I have been working a fair bit on Azure AD App Registrations using Graph cmdlets this past week.
There’s very little help available for most of these cmdlets so this post is meant to be a running reference for my future self on the stuff I figured out.
Application vs Service Principal
Get-MgApplication is for the App Registration.
Get-MgServicePrincipal is for the Enterprise Application (the Service Principal that gets created from the App Registration basically).
Searching
To search for an App Registration (and ditto for Service Principal just use the other cmdlet):
```powershell
# By AppId
Get-MgApplication -All -Filter "AppId eq '9d2a2179-f98c-47fe-be39-a8c2103a5543'"

# By Name
Get-MgApplication -All -Filter "DisplayName eq 'Kamboocha'"

# By Name (starting with)
Get-MgApplication -Filter "startsWith(DisplayName,'My Apps')"
```
The result has an Id and AppId.
```
Id                                   DisplayName     AppId                                SignInAudience PublisherDomain
--                                   -----------     -----                                -------------- ---------------
d2d57545-6528-4faf-b5dc-a364051969cd Ragnarak - App1 9d2a2179-f98c-47fe-be39-a8c2103a5543 AzureADMyOrg   ragnarak.onmicrosoft.com
```
The AppId is the Application (client) ID shown in the portal, but the Id is what you'll need when dealing with Graph; in the portal this is the Object ID.
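To tie the two sections above together, here is an added helper (not from the original post) that resolves an App Registration from either its AppId or its display name and then finds the matching Service Principal, which is linked by AppId rather than by Id. It assumes Connect-MgGraph has already been run with Application.Read.All.

```powershell
# Added example: resolve an App Registration plus its Enterprise Application (Service Principal).
# Assumes an existing Connect-MgGraph session with Application.Read.All.
function Resolve-AppRegistration {
    param(
        [Parameter(Mandatory)] [string] $NameOrAppId
    )

    # A GUID is treated as the Application (client) ID, anything else as a display name
    $isGuid = $null -ne ($NameOrAppId -as [guid])
    $filter = if ($isGuid) { "appId eq '$NameOrAppId'" }
              else         { "displayName eq '$($NameOrAppId -replace "'", "''")'" }   # OData escapes ' as ''

    $apps = @(Get-MgApplication -All -Filter $filter)
    if ($apps.Count -eq 0) { throw "No App Registration matches '$NameOrAppId'." }
    if ($apps.Count -gt 1) { Write-Warning "$($apps.Count) App Registrations match '$NameOrAppId'; display names are not unique." }

    foreach ($app in $apps) {
        # The Service Principal is linked to the App Registration by AppId, not by the object Id
        $sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
        [pscustomobject]@{
            DisplayName        = $app.DisplayName
            AppId              = $app.AppId     # "Application (client) ID" in the portal
            AppObjectId        = $app.Id        # what the Graph cmdlets want as -ApplicationId
            ServicePrincipalId = if ($sp) { $sp.Id } else { $null }   # null: no Enterprise Application exists yet
        }
    }
}

Resolve-AppRegistration -NameOrAppId 'Test App' | Format-List
```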
For the next few sections assume I have an App Registration object stored in a variable:
```powershell
$appRegObj = Get-MgApplication -All -Filter "DisplayName eq 'Test App'"
```
Secrets & Certificates
The KeyCredentials property has the certificates. The PasswordCredentials property has the secrets. Both appear empty if you were to look at the application properties, so you’ll have to refer to them explicitly. For example:
```powershell
# Note the parentheses: fetch the application first, then read the property
(Get-MgApplication -ApplicationId a2d57545-6528-4f1f-b5dc-a364051669cd).PasswordCredentials
```
This is because these properties are not pulled by default.
To add a secret use Add-MgApplicationPassword:
```powershell
# Assumed inputs (not defined in the original snippet)
$appRegNewSecretName = "Rotated secret"
$newSecretExpiryDays = 90

$passwordCred = @{
    "displayName" = $appRegNewSecretName
    "endDateTime" = (Get-Date).AddDays($newSecretExpiryDays)
}

$newSecretObj = $null
# Send the request and get the new password
$newSecretObj = Add-MgApplicationPassword -ApplicationId $appRegObj.Id -PasswordCredential $passwordCred
if (!$newSecretObj) {
    Write-Error "Something went wrong. Unable to set the secret for $($appRegObj.Id). Aborting."
    throw
}
```
For certificates the corresponding Add-MgApplicationKey cmdlet doesn’t do the trick as it expects you to submit a “proof” signed with the key of an existing certificate. I haven’t managed to get this working though I have a question open on StackOverflow and Microsoft regarding this so I’ll update the post once I have an answer.
If the App Registration currently has no certificates, then a different cmdlet, Update-MgApplication, can help with certificates.
```powershell
if ($IsWindows) {
    $pathSeparator = "\"
} else {
    $pathSeparator = "/"
}

# Read the certificate ($Global:CertPath and $certname are expected to be set already)
$certData = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("$($Global:CertPath)${pathSeparator}${certname}")

# Create a keyCredential hash table for use in the cmdlet
$keyCreds = @{
    Type  = "AsymmetricX509Cert";
    Usage = "Verify";
    key   = $certData.RawData
}

try {
    Update-MgApplication -ApplicationId $appRegObj.Id -KeyCredentials $keyCreds
} catch {
    Write-Error $Error[0]
}
```
Information on the keyCredential resource type can be found in the Microsoft Graph documentation. The important property is key. If you are using the Graph API directly, this has to be a Base64-encoded version of the public certificate, converted via for example [System.Convert]::ToBase64String($Cert.GetRawCertData()). When using the Graph cmdlets, however, it has to be the raw binary version.
Type has to be AsymmetricX509Cert and Usage has to be Verify.
To remove secrets there’s the Remove-MgApplicationPassword. It needs the Id of the Key you want to remove.
```powershell
# $newSecretObj is the output of Add-MgApplicationPassword earlier and thus has the Key Id.
Remove-MgApplicationPassword -ApplicationId $appRegObj.Id -KeyId $newSecretObj.KeyId
```
For certificates, the Remove-MgApplicationKey won’t do the job for similar reasons as adding a certificate. Again, if it’s the last certificate that you want to remove then Update-MgApplication can help.
```powershell
Update-MgApplication -ApplicationId $appRegObj.Id -KeyCredentials @{}
```
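Since the credential properties have to be requested explicitly, here is an added report (not from the original post) that pulls PasswordCredentials and KeyCredentials for every App Registration and flags secrets and certificates that are expired, expiring soon, or valid for longer than a chosen lifetime. It assumes Connect-MgGraph has been run with Application.Read.All; the thresholds are made-up defaults.

```powershell
# Added example: audit all App Registration secrets and certificates for expiry and lifetime.
# Assumes an existing Connect-MgGraph session with Application.Read.All; thresholds are constructed defaults.
function Get-AppCredentialReport {
    param(
        [int] $WarnWithinDays  = 30,    # flag credentials expiring within this many days
        [int] $MaxLifetimeDays = 365    # flag credentials valid for longer than this
    )

    $now = (Get-Date).ToUniversalTime()
    # Ask for the credential properties explicitly; they are not returned by default
    $apps = Get-MgApplication -All -Property 'id,displayName,appId,passwordCredentials,keyCredentials'

    foreach ($app in $apps) {
        # Treat secrets (PasswordCredentials) and certificates (KeyCredentials) the same way
        $creds = @(
            $app.PasswordCredentials | ForEach-Object { [pscustomobject]@{ Kind = 'Secret';      Cred = $_ } }
            $app.KeyCredentials      | ForEach-Object { [pscustomobject]@{ Kind = 'Certificate'; Cred = $_ } }
        )
        foreach ($c in $creds) {
            if (-not $c.Cred.EndDateTime) { continue }   # nothing to evaluate without an expiry
            $end   = $c.Cred.EndDateTime.ToUniversalTime()
            $start = if ($c.Cred.StartDateTime) { $c.Cred.StartDateTime.ToUniversalTime() } else { $end }
            $lifetime = ($end - $start).TotalDays
            $daysLeft = [math]::Floor(($end - $now).TotalDays)
            $status = if ($daysLeft -lt 0)                    { 'EXPIRED' }
                      elseif ($daysLeft -le $WarnWithinDays)  { 'EXPIRING' }
                      elseif ($lifetime -gt $MaxLifetimeDays) { 'LONG-LIVED' }
                      else                                    { 'OK' }
            [pscustomobject]@{
                App      = $app.DisplayName
                AppId    = $app.AppId
                Kind     = $c.Kind
                KeyId    = $c.Cred.KeyId        # what Remove-MgApplicationPassword needs as -KeyId
                Name     = $c.Cred.DisplayName
                Expires  = $end
                DaysLeft = $daysLeft
                Status   = $status
            }
        }
    }
}

Get-AppCredentialReport | Where-Object Status -ne 'OK' | Sort-Object DaysLeft | Format-Table -AutoSize
```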
Owner Info
The output of Get-MgApplication does not include the owner info. For this you need Get-MgApplicationOwner.
```powershell
Get-MgApplicationOwner -ApplicationId $appRegObj.Id
```

```
Id                                   DeletedDateTime
--                                   ---------------
c38e8340-f903-4e63-9624-3dee3241d1f3
```
The result is the object Id (a GUID) of the owner, so a further call to Get-MgUser is required to turn it into a name. For instance:
```powershell
$appOwners = @(Get-MgApplicationOwner -ApplicationId $appRegObj.Id).Id
$ownerNames = if ($appOwners.Count -ne 0) {
    foreach ($appOwner in $appOwners) { (Get-MgUser -UserId $appOwner).DisplayName }
} else {
    "No Owner Info"
}
```
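Get-MgUser only works when the owner is a user; an owner can also be a service principal. The added report below (not from the original post) reads the owner type and name from the AdditionalProperties hashtable that Get-MgApplicationOwner returns alongside the typed Id, avoiding the second call, and lists App Registrations with no owner at all, which are the ones nobody is accountable for. It assumes Connect-MgGraph has been run with Application.Read.All.

```powershell
# Added example: list each App Registration's owners (user or service principal) and flag orphans.
# Assumes an existing Connect-MgGraph session with Application.Read.All.
function Get-AppOwnerReport {
    param([string] $Filter)   # optional OData filter, e.g. "startsWith(displayName,'Test')"

    $apps = if ($Filter) { Get-MgApplication -All -Filter $Filter } else { Get-MgApplication -All }

    foreach ($app in $apps) {
        $owners = @(Get-MgApplicationOwner -ApplicationId $app.Id)
        if ($owners.Count -eq 0) {
            # No owner means nobody is accountable for this app's credentials and permissions
            [pscustomobject]@{ App = $app.DisplayName; AppId = $app.AppId; OwnerType = 'NONE'; Owner = $null }
            continue
        }
        foreach ($o in $owners) {
            # Get-MgApplicationOwner returns generic directoryObjects: only Id/DeletedDateTime are typed,
            # the rest of the returned JSON (@odata.type, displayName, ...) lives in AdditionalProperties
            $type = $o.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
            $name = switch ($type) {
                'user'             { $o.AdditionalProperties['userPrincipalName'] }
                'servicePrincipal' { $o.AdditionalProperties['displayName'] }
                default            { $o.AdditionalProperties['displayName'] }
            }
            [pscustomobject]@{ App = $app.DisplayName; AppId = $app.AppId; OwnerType = $type; Owner = $name }
        }
    }
}

Get-AppOwnerReport | Sort-Object OwnerType | Format-Table -AutoSize
```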
Redirect Urls etc.
These can be for Web, Single Page Apps (SPA), and Mobile.
The corresponding properties for these are called web, spa, and publicClient. The web property gives the redirectUris and also implicitGrantSettings.
The spa and publicClient properties give the redirectUris.