreshold } |
ForEach-Object {
[PSCustomObject]@{
DisplayName = $app.DisplayName
AppId = $app.AppId
SecretDisplayName = $_.DisplayName
KeyId = $_.KeyId
ExpiringSecret = $_.EndDate
}
}
}
$appsWithExpiringPasswords | Format-Table DisplayName, AppId, SecretDisplayName, KeyId, ExpiringSecret -AutoSize
Expiring certificates
$expirationThreshold = (Get-Date).AddDays(30)
$appsWithExpiringKeys = Get-EntraApplication -All | Where-Object { $_.KeyCredentials } |
ForEach-Object {
$app = $_
$app.KeyCredentials | Where-Object { $_.EndDate -le $expirationThreshold } |
ForEach-Object {
[PSCustomObject]@{
DisplayName = $app.DisplayName
AppId = $app.AppId
CertificateDisplayName = $_.DisplayName
KeyId = $_.KeyId
ExpiringKeys = $_.EndDate
}
}
}
$appsWithExpiringKeys | Format-Table DisplayName, AppId, CertificateDisplayName, KeyId, ExpiringKeys -AutoSize