Graph cmdlets and Azure AD App Registrations

I have been working a fair bit on Azure AD App Registrations using Graph cmdlets this past week.

There’s very little help available for most of these cmdlets so this post is meant to be a running reference for my future self on the stuff I figured out.

Application vs Service Principal

Get-MgApplication is for the App Registration.

Get-MgServicePrincipal is for the Enterprise Application (the Service Principal that gets created from the App Registration basically).


To search for an App Registration (and ditto for Service Principal just use the other cmdlet):

The result has an Id and AppId.

The AppId is the application/ client Id in the portal, but the Id is what you’ll need when dealing with Graph. In the portal this is the object Id.

For the next few sections assume I have an App Registration object stored in a variable:

Secrets & Certificates

The KeyCredentials property has the certificates. The PasswordCredentials property has the secrets. Both appear empty if you were to look at the application properties, so you’ll have to refer to them explicitly. For example:

This is because these properties are not pulled by default.

To add a secret use Add-MgApplicationPassword:

For certificates the corresponding Add-MgApplicationKey cmdlet doesn’t do the trick as it expects you to submit a “proof” signed with the key of an existing certificate. I haven’t managed to get this working though I have a question open on StackOverflow and Microsoft regarding this so I’ll update the post once I have an answer.

If the App Registration has no certificates currently then a different cmdlet Update-MgApplicationKey can help with certificates.

Information on the keyCredential resource type can be found at this link. The key thing is the key. If you are using Graph API directly this has to be a Base64 encoded version of the public certificate, converted via for example [System.Convert]::ToBase64String($Cert.GetRawCertData()). But when using the Graph cmdlets it has to be the binary version.

Type has to be AsymmetricX509Cert and Usage has to be Verify.

To remove secrets there’s the Remove-MgApplicationPassword. It needs the Id of the Key you want to remove.

For certificates, the Remove-MgApplicationKey won’t do the job for similar reasons as adding a certificate. Again, if it’s the last certificate that you want to remove then Update-MgApplication can help.

Owner Info

The output of Get-MgApplication does not include the owner info. For this you need Get-MgApplicationOwner.

The result is a GUID of the object who owns it, so a further call to Get-MgUser is required to convert this to a name. For instance:

Redirect Urls etc.

These can be for Web, Single Page Apps (SPA), and Mobile.

The corresponding properties for these are called web, spa, and publicClient. The web property gives the redirectUris and also implicitGrantSettings.

The spa and publicClient properties give the redirectUris.