Gets a service principal.
Get-EntraBetaServicePrincipal [-Top <Int32>] [-Filter <String>] [-Property <String[]>]
Get-EntraBetaServicePrincipal [-SearchString <String>] [-Property <String[]>]
Get-EntraBetaServicePrincipal -ServicePrincipalId <String> [-Property <String[]>]
The Get-EntraBetaServicePrincipal cmdlet gets a service principal in Microsoft Entra ID.
Example 1: Retrieve all service principals from the directory
Connect-Entra -Scopes 'Application.Read.All'
Get-EntraBetaServicePrincipal
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
Helpdesk Application aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 00001111-aaaa-2222-bbbb-3333cccc4444 AzureADMultipleOrgs Application
Microsoft Device Management Checkin bbbbbbbb-1111-2222-3333-cccccccccccc 11112222-bbbb-3333-cccc-4444dddd5555 AzureADMultipleOrgs Application
ProvisioningPowerBi cccccccc-2222-3333-4444-dddddddddddd 22223333-cccc-4444-dddd-5555eeee6666 Application
This example retrieves all service principals from the directory.
Example 2: Retrieve a service principal by ServicePrincipalId
Connect-Entra -Scopes 'Application.Read.All'
$servicePrincipal = Get-EntraBetaServicePrincipal -Filter "displayName eq 'Helpdesk Application'"
Get-EntraBetaServicePrincipal -ServicePrincipalId $servicePrincipal.Id
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
Helpdesk Application aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 00001111-aaaa-2222-bbbb-3333cccc4444 AzureADMultipleOrgs Application
This command retrieves a specific service principal.
The -ServicePrincipalId parameter specifies the ID of a service principal.
Example 3: Retrieve all service principals from the directory
Connect-Entra -Scopes 'Application.Read.All'
Get-EntraBetaServicePrincipal -All
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
Helpdesk Application aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 00001111-aaaa-2222-bbbb-3333cccc4444 AzureADMultipleOrgs Application
Microsoft Device Management Checkin bbbbbbbb-1111-2222-3333-cccccccccccc 11112222-bbbb-3333-cccc-4444dddd5555 AzureADMultipleOrgs Application
ProvisioningPowerBi cccccccc-2222-3333-4444-dddddddddddd 22223333-cccc-4444-dddd-5555eeee6666 Application
This example retrieves all service principals from the directory.
Example 4: Retrieve the top two service principals from the directory
Connect-Entra -Scopes 'Application.Read.All'
Get-EntraBetaServicePrincipal -Top 2
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
Helpdesk Application aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 00001111-aaaa-2222-bbbb-3333cccc4444 AzureADMultipleOrgs Application
Microsoft Device Management Checkin bbbbbbbb-1111-2222-3333-cccccccccccc 11112222-bbbb-3333-cccc-4444dddd5555 AzureADMultipleOrgs Application
This command retrieves the top two service principals from the directory. You can use -Limit as an alias for -Top.
Example 5: Get a service principal by display name
Connect-Entra -Scopes 'Application.Read.All'
Get-EntraBetaServicePrincipal -Filter "DisplayName eq 'Helpdesk Application'"
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
Helpdesk Application aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 00001111-aaaa-2222-bbbb-3333cccc4444 AzureADMultipleOrgs Application
This example gets a service principal by its display name.
Example 6: Retrieve a list of all service principals that have a display name that contains "Helpdesk Application"
Connect-Entra -Scopes 'Application.Read.All'
Get-EntraBetaServicePrincipal -SearchString 'Helpdesk Application'
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
Helpdesk Application aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 00001111-aaaa-2222-bbbb-3333cccc4444 AzureADMultipleOrgs Application
This example gets a list of service principals that have the specified display name.
Example 7: Retrieve all Enterprise apps
Connect-Entra -Scopes 'Application.Read.All'
Get-EntraBetaServicePrincipal -Filter "tags/Any(x: x eq 'WindowsAzureActiveDirectoryIntegratedApp')"
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
Enterprise App1 00001111-aaaa-2222-bbbb-3333cccc4444 33334444-dddd-5555-eeee-6666ffff7777 Application
Enterprise App2 11112222-bbbb-3333-cccc-4444dddd5555 22223333-cccc-4444-dddd-5555eeee6666 AzureADMultipleOrgs Application
This example demonstrates how to retrieve all enterprise apps.
Example 8: Retrieve all App proxy apps
Connect-Entra -Scopes 'Application.Read.All'
Get-EntraBetaServicePrincipal -Filter "tags/Any(x: x eq 'WindowsAzureActiveDirectoryOnPremApp')"
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
App proxy 1 00001111-aaaa-2222-bbbb-3333cccc4444 33334444-dddd-5555-eeee-6666ffff7777 Application
App proxy 2 11112222-bbbb-3333-cccc-4444dddd5555 22223333-cccc-4444-dddd-5555eeee6666 AzureADMultipleOrgs Application
This example demonstrates how to retrieve all app proxy apps.
Example 9: Retrieve all disabled apps
Connect-Entra -Scopes 'Application.Read.All'
Get-EntraBetaServicePrincipal -Filter "accountEnabled eq false"
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
Disabled App1 00001111-aaaa-2222-bbbb-3333cccc4444 33334444-dddd-5555-eeee-6666ffff7777 Application
This example demonstrates how to retrieve all disabled apps.
Example 10: Retrieve all Global Secure Access apps
Connect-Entra -Scopes 'Application.Read.All'
Get-EntraBetaServicePrincipal -Filter "tags/Any(x: x eq 'PrivateAccessNonWebApplication') or tags/Any(x: x eq 'NetworkAccessManagedApplication')"
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
Global secure access app 00001111-aaaa-2222-bbbb-3333cccc4444 33334444-dddd-5555-eeee-6666ffff7777 Application
This example demonstrates how to retrieve all Global Secure Access apps.
Example 11: List all applications without user assignment
Connect-Entra -Scopes 'Application.Read.All'
Get-EntraBetaServicePrincipal -All | Where-Object {$_.appRoleAssignmentRequired -ne 'true'}
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
App without user assignment 00001111-aaaa-2222-bbbb-3333cccc4444 33334444-dddd-5555-eeee-6666ffff7777 Application
This example demonstrates how to retrieve all applications without user assignment.
Example 12: List all SAML application details
Connect-Entra -Scopes 'Application.Read.All'
$servicePrincipal = Get-EntraBetaServicePrincipal -Filter "PreferredSingleSignOnMode eq 'saml'"
$servicePrincipal | Select-Object Id, DisplayName, AccountEnabled, AppId, PreferredSingleSignOnMode, AppRoleAssignmentRequired, SignInAudience, NotificationEmailAddresses, PreferredTokenSigningKeyEndDateTime, PreferredTokenSigningKeyValid, ReplyUrls,LoginUrl, LogoutUrl | Format-Table -AutoSize
Id DisplayName AccountEnabled AppId PreferredSingleSignOnMode AppRoleAssignmentRequired SignInAudience NotificationEmailAddresses
-- ----------- -------------- ----- ------------------------- ------------------------- -------------- --------------
00001111-aaaa-2222-bbbb-3333cccc4444 SAML App True 33334444-dddd-5555-eeee-6666ffff7777 saml True AzureADMyOrg {admin@Contoso}
This example demonstrates how to retrieve all SAML application details.
Example 13: List service principal app roles
Connect-Entra -Scopes 'Application.Read.All'
$servicePrincipal = Get-EntraBetaServicePrincipal -SearchString 'Contoso Helpdesk Application'
$servicePrincipal.AppRoles | Format-Table -AutoSize
AllowedMemberTypes Description DisplayName Id IsEnabled Origin Value
------------------ ----------- ----------- -- --------- ------ -----
{User, Application} General All General All gggggggg-6666-7777-8888-hhhhhhhhhhhh True Application Survey.Read
{Application} General App Only General Apponly hhhhhhhh-7777-8888-9999-iiiiiiiiiiii True Application Task.Write
{User} General role General bbbbbbbb-1111-2222-3333-cccccccccccc True Application General
This example shows how you can retrieve app roles for a service principal.
Example 14: List applications (service principals) outside my tenant
Connect-Entra -Scopes 'Application.Read.All'
$tenantId = Get-EntraContext | Select-Object -ExpandProperty TenantId
$servicePrincipals = Get-EntraBetaServicePrincipal -All -Property AppOwnerOrganizationId, Id, DisplayName, AppId
$externalServicePrincipals = $servicePrincipals | Where-Object { $_.AppOwnerOrganizationId -ne $tenantId }
$externalServicePrincipals | Select-Object DisplayName, Id, AppId, AppOwnerOrganizationId | Format-Table -AutoSize
DisplayName Id AppId AppOwnerOrganizationId
----------- -- ----- ----------------------
Azure MFA StrongAuthenticationService aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 00001111-aaaa-2222-bbbb-3333cccc4444 f8cdef31-a31e-4b4a-93e4-5f571e91255a
M365 Label Analytics bbbbbbbb-1111-2222-3333-cccccccccccc 11112222-bbbb-3333-cccc-4444dddd5555 f8cdef31-a31e-4b4a-93e4-5f571e91255a
PowerApps-Advisor cccccccc-2222-3333-4444-dddddddddddd 22223333-cccc-4444-dddd-5555eeee6666 f8cdef31-a31e-4b4a-93e4-5f571e91255a
This example shows how you can retrieve applications (service principals) outside my tenant.
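The conditions from Examples 9, 11 and 14 can be combined into a single access-review pass over the directory. The following is an added example, not part of the original reference: the function name Get-ServicePrincipalReviewFlag, the flag names and the sample objects (including the sample tenant ID) are constructed for illustration, and only the cmdlets and properties already shown on this page are used.

```powershell
# Added example: flag service principals for access review (hypothetical helper).
function Get-ServicePrincipalReviewFlag {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $ServicePrincipal,
        [Parameter(Mandatory)] [string] $TenantId
    )
    process {
        $flags = [System.Collections.Generic.List[string]]::new()
        $owner = [string]$ServicePrincipal.AppOwnerOrganizationId
        # Owner tenant differs from ours (the Example 14 comparison);
        # a missing value is reported separately instead of counting as external.
        if (-not $owner) {
            $flags.Add('OwnerTenantMissing')
        } elseif ($owner -ne $TenantId) {
            $flags.Add('ExternalOwner')
        }
        # User assignment is not required (the Example 11 condition).
        if ($ServicePrincipal.AppRoleAssignmentRequired -ne $true) { $flags.Add('NoAssignmentRequired') }
        # Sign-in is disabled (the Example 9 condition).
        if ($ServicePrincipal.AccountEnabled -eq $false) { $flags.Add('Disabled') }

        [pscustomobject]@{
            DisplayName = $ServicePrincipal.DisplayName
            Id          = $ServicePrincipal.Id
            Flags       = $flags -join ','
            # Enabled, owned elsewhere, and open to every user in the tenant.
            NeedsReview = $flags.Contains('ExternalOwner') -and
                          $flags.Contains('NoAssignmentRequired') -and
                          -not $flags.Contains('Disabled')
        }
    }
}

# Constructed sample objects so the function runs offline; all IDs are placeholders.
$tenantId = 'aaaabbbb-0000-cccc-1111-dddd2222eeee'
$sample = @(
    [pscustomobject]@{ DisplayName = 'Helpdesk Application'; Id = 'aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb'
        AppOwnerOrganizationId = $tenantId; AppRoleAssignmentRequired = $true; AccountEnabled = $true }
    [pscustomobject]@{ DisplayName = 'PowerApps-Advisor'; Id = 'cccccccc-2222-3333-4444-dddddddddddd'
        AppOwnerOrganizationId = 'f8cdef31-a31e-4b4a-93e4-5f571e91255a'; AppRoleAssignmentRequired = $false; AccountEnabled = $true }
    [pscustomobject]@{ DisplayName = 'Disabled App1'; Id = '00001111-aaaa-2222-bbbb-3333cccc4444'
        AppOwnerOrganizationId = 'f8cdef31-a31e-4b4a-93e4-5f571e91255a'; AppRoleAssignmentRequired = $false; AccountEnabled = $false }
)
$sample | Get-ServicePrincipalReviewFlag -TenantId $tenantId | Format-Table -AutoSize

# Live use, with the same calls as Examples 9, 11 and 14:
# Connect-Entra -Scopes 'Application.Read.All'
# $tenantId = Get-EntraContext | Select-Object -ExpandProperty TenantId
# Get-EntraBetaServicePrincipal -All -Property Id, DisplayName, AppOwnerOrganizationId, AppRoleAssignmentRequired, AccountEnabled |
#     Get-ServicePrincipalReviewFlag -TenantId $tenantId | Where-Object NeedsReview
```

With the sample data, only PowerApps-Advisor has NeedsReview set to True: the Helpdesk Application is owned by the sample tenant and requires assignment, and Disabled App1 is disabled.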
-All
List all pages.
Type: System.Management.Automation.SwitchParameter
Position: Named
Default value: False
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-Filter
Specifies an OData v4.0 filter statement. This parameter controls which objects are returned.
Type: System.String
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
-Property
Specifies properties to be returned.
Type: System.String[]
Aliases: Select
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-SearchString
Specifies a search string.
Type: System.String
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
-ServicePrincipalId
Specifies the ID of a service principal in Microsoft Entra ID.
Type: System.String
Aliases: ObjectId
Position: Named
Default value: None
Required: True
Accept pipeline input: True
Accept wildcard characters: False
-Top
Specifies the maximum number of records to return.
Type: System.Int32
Aliases: Limit
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False