Get-EntraServicePrincipal
Gets a service principal.
Syntax
Get-EntraServicePrincipal
[-Top <Int32>]
[-All]
[-Filter <String>]
[-Property <String[]>]
[<CommonParameters>]
Get-EntraServicePrincipal
[-SearchString <String>]
[-All]
[-Property <String[]>]
[<CommonParameters>]
Get-EntraServicePrincipal
-ServicePrincipalId <String>
[-All]
[-Property <String[]>]
[<CommonParameters>]
Description
The Get-EntraServicePrincipal cmdlet gets a service principal in Microsoft Entra ID.
Examples
Example 1: Retrieve all service principals from the directory
Connect-Entra -Scopes 'Application.Read.All'
Get-EntraServicePrincipal
ObjectId AppId DisplayName
-------- ----- -----------
bbbbbbbb-1111-2222-3333-cccccccccccc 00001111-aaaa-2222-bbbb-3333cccc4444 Demo App
aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 22223333-cccc-4444-dddd-5555eeee6666 Demo Two App
dddddddd-3333-4444-5555-eeeeeeeeeeee 33334444-dddd-5555-eeee-6666ffff7777 ProjectWorkManagement
This example retrieves all service principals from the directory.
Example 2: Retrieve a service principal by ServicePrincipalId
Connect-Entra -Scopes 'Application.Read.All'
Get-EntraServicePrincipal -ServicePrincipalId 'aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb'
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
M365 License Manager aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 00001111-aaaa-2222-bbbb-3333cccc4444 AzureADMultipleOrgs Application
This command retrieves a specific service principal.
The -ServicePrincipalId parameter specifies the ID of a service principal.
Example 3: Retrieve all service principals from the directory
Connect-Entra -Scopes 'Application.Read.All'
Get-EntraServicePrincipal -All
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
M365 License Manager aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 00001111-aaaa-2222-bbbb-3333cccc4444 AzureADMultipleOrgs Application
Microsoft Device Management Checkin bbbbbbbb-1111-2222-3333-cccccccccccc 11112222-bbbb-3333-cccc-4444dddd5555 AzureADMultipleOrgs Application
ProvisioningPowerBi cccccccc-2222-3333-4444-dddddddddddd 22223333-cccc-4444-dddd-5555eeee6666 Application
This example retrieves all service principals from the directory.
Example 4: Retrieve the top two service principals from the directory
Connect-Entra -Scopes 'Application.Read.All'
Get-EntraServicePrincipal -Top 2
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
M365 License Manager aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 00001111-aaaa-2222-bbbb-3333cccc4444 AzureADMultipleOrgs Application
Microsoft Device Management Checkin bbbbbbbb-1111-2222-3333-cccccccccccc 11112222-bbbb-3333-cccc-4444dddd5555 AzureADMultipleOrgs Application
This command retrieves the top two service principals from the directory.
Example 5: Get a service principal by display name
Connect-Entra -Scopes 'Application.Read.All'
Get-EntraServicePrincipal -Filter "DisplayName eq 'M365 License Manager'"
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
M365 License Manager aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 00001111-aaaa-2222-bbbb-3333cccc4444 AzureADMultipleOrgs Application
This example gets a service principal by its display name.
Example 6: Retrieve a list of all service principals that have a display name that contains "M365 License Manager"
Connect-Entra -Scopes 'Application.Read.All'
Get-EntraServicePrincipal -SearchString 'M365 License Manager'
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
M365 License Manager aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 00001111-aaaa-2222-bbbb-3333cccc4444 AzureADMultipleOrgs Application
This example gets a list of service principals that have the specified display name.
Example 7: Retrieve all Enterprise apps
Connect-Entra -Scopes 'Application.Read.All'
Get-EntraServicePrincipal -Filter "tags/Any(x: x eq 'WindowsAzureActiveDirectoryIntegratedApp')"
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
Enterprise App1 00001111-aaaa-2222-bbbb-3333cccc4444 33334444-dddd-5555-eeee-6666ffff7777 Application
Enterprise App2 11112222-bbbb-3333-cccc-4444dddd5555 22223333-cccc-4444-dddd-5555eeee6666 AzureADMultipleOrgs Application
This example demonstrates how to retrieve all enterprise apps.
Example 8: Retrieve all App proxy apps
Connect-Entra -Scopes 'Application.Read.All'
Get-EntraServicePrincipal -Filter "tags/Any(x: x eq 'WindowsAzureActiveDirectoryOnPremApp')"
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
App proxy 1 00001111-aaaa-2222-bbbb-3333cccc4444 33334444-dddd-5555-eeee-6666ffff7777 Application
App proxy 2 11112222-bbbb-3333-cccc-4444dddd5555 22223333-cccc-4444-dddd-5555eeee6666 AzureADMultipleOrgs Application
This example demonstrates how to retrieve all app proxy apps.
Example 9: Retrieve all disabled apps
Connect-Entra -Scopes 'Application.Read.All'
Get-EntraServicePrincipal -Filter "accountEnabled eq false"
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
Disabled App1 00001111-aaaa-2222-bbbb-3333cccc4444 33334444-dddd-5555-eeee-6666ffff7777 Application
This example demonstrates how to retrieve all disabled apps.
Example 10: Retrieve all Global Secure Access apps
Connect-Entra -Scopes 'Application.Read.All'
Get-EntraServicePrincipal -Filter "tags/Any(x: x eq 'PrivateAccessNonWebApplication') or tags/Any(x: x eq 'NetworkAccessManagedApplication')"
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
Global secure access app 00001111-aaaa-2222-bbbb-3333cccc4444 33334444-dddd-5555-eeee-6666ffff7777 Application
This example demonstrates how to retrieve all Global Secure Access apps.
Example 11: List all applications without user assignment
Connect-Entra -Scopes 'Application.Read.All'
Get-EntraServicePrincipal -All | Where-Object {$_.appRoleAssignmentRequired -ne 'true'}
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
App without user assignment 00001111-aaaa-2222-bbbb-3333cccc4444 33334444-dddd-5555-eeee-6666ffff7777 Application
This example demonstrates how to retrieve all applications without user assignment.
Example 12: List all SAML application details
Connect-Entra -Scopes 'Application.Read.All'
$servicePrincipal = Get-EntraServicePrincipal -Filter "PreferredSingleSignOnMode eq 'saml'"
$servicePrincipal | Select-Object Id, DisplayName, AccountEnabled, AppId, PreferredSingleSignOnMode, AppRoleAssignmentRequired, SignInAudience, NotificationEmailAddresses, PreferredTokenSigningKeyEndDateTime, PreferredTokenSigningKeyValid, ReplyUrls, LoginUrl, LogoutUrl | Format-Table -AutoSize
Id DisplayName AccountEnabled AppId PreferredSingleSignOnMode AppRoleAssignmentRequired SignInAudience NotificationEmailAddresses
-- ----------- -------------- ----- ------------------------- ------------------------- -------------- --------------
00001111-aaaa-2222-bbbb-3333cccc4444 SAML App True 33334444-dddd-5555-eeee-6666ffff7777 saml True AzureADMyOrg {admin@Contoso}
This example demonstrates how to retrieve all SAML application details.
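The properties selected in Example 12 can be turned into a review list of SAML service principals. The following is an added example, not part of the original reference or the Microsoft Entra PowerShell module: the function name Get-SamlServicePrincipalFinding, the 30-day threshold, the finding labels, and the sample objects are assumptions made for illustration.

```powershell
# Added example; Get-SamlServicePrincipalFinding is a hypothetical helper, not a module cmdlet.
function Get-SamlServicePrincipalFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject]$ServicePrincipal,
        [int]$WarnDays = 30,            # assumed review threshold
        [datetime]$Now = (Get-Date)
    )
    process {
        $sp = $ServicePrincipal
        $findings = [System.Collections.Generic.List[string]]::new()

        # Signing key end date: missing, already passed, or inside the warning window.
        # Assumes the property is a DateTime or a value PowerShell can convert to one.
        $end = $sp.PreferredTokenSigningKeyEndDateTime
        if ($null -eq $end) {
            $findings.Add('NoSigningKeyEndDate')
        } else {
            $daysLeft = [int][math]::Floor((([datetime]$end) - $Now).TotalDays)
            if ($daysLeft -lt 0) { $findings.Add('SigningKeyExpired') }
            elseif ($daysLeft -le $WarnDays) { $findings.Add("SigningKeyExpiresIn${daysLeft}d") }
        }

        # Enabled app with user assignment not required (the condition from Example 11).
        if ($sp.AccountEnabled -and -not $sp.AppRoleAssignmentRequired) {
            $findings.Add('NoUserAssignmentRequired')
        }

        # No address listed to receive notifications.
        if (-not $sp.NotificationEmailAddresses) { $findings.Add('NoNotificationEmail') }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{ DisplayName = $sp.DisplayName; Id = $sp.Id; Findings = $findings -join ',' }
        }
    }
}

# Constructed sample objects (not real tenant data) so the function runs offline.
$sample = @(
    [pscustomobject]@{ DisplayName = 'SAML App'; Id = '00001111-aaaa-2222-bbbb-3333cccc4444'; AccountEnabled = $true
        AppRoleAssignmentRequired = $true; NotificationEmailAddresses = @('admin@Contoso')
        PreferredTokenSigningKeyEndDateTime = [datetime]'2027-01-01' }
    [pscustomobject]@{ DisplayName = 'SAML App 2'; Id = '11112222-bbbb-3333-cccc-4444dddd5555'; AccountEnabled = $true
        AppRoleAssignmentRequired = $false; NotificationEmailAddresses = @()
        PreferredTokenSigningKeyEndDateTime = [datetime]'2025-01-25' }
)
$sample | Get-SamlServicePrincipalFinding -Now ([datetime]'2025-01-15')

# Live use, after Connect-Entra -Scopes 'Application.Read.All':
# Get-EntraServicePrincipal -Filter "PreferredSingleSignOnMode eq 'saml'" | Get-SamlServicePrincipalFinding
```

With the constructed input, only the second object is returned, carrying the findings SigningKeyExpiresIn10d, NoUserAssignmentRequired and NoNotificationEmail.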
Parameters
-All
List all pages.
Type: System.Management.Automation.SwitchParameter
Position: Named
Default value: False
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-Filter
Specifies an OData v4.0 filter statement. This parameter controls which objects are returned.
Type: System.String
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
-Property
Specifies properties to be returned.
Type: System.String[]
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-SearchString
Specifies a search string.
Type: System.String
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
-ServicePrincipalId
Specifies the ID of a service principal in Microsoft Entra ID.
Type: System.String
Aliases: ObjectId
Position: Named
Default value: None
Required: True
Accept pipeline input: True
Accept wildcard characters: False
-Top
Specifies the maximum number of records to return.
Type: System.Int32
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False