Manage apps
Your app needs to be registered in Microsoft Entra ID before the Microsoft identity platform can authorize it to access data stored in Microsoft Entra or Microsoft 365 tenants. This condition applies to apps that you develop yourself, that your tenant owns, or that you access through an active subscription.
Many settings for apps are recorded as objects that can be accessed, updated, or deleted using Microsoft Entra PowerShell. In this article, you learn how to use Microsoft Entra PowerShell to manage app and service principal objects.
Prerequisites
To manage apps with Microsoft Entra PowerShell, you need:
- A Microsoft Entra user account. If you don't already have one, you can create an account for free.
- Grant yourself the least privileged delegated permission indicated for the operation.
- Microsoft Entra PowerShell module installed. Follow the Install Microsoft Entra PowerShell module guide to install the module.
Register an application
The following request creates an app by specifying only the required displayName property.
Connect-Entra -Scopes 'Application.ReadWrite.All'
New-EntraApplication -DisplayName 'My new application'
DisplayName Id AppId SignInAudience PublisherDomain
----------- -- ----- -------------- -----------
My new application aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb bbbbbbbb-1111-2222-3333-cccccccccccc MyOrg
The application is assigned an ID that's unique for apps in the tenant, and an appId that's globally unique in the Microsoft Entra ecosystem.
Create a service principal for an application
Connect-Entra -Scopes 'Application.ReadWrite.All'
$myApp=(Get-EntraApplication -Filter "DisplayName eq 'My new application'")
New-EntraServicePrincipal -AppId $myApp.AppId
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
My new application bbbbbbbb-1111-2222-3333-cccccccccccc 00001111-aaaa-2222-bbbb-3333cccc4444 MyOrg Application
Configure basic properties for your app
You can configure multiple properties for your app. The following example shows how to update the display name of an application:
Connect-Entra -Scopes 'Application.ReadWrite.All'
$application = Get-EntraApplication -Filter "DisplayName eq 'My new application'"
$parameters = @{
    ApplicationId = $application.Id
    DisplayName   = 'Contoso application'
}
Set-EntraApplication @parameters
The following example shows how to update the sign-out URL of an application:
Connect-Entra -Scopes 'Application.ReadWrite.All'
$application = Get-EntraApplication -Filter "DisplayName eq 'My new application'"
$appParams = @{
    ApplicationId = $application.Id
    LogoutUrl     = 'https://contoso.com/Security/ADFS.aspx/logout'
}
Set-EntraApplication @appParams
For more information, see Set-EntraApplication.
Limit app sign-in to only assigned identities
Setting AppRoleAssignmentRequired to $True on the app's service principal limits sign-in to the users and groups that have been assigned to the app; other identities in the tenant are refused. The setting lives on the service principal, not on the application object, so look up the service principal by display name and pass its Id:
Connect-Entra -Scopes 'Application.ReadWrite.All'
$servicePrincipal = Get-EntraServicePrincipal -Filter "DisplayName eq 'My new application'"
$servicePrincipalParams = @{
    ServicePrincipalId        = $servicePrincipal.Id
    AppRoleAssignmentRequired = $True
}
Set-EntraServicePrincipal @servicePrincipalParams
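The three steps above (register the app, create its service principal, require assignment) as one script that is safe to re-run. This is an added example, not code from the article or from the Microsoft Entra PowerShell project; it assumes Get-EntraServicePrincipal accepts -ServicePrincipalId for the read-back, and the display name is a placeholder.

```powershell
# Added example: register an app, ensure it has a service principal, and require
# assignment before anyone can sign in. Re-running must not create duplicates.
Connect-Entra -Scopes 'Application.ReadWrite.All'

$displayName = 'My new application'   # placeholder

# Find the app by name, create it only if it does not exist yet.
$app = Get-EntraApplication -Filter "DisplayName eq '$displayName'"
if (-not $app) {
    $app = New-EntraApplication -DisplayName $displayName
}

# The service principal is linked to the app by AppId, not by the app object's Id.
$sp = Get-EntraServicePrincipal -Filter "AppId eq '$($app.AppId)'"
if (-not $sp) {
    $sp = New-EntraServicePrincipal -AppId $app.AppId
}

# Service-principal settings are applied with the service principal's own Id.
Set-EntraServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired $True

# Read back and verify that the setting actually took effect (assumes -ServicePrincipalId).
$check = Get-EntraServicePrincipal -ServicePrincipalId $sp.Id
if ($check.AppRoleAssignmentRequired -ne $true) {
    throw "Assignment is still not required for '$displayName' ($($sp.Id))."
}

# Summary of the three related identifiers; the two object Ids differ, the AppId is shared.
[pscustomobject]@{
    DisplayName               = $check.DisplayName
    ApplicationObjectId       = $app.Id
    ServicePrincipalObjectId  = $sp.Id
    AppId                     = $app.AppId
    AppRoleAssignmentRequired = $check.AppRoleAssignmentRequired
}
```

The summary object makes the point that trips people up: the application object and the service principal are two objects with two different Ids that share one AppId, and cmdlets named for the service principal want the service principal's Id.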
Assign permissions to an app
You assign permissions to an app through the Microsoft Entra admin center or by using Microsoft Entra PowerShell. In PowerShell, you update the app's requiredResourceAccess property, including both existing and new permissions, because the value you pass replaces the whole property. If you only pass in new permissions, it removes any existing permissions that haven't been consented to.
Assigning permissions doesn't automatically grant them to the app. You must still grant admin consent using the Microsoft Entra admin center.
Connect-Entra -Scopes 'Application.ReadWrite.All'
$application = Get-EntraApplication -Filter "DisplayName eq 'My new application'"
$requiredResourceAccess = @(
    @{
        resourceAppId  = '00000003-0000-0000-c000-000000000000'
        resourceAccess = @(
            @{
                id   = 'c79f8feb-a9db-4090-85f9-90d820caa0eb'
                type = 'Scope'
            }
            @{
                id   = '9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30'
                type = 'Role'
            }
        )
    }
)
Set-EntraApplication -ApplicationId $application.Id -RequiredResourceAccess $requiredResourceAccess
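Because the value replaces the whole property, the safe pattern is to read the current requiredResourceAccess, merge the new entries into it, and write the merged list back. The following is an added example, not the article's or the module's own code; it assumes that Get-EntraApplication returns RequiredResourceAccess entries with ResourceAppId and ResourceAccess (Id, Type) properties, and it reuses the resource and permission IDs from the article's example above.

```powershell
# Added example: add permissions to requiredResourceAccess without dropping existing ones.
Connect-Entra -Scopes 'Application.ReadWrite.All'

$app = Get-EntraApplication -Filter "DisplayName eq 'My new application'"

$resourceAppId = '00000003-0000-0000-c000-000000000000'   # resource app from the article's example
$wanted = @(
    @{ id = 'c79f8feb-a9db-4090-85f9-90d820caa0eb'; type = 'Scope' }   # delegated permission (from the article)
    @{ id = '9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30'; type = 'Role' }    # application permission (from the article)
)

# Index what the app already requires: resourceAppId -> (permission id -> entry).
# Assumes the property names ResourceAppId / ResourceAccess / Id / Type on the returned object.
$merged = @{}
foreach ($entry in @($app.RequiredResourceAccess)) {
    if (-not $merged.ContainsKey($entry.ResourceAppId)) { $merged[$entry.ResourceAppId] = @{} }
    foreach ($access in @($entry.ResourceAccess)) {
        $merged[$entry.ResourceAppId][$access.Id] = @{ id = $access.Id; type = $access.Type }
    }
}

# Merge in the new permissions; an id that is already present is kept as-is.
if (-not $merged.ContainsKey($resourceAppId)) { $merged[$resourceAppId] = @{} }
foreach ($perm in $wanted) {
    if (-not $merged[$resourceAppId].ContainsKey($perm.id)) {
        $merged[$resourceAppId][$perm.id] = $perm
        Write-Host "Adding $($perm.type) $($perm.id) on $resourceAppId"
    }
}

# Rebuild the array in the shape the article passes to -RequiredResourceAccess.
$requiredResourceAccess = @(
    foreach ($rid in $merged.Keys) {
        @{
            resourceAppId  = $rid
            resourceAccess = @($merged[$rid].Values)
        }
    }
)

Set-EntraApplication -ApplicationId $app.Id -RequiredResourceAccess $requiredResourceAccess

# As the article notes, this records the requirement only; admin consent is still granted separately.
```

Keying the merge on the permission id (rather than comparing whole entries) is what makes the script idempotent: running it twice adds nothing the second time, and permissions on other resource apps survive untouched.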
Manage owners
Retrieve the owner of a service principal
Connect-Entra -Scopes 'Application.ReadWrite.All'
$servicePrincipalId = (Get-EntraServicePrincipal -Top 1).Id
Get-EntraServicePrincipalOwner -ServicePrincipalId $servicePrincipalId
Assign an owner to a service principal
Connect-Entra -Scopes 'Application.ReadWrite.All'
$servicePrincipalId = (Get-EntraServicePrincipal -Top 1).Id
$ownerId = (Get-EntraUser -Top 1).Id
$params = @{
ServicePrincipalId = $servicePrincipalId
RefObjectId = $ownerId
}
Add-EntraServicePrincipalOwner @params
This example shows how to add an owner to a service principal.
- -ServicePrincipalId specifies the unique identifier (ObjectId) of the service principal to which you want to add an owner.
- -RefObjectId specifies the unique identifier (ObjectId) of the user or group that you want to add as an owner of the specified service principal.
Get a list of all applications without user assignment
To get a list of all applications that don't require user assignment, use the following command. The property is a Boolean, so compare it with $true rather than with the string 'True':
Connect-Entra -Scopes 'Application.ReadWrite.All'
Get-EntraServicePrincipal -All | Where-Object { $_.AppRoleAssignmentRequired -ne $true }
DisplayName Id AppId SignInAudience ServicePrincipalType
----------------------------------- ----------------------------------- --------------------------------- ----------------- ------------------
Microsoft password reset service 00aa00aa-bb11-cc22-dd33-44ee44ee44ee 93625bc8-bfe2-437a-97e0-3d0060024faa AzureADMultipleOrgs Application
Microsoft.Azure.SyncFabric 11bb11bb-cc22-dd33-ee44-55ff55ff55ff 00000014-0000-0000-c000-000000000000 AzureADMultipleOrgs Application
Azure Security Insights 22cc22cc-dd33-ee44-ff55-66aa66aa66aa 98785600-1bb7-4fb9-b9fa-19afe2c8a360 AzureADMultipleOrgs Application
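The two sections above (owners, and apps that don't require assignment) combine into a useful hygiene check: which apps can any user in the tenant sign in to, and who owns them. This is an added example, not code from the article or from the module; it assumes that Get-EntraServicePrincipalOwner returns objects with DisplayName, that filtering on ServicePrincipalType 'Application' is enough to leave managed identities out, and that the read-only Application.Read.All scope is sufficient for these calls.

```powershell
# Added example: report service principals that do not require assignment, with their owners,
# so that openly accessible apps nobody owns stand out at the top of the list.
Connect-Entra -Scopes 'Application.Read.All'   # read-only scope is enough here (assumption)

$report = foreach ($sp in Get-EntraServicePrincipal -All) {
    # Keep enterprise apps only (assumption: this type filter excludes managed identities).
    if ($sp.ServicePrincipalType -ne 'Application') { continue }
    # Skip apps that already require assignment; they are not the concern here.
    if ($sp.AppRoleAssignmentRequired -eq $true) { continue }

    # Owners as an array so .Count is correct even for zero or one owner.
    $owners = @(Get-EntraServicePrincipalOwner -ServicePrincipalId $sp.Id)

    [pscustomobject]@{
        DisplayName    = $sp.DisplayName
        Id             = $sp.Id
        AppId          = $sp.AppId
        SignInAudience = $sp.SignInAudience
        OwnerCount     = $owners.Count
        Owners         = ($owners | ForEach-Object { $_.DisplayName }) -join '; '   # assumes DisplayName on owner objects
    }
}

# Ownerless, openly accessible apps first: nobody is accountable for who signs in to them.
$report | Sort-Object OwnerCount, DisplayName | Format-Table -AutoSize

# Keep the list so the next run can be compared against it.
$report | Export-Csv -Path '.\open-apps-owners.csv' -NoTypeInformation
```

The natural follow-ups for each row are the cmdlets already shown in this article: Add-EntraServicePrincipalOwner to assign an accountable owner, and Set-EntraServicePrincipal with AppRoleAssignmentRequired set to $True once the intended users and groups have been assigned.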