How to identify and create Service Principals of type "Enterprise Applications"

Dean Egan 20 Reputation points


On the EntraID UI, when you go to Home --> Enterprise Applications --> All Applications, there is a default filter called "Application type == Enterprise Application".

When you download the csv from this page, you get an export of all Service Principals, i.e. not just Application type == Enterprise Application.

From this csv, I can see there are multiple different types of applications - Enterprise Application, Managed Identity, Microsoft Application, and there are some Service Principals with no application type (it is blank).

When I use the Get-MgServicePrincipal cmdlet in Powershell (or the http endpoint), there is no field called "applicationType". There is no way to identify the service principals that are Enterprise applications, Microsoft applications, managed identities, or no application type - like it does in the csv export.

Then on the flip of that, when I use New-MgServicePrincipal cmdlet in Powershell (or the http endpoint) to create a new Service Principal, there is no way to set it so that it is a Service Principal that is Enterprise application or Microsoft application, etc.. in fact, when I created a test service principal using the cmdlet, i can see that the applicationType value in the csv export is blank.

Can someone please help me in creating a Service Principals and setting it so that it is application type of Enterprise Application and also how to identify the different application types using the API?

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
11,409 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,610 questions
0 comments No comments
{count} votes

Accepted answer
  1. Vasil Michev 100.1K Reputation points MVP

    All those are service principal objects. The ones designated as "Microsoft applications" are first-part ones, corresponding to apps developed by Microsoft, though there are some exceptions. The "Enterprise applications" view is a filter based on the tag "WindowsAzureActiveDirectoryIntegratedApp". So if you want to list only those, you'd use:

    Get-MgBetaServicePrincipal -All -Filter "tags/any(t:t eq 'WindowsAzureActiveDirectoryIntegratedApp')"

    whereas the same query without a filter will return all service principals (including "Microsoft applications" and managed identities).

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. Dean Egan 20 Reputation points

    Thank you very much for your help with this @Vasil Michev ! The Tag field was exactly what I needed.

    0 comments No comments