Is there a way to retrieve cloud application details using the App ID (Client ID) of an application?

Question

I'm looking for a way to retrieve all details for an application using its Application ID (client_id). Something similar to the Graph endpoint https://graph.microsoft.com/v1.0/servicePrincipals?$search="appId:<client_id>", but this endpoint only returns data if the Application is used somewhere in my own tenant. I'm looking for a globally available method to retrieve this information all possibly available applications. Specifically looking for information on whether the publisher of an application is verified.

Some of the information I'm looking for is also available by calling https://login.microsoftonline.com/common/adminconsent?client_id=<client_id>

For example when using the client_id for the GMail app, calling this URL https://login.microsoftonline.com/common/adminconsent?client_id=2cee05de-2b8f-45a2-8289-2a06ca32c4c8 will prompt me for consent and shows me the name, publisher, logo and validation status. In this gase: Gmail, Google LLC and it's a verified publisher. I want to be able to retrieve this information programatically so I can enrich user consent warnings with this information in my SIEM across multiple tenants.

Any ideas? Thanks in advance!

Answer 1

Hi @Vaisha Bernard · Welcome to Q&A platform and thanks for your query.

Unfortunately this is not possible. You can fetch all the details of a given application only when you have permission to read the application objects in the tenant where the application is registered, which require roles such as application developer/application admin/cloud application admin/global admin etc. to be assigned to the user.

Also, from engineering perspective, searching an application globally with App ID without tenant info. will be a very intensive query as the search would need to be performed against millions of Azure AD tenants.

The example that you have shared only works for multi-tenant applications and can't be used for single tenant apps. The purpose of the adminconsent endpoint is, for admins to review the publisher and permissions, that application will be having in the tenant after the admin grants consent and creates a service principal corresponding to the app in his tenant. Also, this is not an efficient way of fetching the information.

Feel free to tag me in your reply if you have any further questions.

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 2

@AmanpreetSingh-MSFT Thank you for your answer! We indeed only need this information for multi-tentant applications. I understand the purpose of the adminconsent endpoint, that's why I am looking for another way to retrieve the same information. Given that the adminconsent endpoint is able to show this information, the information itself is not restricted. So I suppose there should be no objection to be able to retrieve it in any other way?

I'm asking because we spcifically monitor and review these consent to application alerts across multiple tenants and many users. Our job would be a lot easier if we are able to enrich the information we receive (the client_id of the application) with the publisher and whether the publisher is verified. In that way if we have to review a consent to an application alert hypothetically called "gmall" with publisher "Googie", and status "unverified", we can more easily escalate the alert to an incident as this is almost certainly a malicious application.

Answer 3

Hi @Vaisha Bernard · This is not possible. If information is exposed via consent framework, that doesn't mean, the information can be fetched via any other way as well.