Edit

List servicePrincipals

  • Article

Namespace: microsoft.graph

Retrieve a list of servicePrincipal objects.

This API is available in the following national cloud deployments.

Global service US Government L4 US Government L5 (DOD) China operated by 21Vianet

Permissions

Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

Permission type Least privileged permissions Higher privileged permissions
Delegated (work or school account) Application.Read.All Application.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All
Delegated (personal Microsoft account) Not supported. Not supported.
Application Application.Read.All Application.ReadWrite.OwnedBy, Application.ReadWrite.All, Directory.Read.All

Note

The Application.ReadWrite.OwnedBy permission allows an app to call GET /applications and GET /servicePrincipals to list all applications and service principals in the tenant. This scope of access has been allowed for the permission.

HTTP request

GET /servicePrincipals

Optional query parameters

This method supports the $count, $expand, $filter, $orderby, $search, $select, and $top OData query parameters to help customize the response. The default and maximum page sizes are 100 and 999 service principal objects respectively. Some queries are supported only when you use the ConsistencyLevel header set to eventual and $count. For more information, see Advanced query capabilities on directory objects.

By default, this API doesn't return the value of the key in the keyCredentials property when listing all service principals. To retrieve the public key info in key, the keyCredentials property must be specified in a $select query. For example, $select=id,appId,keyCredentials.

The use of $select to get keyCredentials for service principals has a throttling limit of 150 requests per minute for every tenant.

Request headers

Name Description
Authorization Bearer {token}. Required.
ConsistencyLevel eventual. This header and $count are required when using $search, or when using $filter with the $orderby query parameter. It uses an index that may not be up-to-date with recent changes to the object.

Request body

Don't supply a request body for this method.

Response

If successful, this method returns a 200 OK response code and collection of servicePrincipal objects in the response body.

Examples

Example 1: Get a list of service principals

Request

The following example shows a request.

GET https://graph.microsoft.com/v1.0/servicePrincipals

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-type: application/json

{
  "value": [
    {
      "accountEnabled":true,
      "displayName":"amasf",
      "servicePrincipalType":"Application",
      "signInAudience":"AzureADMyOrg"
    }
  ]
}

Example 2: Get only a count of service principals

Request

The following example shows a request. This request requires the ConsistencyLevel header set to eventual because $count is in the request. For more information about the use of ConsistencyLevel and $count, see Advanced query capabilities on directory objects.

Note: The $count and $search query parameters are currently not available in Azure AD B2C tenants.

GET https://graph.microsoft.com/v1.0/servicePrincipals/$count
ConsistencyLevel: eventual

Response

The following example shows the response.

HTTP/1.1 200 OK
Content-type: text/plain

893

Example 3: Use $filter and $top to get one service principal with a display name that starts with 'a' including a count of returned objects

Request

The following example shows a request. This request requires the ConsistencyLevel header set to eventual and the $count=true query string because the request has both the $orderby and $filter query parameters. For more information about the use of ConsistencyLevel and $count, see Advanced query capabilities on directory objects.

Note: The $count and $search query parameters are currently not available in Azure AD B2C tenants.

GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=startswith(displayName, 'a')&$count=true&$top=1&$orderby=displayName
ConsistencyLevel: eventual

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-type: application/json

{
  "@odata.context":"https://graph.microsoft.com/v1.0/$metadata#servicePrincipals",
  "@odata.count":1,
  "value":[
    {
      "accountEnabled":true,
      "displayName":"a",
      "servicePrincipalType":"Application",
      "signInAudience":"AzureADMyOrg"
    }
  ]
}

Example 4: Use $search to get service principals with display names that contain the letters 'Team' including a count of returned objects

Request

The following example shows a request. This request requires the ConsistencyLevel header set to eventual because $search and the $count=true query string is in the request. For more information about the use of ConsistencyLevel and $count, see Advanced query capabilities on directory objects.

Note: The $count and $search query parameters are currently not available in Azure AD B2C tenants.

GET https://graph.microsoft.com/v1.0/servicePrincipals?$search="displayName:Team"&$count=true&$select=accountEnabled,displayName,publisherName,servicePrincipalType,signInAudience
ConsistencyLevel: eventual

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-type: application/json

{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals(accountEnabled,displayName,publisherName,servicePrincipalType,signInAudience)",
  "@odata.count":1396,
  "value":[
    {
      "accountEnabled":true,
      "displayName":"myContosoTeam",
      "servicePrincipalType":"Application",
      "signInAudience":"AzureADMyOrg"
    }
  ]
}

Example 5: Get service principals with less than two owners

Request

Here is an example of the request. This request requires the ConsistencyLevel header set to eventual because $count is in the request. For more information about the use of ConsistencyLevel and $count, see Advanced query capabilities on directory objects.

Note: The $count and $search query parameters are currently not available in Azure AD B2C tenants.

GET https://graph.microsoft.com/v1.0/serviceprincipals?$filter=owners/$count eq 0 or owners/$count eq 1&$count=true&$select=id,displayName
ConsistencyLevel: eventual

Response

Here is an example of the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals(id,displayName)",
    "@odata.count": 3,
    "value": [
        {
            "id": "c4ca17b7-4f3e-4c3a-b884-bfa4100c745d",
            "displayName": "Box"
        },
        {
            "id": "b5966bf3-e895-4f01-ae19-64f434c35b58",
            "displayName": "LinkedIn"
        },
        {
            "id": "ed17bd95-fbef-43eb-abea-9496e46eee42",
            "displayName": "BrowserStack"
        }
    ]
}