After creation, you need to create a service principal for that app to appear in "Enterprise applications":
| Entity | Endpoint | Tenant scope | Analogy | |--------|----------|--------------|---------| | Application | /v1.0/applications | Home tenant only | Blueprint | | Service Principal | /v1.0/servicePrincipals | One per tenant | Built house |
But $expand on passwordCredentials or keyCredentials is . Avoid it unless necessary. Instead, fetch apps first (no expand), then batch request credentials: https- graph.microsoft.com v1.0 applications
$body = @ displayName = "CI/CD Automation App" signInAudience = "AzureADMyOrg" keyCredentials = @( @ type = "AsymmetricX509Cert" usage = "Verify" key = $base64Cert startDateTime = (Get-Date -Format "yyyy-MM-ddTHH:mm:ssZ") endDateTime = (Get-Date).AddYears(1).ToString("yyyy-MM-ddTHH:mm:ssZ")
In this post, we’ll tear down the endpoint, explore its hidden properties, look at real-world automation patterns, and cover the security pitfalls that even seasoned admins miss. Before writing code, we need to clear up a massive source of confusion. After creation, you need to create a service
If you manage identity in Microsoft 365, you’ve probably spent countless hours in the Azure AD portal clicking through "App registrations." But behind every click is a REST API call.
Query for apps with unused delegated permissions: Before writing code, we need to clear up
The endpoint https://graph.microsoft.com/v1.0/applications is the programmatic backbone of application identity management in Entra ID (formerly Azure AD). It’s powerful, subtle, and—if you’re not careful—dangerous.
POST /servicePrincipals
This reduces throttling risk and improves predictability. The /v1.0 endpoint is stable and production-safe. But missing features: