Get-EntraServicePrincipal

Gets a service principal.

Syntax

Get-EntraServicePrincipal
   [-Top <Int32>]
   [-All]
   [-Filter <String>]
   [-Property <String[]>]
   [<CommonParameters>]
Get-EntraServicePrincipal
   [-SearchString <String>]
   [-All]
   [-Property <String[]>]
   [<CommonParameters>]
Get-EntraServicePrincipal
   -ServicePrincipalId <String>
   [-All]
   [-Property <String[]>]
   [<CommonParameters>]

Description

The Get-EntraServicePrincipal cmdlet gets a service principal in Microsoft Entra ID.

Examples

Example 1: Retrieve all service principals from the directory

Connect-Entra -Scopes 'Application.Read.All'
Get-EntraServicePrincipal

ObjectId                             AppId                                DisplayName
--------                             -----                                -----------
bbbbbbbb-1111-2222-3333-cccccccccccc 00001111-aaaa-2222-bbbb-3333cccc4444 Demo App
aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 22223333-cccc-4444-dddd-5555eeee6666 Demo Two App
dddddddd-3333-4444-5555-eeeeeeeeeeee 33334444-dddd-5555-eeee-6666ffff7777 ProjectWorkManagement

This example retrieves all service principals from the directory.

Example 2: Retrieve a service principal by ServicePrincipalId

Connect-Entra -Scopes 'Application.Read.All'
$servicePrincipal = Get-EntraServicePrincipal -Filter "displayName eq 'Helpdesk Application'"
Get-EntraServicePrincipal -ServicePrincipalId $servicePrincipal.Id

DisplayName                         Id                                   AppId                                SignInAudience      ServicePrincipalType
-----------                         --                                   -----                                --------------      --------------------
Helpdesk Application                aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 00001111-aaaa-2222-bbbb-3333cccc4444 AzureADMultipleOrgs Application

This command retrieves a specific service principal.

  • The -ServicePrincipalId parameter specifies the ID of a service principal.

Example 3: Retrieve all service principals from the directory

Connect-Entra -Scopes 'Application.Read.All'
Get-EntraServicePrincipal -All

DisplayName                         Id                                   AppId                                SignInAudience      ServicePrincipalType
-----------                         --                                   -----                                --------------      --------------------
Helpdesk Application                aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 00001111-aaaa-2222-bbbb-3333cccc4444 AzureADMultipleOrgs Application
Microsoft Device Management Checkin bbbbbbbb-1111-2222-3333-cccccccccccc 11112222-bbbb-3333-cccc-4444dddd5555 AzureADMultipleOrgs Application
ProvisioningPowerBi                 cccccccc-2222-3333-4444-dddddddddddd 22223333-cccc-4444-dddd-5555eeee6666                     Application

This example retrieves all service principals from the directory.

Example 4: Retrieve the top two service principals from the directory

Connect-Entra -Scopes 'Application.Read.All'
Get-EntraServicePrincipal -Top 2

DisplayName                         Id                                   AppId                                SignInAudience      ServicePrincipalType
-----------                         --                                   -----                                --------------      --------------------
Helpdesk Application                aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 00001111-aaaa-2222-bbbb-3333cccc4444 AzureADMultipleOrgs Application
Microsoft Device Management Checkin bbbbbbbb-1111-2222-3333-cccccccccccc 11112222-bbbb-3333-cccc-4444dddd5555 AzureADMultipleOrgs Application

This command retrieves the top two service principals from the directory. You can use -Limit as an alias for -Top.

Example 5: Get a service principal by display name

Connect-Entra -Scopes 'Application.Read.All'
Get-EntraServicePrincipal -Filter "displayName eq 'Helpdesk Application'"

DisplayName                         Id                                   AppId                                SignInAudience      ServicePrincipalType
-----------                         --                                   -----                                --------------      --------------------
Helpdesk Application                aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 00001111-aaaa-2222-bbbb-3333cccc4444 AzureADMultipleOrgs Application

This example gets a service principal by its display name.

Example 6: Retrieve all service principals whose display name contains "Helpdesk Application"

Connect-Entra -Scopes 'Application.Read.All'
Get-EntraServicePrincipal -SearchString 'Helpdesk Application'

DisplayName                         Id                                   AppId                                SignInAudience      ServicePrincipalType
-----------                         --                                   -----                                --------------      --------------------
Helpdesk Application                aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 00001111-aaaa-2222-bbbb-3333cccc4444 AzureADMultipleOrgs Application

This example gets the list of service principals whose display name contains the specified string.

Example 7: Retrieve all Enterprise apps

Connect-Entra -Scopes 'Application.Read.All'
Get-EntraServicePrincipal -Filter "tags/Any(x: x eq 'WindowsAzureActiveDirectoryIntegratedApp')"

DisplayName         Id                                   AppId                                SignInAudience         ServicePrincipalType
-----------         --                                   -----                                --------------         --------------------
Enterprise App1     00001111-aaaa-2222-bbbb-3333cccc4444 33334444-dddd-5555-eeee-6666ffff7777                         Application
Enterprise App2     11112222-bbbb-3333-cccc-4444dddd5555 22223333-cccc-4444-dddd-5555eeee6666 AzureADMultipleOrgs    Application

This example demonstrates how to retrieve all enterprise apps.

Example 8: Retrieve all App proxy apps

Connect-Entra -Scopes 'Application.Read.All'
Get-EntraServicePrincipal -Filter "tags/Any(x: x eq 'WindowsAzureActiveDirectoryOnPremApp')"

DisplayName         Id                                   AppId                                SignInAudience         ServicePrincipalType
-----------         --                                   -----                                --------------         --------------------
App proxy 1         00001111-aaaa-2222-bbbb-3333cccc4444 33334444-dddd-5555-eeee-6666ffff7777                        Application
App proxy 2         11112222-bbbb-3333-cccc-4444dddd5555 22223333-cccc-4444-dddd-5555eeee6666 AzureADMultipleOrgs    Application

This example demonstrates how to retrieve all app proxy apps.

Example 9: Retrieve all disabled apps

Connect-Entra -Scopes 'Application.Read.All'
Get-EntraServicePrincipal -Filter "accountEnabled eq false"

DisplayName         Id                                   AppId                                SignInAudience         ServicePrincipalType
-----------         --                                   -----                                --------------         --------------------
Disabled App1       00001111-aaaa-2222-bbbb-3333cccc4444 33334444-dddd-5555-eeee-6666ffff7777                        Application

This example demonstrates how to retrieve all disabled apps.

Example 10: Retrieve all Global Secure Access apps

Connect-Entra -Scopes 'Application.Read.All'
Get-EntraServicePrincipal -Filter "tags/Any(x: x eq 'PrivateAccessNonWebApplication') or tags/Any(x: x eq 'NetworkAccessManagedApplication')"

DisplayName         Id                                   AppId                                SignInAudience         ServicePrincipalType
-----------         --                                   -----                                --------------         --------------------
Global secure access app     00001111-aaaa-2222-bbbb-3333cccc4444 33334444-dddd-5555-eeee-6666ffff7777                         Application

This example demonstrates how to retrieve all Global Secure Access apps.

Example 11: List all applications without user assignment

Connect-Entra -Scopes 'Application.Read.All'
Get-EntraServicePrincipal -All | Where-Object { $_.AppRoleAssignmentRequired -ne $true }

DisplayName                     Id                                   AppId                                SignInAudience         ServicePrincipalType
-----------                     --                                   -----                                --------------         --------------------
App without user assignment     00001111-aaaa-2222-bbbb-3333cccc4444 33334444-dddd-5555-eeee-6666ffff7777                         Application

This example demonstrates how to retrieve all applications that don't require user assignment (AppRoleAssignmentRequired is not true).

Example 12: List all SAML application details

Connect-Entra -Scopes 'Application.Read.All'
$servicePrincipal = Get-EntraServicePrincipal -Filter "PreferredSingleSignOnMode eq 'saml'"
$servicePrincipal | Select-Object Id, DisplayName, AccountEnabled, AppId, PreferredSingleSignOnMode, AppRoleAssignmentRequired, SignInAudience, NotificationEmailAddresses, PreferredTokenSigningKeyEndDateTime, PreferredTokenSigningKeyValid, ReplyUrls, LoginUrl, LogoutUrl | Format-Table -AutoSize

Id                                   DisplayName                           AccountEnabled AppId                                PreferredSingleSignOnMode AppRoleAssignmentRequired SignInAudience NotificationEmailAddresses
--                                   -----------                           -------------- -----                                ------------------------- ------------------------- -------------- --------------
00001111-aaaa-2222-bbbb-3333cccc4444 SAML App                             True            33334444-dddd-5555-eeee-6666ffff7777 saml                              True                    AzureADMyOrg   {admin@Contoso}

This example demonstrates how to retrieve all SAML application details.

Example 13: List service principal app roles

Connect-Entra -Scopes 'Application.Read.All'
$servicePrincipal = Get-EntraServicePrincipal -SearchString 'Contoso Helpdesk Application'
$servicePrincipal.AppRoles | Format-Table -AutoSize

AllowedMemberTypes    Description        DisplayName       Id                                   IsEnabled  Origin       Value        
------------------    -----------        -----------       --                                   ---------  ------       -----        
{User, Application}   General All        General All       gggggggg-6666-7777-8888-hhhhhhhhhhhh  True       Application  Survey.Read  
{Application}         General App Only   General Apponly   hhhhhhhh-7777-8888-9999-iiiiiiiiiiii  True       Application  Task.Write   
{User}                General role       General           bbbbbbbb-1111-2222-3333-cccccccccccc  True       Application  General

This example shows how you can retrieve app roles for a service principal.

Example 14: List applications (service principals) outside my tenant

Connect-Entra -Scopes 'Application.Read.All'
$tenantId = Get-EntraContext | Select-Object -ExpandProperty TenantId
$servicePrincipals = Get-EntraServicePrincipal -All -Property AppOwnerOrganizationId, Id, DisplayName, AppId
$externalServicePrincipals = $servicePrincipals | Where-Object { $_.AppOwnerOrganizationId -ne $tenantId }
$externalServicePrincipals | Select-Object DisplayName, Id, AppId, AppOwnerOrganizationId | Format-Table -AutoSize

DisplayName                                             Id                                   AppId                                AppOwnerOrganizationId
-----------                                             --                                   -----                                ----------------------
Azure MFA StrongAuthenticationService                   aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 00001111-aaaa-2222-bbbb-3333cccc4444 f8cdef31-a31e-4b4a-93e4-5f571e91255a
M365 Label Analytics                                    bbbbbbbb-1111-2222-3333-cccccccccccc 11112222-bbbb-3333-cccc-4444dddd5555 f8cdef31-a31e-4b4a-93e4-5f571e91255a
PowerApps-Advisor                                       cccccccc-2222-3333-4444-dddddddddddd 22223333-cccc-4444-dddd-5555eeee6666 f8cdef31-a31e-4b4a-93e4-5f571e91255a

This example shows how you can retrieve applications (service principals) that are owned by a different tenant than the one you're connected to.
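The following is an added example, not part of the Entra PowerShell documentation: it combines the checks from Examples 9, 11 and 14 into a single read-only review report. It assumes an existing Connect-Entra session with Application.Read.All, that Get-EntraContext returns the connected TenantId, and that -Property accepts the property names shown in the outputs above; the function name is hypothetical.

```powershell
# Added example (not from the Entra PowerShell docs). Builds one review report from
# the filters shown in Examples 9, 11 and 14. Assumes an existing Connect-Entra session.
function Get-ServicePrincipalReviewReport {
    [CmdletBinding()]
    param(
        # Tenant whose apps count as "internal"; defaults to the connected tenant.
        [string]$TenantId = (Get-EntraContext | Select-Object -ExpandProperty TenantId)
    )

    # Request only the properties the report needs (assumption: -Property accepts these names).
    $properties = @(
        'Id', 'AppId', 'DisplayName', 'AccountEnabled', 'AppRoleAssignmentRequired',
        'AppOwnerOrganizationId', 'PreferredSingleSignOnMode'
    )
    $servicePrincipals = Get-EntraServicePrincipal -All -Property $properties

    foreach ($sp in $servicePrincipals) {
        $findings = [System.Collections.Generic.List[string]]::new()

        # Enabled app that users can sign in to without an assignment (Example 11).
        if ($sp.AccountEnabled -and -not $sp.AppRoleAssignmentRequired) {
            $findings.Add('OpenToAllUsers')
        }
        # Owned by another tenant (Example 14). First-party Microsoft apps show up here
        # too, as the AppOwnerOrganizationId values in Example 14's output illustrate.
        if ($sp.AppOwnerOrganizationId -and $sp.AppOwnerOrganizationId -ne $TenantId) {
            $findings.Add('ExternalOwner')
        }
        # SAML single sign-on apps (Example 12) whose signing key lifetime is worth reviewing.
        if ($sp.PreferredSingleSignOnMode -eq 'saml') { $findings.Add('SamlSso') }
        # Disabled apps (Example 9) are listed so they can be reviewed for removal.
        if (-not $sp.AccountEnabled) { $findings.Add('Disabled') }

        [PSCustomObject]@{
            DisplayName            = $sp.DisplayName
            AppId                  = $sp.AppId
            Id                     = $sp.Id
            AppOwnerOrganizationId = $sp.AppOwnerOrganizationId
            Findings               = ($findings -join ',')
        }
    }
}

# Usage: show only service principals with at least one finding, most findings first.
Get-ServicePrincipalReviewReport |
    Where-Object { $_.Findings } |
    Sort-Object { ($_.Findings -split ',').Count } -Descending |
    Format-Table -AutoSize
```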

Parameters

-All

List all pages.

Type: System.Management.Automation.SwitchParameter
Position: Named
Default value: False
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-Filter

Specifies an OData v4.0 filter statement. This parameter controls which objects are returned.

Type: System.String
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False

-Property

Specifies properties to be returned.

Type: System.String[]
Aliases: Select
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-SearchString

Specifies a search string; service principals whose display name contains it are returned (see Example 6).

Type: System.String
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False

-ServicePrincipalId

Specifies the ID of a service principal in Microsoft Entra ID.

Type: System.String
Aliases: ObjectId
Position: Named
Default value: None
Required: True
Accept pipeline input: True
Accept wildcard characters: False

-Top

Specifies the maximum number of records to return.

Type: System.Int32
Aliases: Limit
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False