Get-EntraBetaServicePrincipal

Gets a service principal.

Syntax

GetQuery (Default)

Get-EntraBetaServicePrincipal

 [-Top <Int32>]
 [-All]
 [-Filter <String>]
 [-Property <String[]>]
 [-AssignmentRequired <Boolean>]
 [-ApplicationType <String>]
 [<CommonParameters>]

GetVague

Get-EntraBetaServicePrincipal

 [-SearchString <String>]
 [-All]
 [-Property <String[]>]
 [-AssignmentRequired <Boolean>]
 [-ApplicationType <String>]
 [<CommonParameters>]

GetById

Get-EntraBetaServicePrincipal

 -ServicePrincipalId <String>
 [-All]
 [-Property <String[]>]
 [<CommonParameters>]

Description

The Get-EntraBetaServicePrincipal cmdlet gets a service principal in Microsoft Entra ID.

Examples

Example 1: Retrieve all service principals from the directory

Connect-Entra -Scopes 'Application.Read.All'
Get-EntraBetaServicePrincipal
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
Helpdesk Application aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 00001111-aaaa-2222-bbbb-3333cccc4444 AzureADMultipleOrgs Application
Microsoft Device Management Checkin bbbbbbbb-1111-2222-3333-cccccccccccc 11112222-bbbb-3333-cccc-4444dddd5555 AzureADMultipleOrgs Application
ProvisioningPowerBi cccccccc-2222-3333-4444-dddddddddddd 22223333-cccc-4444-dddd-5555eeee6666 Application

This example retrieves all service principals from the directory.

Example 2: Retrieve a service principal by ServicePrincipalId

Connect-Entra -Scopes 'Application.Read.All'
$servicePrincipal = Get-EntraBetaServicePrincipal -Filter "displayName eq 'Helpdesk Application'"
Get-EntraBetaServicePrincipal -ServicePrincipalId $servicePrincipal.Id
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
Helpdesk Application aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 00001111-aaaa-2222-bbbb-3333cccc4444 AzureADMultipleOrgs Application

This command retrieves a specific service principal.

  • The -ServicePrincipalId parameter specifies the ID of a service principal.

Example 3: Retrieve all service principals from the directory

Connect-Entra -Scopes 'Application.Read.All'
Get-EntraBetaServicePrincipal -All
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
Helpdesk Application aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 00001111-aaaa-2222-bbbb-3333cccc4444 AzureADMultipleOrgs Application
Microsoft Device Management Checkin bbbbbbbb-1111-2222-3333-cccccccccccc 11112222-bbbb-3333-cccc-4444dddd5555 AzureADMultipleOrgs Application
ProvisioningPowerBi cccccccc-2222-3333-4444-dddddddddddd 22223333-cccc-4444-dddd-5555eeee6666 Application

This example retrieves all service principals from the directory.

Example 4: Retrieve the top two service principals from the directory

Connect-Entra -Scopes 'Application.Read.All'
Get-EntraBetaServicePrincipal -Top 2
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
Helpdesk Application aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 00001111-aaaa-2222-bbbb-3333cccc4444 AzureADMultipleOrgs Application
Microsoft Device Management Checkin bbbbbbbb-1111-2222-3333-cccccccccccc 11112222-bbbb-3333-cccc-4444dddd5555 AzureADMultipleOrgs Application

This command retrieves the top two service principals from the directory. You can use -Limit as an alias for -Top.

Example 5: Get a service principal by display name

Connect-Entra -Scopes 'Application.Read.All'
Get-EntraBetaServicePrincipal -Filter "DisplayName eq 'Helpdesk Application'"
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
Helpdesk Application aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 00001111-aaaa-2222-bbbb-3333cccc4444 AzureADMultipleOrgs Application

This example gets a service principal by its display name.

Example 6: Retrieve a list of all service principals whose display name contains "Helpdesk Application"

Connect-Entra -Scopes 'Application.Read.All'
Get-EntraBetaServicePrincipal -SearchString 'Helpdesk Application'
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
Helpdesk Application aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 00001111-aaaa-2222-bbbb-3333cccc4444 AzureADMultipleOrgs Application

This example gets a list of service principals that have the specified display name.

Example 7: Retrieve all Enterprise apps

Connect-Entra -Scopes 'Application.Read.All'
Get-EntraBetaServicePrincipal -Filter "tags/Any(x: x eq 'WindowsAzureActiveDirectoryIntegratedApp')"
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
Enterprise App1 00001111-aaaa-2222-bbbb-3333cccc4444 33334444-dddd-5555-eeee-6666ffff7777 Application
Enterprise App2 11112222-bbbb-3333-cccc-4444dddd5555 22223333-cccc-4444-dddd-5555eeee6666 AzureADMultipleOrgs Application

This example demonstrates how to retrieve all enterprise apps.

Example 8: Retrieve all App proxy apps

Connect-Entra -Scopes 'Application.Read.All'
Get-EntraBetaServicePrincipal -Filter "tags/Any(x: x eq 'WindowsAzureActiveDirectoryOnPremApp')"
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
App proxy 1 00001111-aaaa-2222-bbbb-3333cccc4444 33334444-dddd-5555-eeee-6666ffff7777 Application
App proxy 2 11112222-bbbb-3333-cccc-4444dddd5555 22223333-cccc-4444-dddd-5555eeee6666 AzureADMultipleOrgs Application

This example demonstrates how to retrieve all app proxy apps.

Example 9: Retrieve all disabled apps

Connect-Entra -Scopes 'Application.Read.All'
Get-EntraBetaServicePrincipal -Filter "accountEnabled eq false"
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
Disabled App1 00001111-aaaa-2222-bbbb-3333cccc4444 33334444-dddd-5555-eeee-6666ffff7777 Application

This example demonstrates how to retrieve all disabled apps.

Example 10: Retrieve all Global Secure Access apps

Connect-Entra -Scopes 'Application.Read.All'
Get-EntraBetaServicePrincipal -Filter "tags/Any(x: x eq 'PrivateAccessNonWebApplication') or tags/Any(x: x eq 'NetworkAccessManagedApplication')"
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
Global secure access app 00001111-aaaa-2222-bbbb-3333cccc4444 33334444-dddd-5555-eeee-6666ffff7777 Application

This example demonstrates how to retrieve all Global Secure Access apps.

Example 11: List all applications without user assignment

Connect-Entra -Scopes 'Application.Read.All'
Get-EntraBetaServicePrincipal -All | Where-Object {$_.appRoleAssignmentRequired -ne 'true'}
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
App without user assignment 00001111-aaaa-2222-bbbb-3333cccc4444 33334444-dddd-5555-eeee-6666ffff7777 Application

This example demonstrates how to retrieve all applications without user assignment.

Example 12: List all SAML application details

Connect-Entra -Scopes 'Application.Read.All'
$servicePrincipal = Get-EntraBetaServicePrincipal -Filter "PreferredSingleSignOnMode eq 'saml'"
$servicePrincipal | Select-Object Id, DisplayName, AccountEnabled, AppId, PreferredSingleSignOnMode, AppRoleAssignmentRequired, SignInAudience, NotificationEmailAddresses, PreferredTokenSigningKeyEndDateTime, PreferredTokenSigningKeyValid, ReplyUrls,LoginUrl, LogoutUrl | Format-Table -AutoSize
Id DisplayName AccountEnabled AppId PreferredSingleSignOnMode AppRoleAssignmentRequired SignInAudience NotificationEmailAddresses
-- ----------- -------------- ----- ------------------------- ------------------------- -------------- --------------
00001111-aaaa-2222-bbbb-3333cccc4444 SAML App True 33334444-dddd-5555-eeee-6666ffff7777 saml True AzureADMyOrg {admin@Contoso}

This example demonstrates how to retrieve all SAML application details.

Example 13: List service principal app roles

Connect-Entra -Scopes 'Application.Read.All'
$servicePrincipal = Get-EntraBetaServicePrincipal -SearchString 'Contoso Helpdesk Application'
$servicePrincipal.AppRoles | Format-Table -AutoSize
AllowedMemberTypes Description DisplayName Id IsEnabled Origin Value
------------------ ----------- ----------- -- --------- ------ -----
{User, Application} General All General All gggggggg-6666-7777-8888-hhhhhhhhhhhh True Application Survey.Read
{Application} General App Only General Apponly hhhhhhhh-7777-8888-9999-iiiiiiiiiiii True Application Task.Write
{User} General role General bbbbbbbb-1111-2222-3333-cccccccccccc True Application General

This example shows how you can retrieve app roles for a service principal.

Example 14: List applications (service principals) outside my tenant

Connect-Entra -Scopes 'Application.Read.All'
$tenantId = Get-EntraContext | Select-Object -ExpandProperty TenantId
$servicePrincipals = Get-EntraBetaServicePrincipal -All -Property AppOwnerOrganizationId, Id, DisplayName, AppId
$externalServicePrincipals = $servicePrincipals | Where-Object { $_.AppOwnerOrganizationId -ne $tenantId }
$externalServicePrincipals | Select-Object DisplayName, Id, AppId, AppOwnerOrganizationId | Format-Table -AutoSize
DisplayName Id AppId AppOwnerOrganizationId
----------- -- ----- ----------------------
Azure MFA StrongAuthenticationService aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 00001111-aaaa-2222-bbbb-3333cccc4444 f8cdef31-a31e-4b4a-93e4-5f571e91255a
M365 Label Analytics bbbbbbbb-1111-2222-3333-cccccccccccc 11112222-bbbb-3333-cccc-4444dddd5555 f8cdef31-a31e-4b4a-93e4-5f571e91255a
PowerApps-Advisor cccccccc-2222-3333-4444-dddddddddddd 22223333-cccc-4444-dddd-5555eeee6666 f8cdef31-a31e-4b4a-93e4-5f571e91255a

This example shows how you can retrieve applications (service principals) outside my tenant.

Example 15: Retrieve service principals with user assignment required

Connect-Entra -Scopes 'Application.Read.All'
Get-EntraBetaServicePrincipal -AssignmentRequired $true
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
Restricted App aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 00001111-aaaa-2222-bbbb-3333cccc4444 AzureADMyOrg Application

This example retrieves all service principals where user assignment is required to access the application.

Example 16: Retrieve Enterprise Apps using ApplicationType parameter

Connect-Entra -Scopes 'Application.Read.All'
Get-EntraBetaServicePrincipal -ApplicationType EnterpriseApps
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
Enterprise App1 00001111-aaaa-2222-bbbb-3333cccc4444 33334444-dddd-5555-eeee-6666ffff7777 Application
Enterprise App2 11112222-bbbb-3333-cccc-4444dddd5555 22223333-cccc-4444-dddd-5555eeee6666 AzureADMultipleOrgs Application

This example demonstrates how to retrieve all enterprise apps using the ApplicationType parameter. Valid values are: AppProxyApps, EnterpriseApps, ManagedIdentity, MicrosoftApps.

Example 17: Retrieve Managed Identities

Connect-Entra -Scopes 'Application.Read.All'
Get-EntraBetaServicePrincipal -ApplicationType ManagedIdentity
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
MyVM-Identity 00001111-aaaa-2222-bbbb-3333cccc4444 33334444-dddd-5555-eeee-6666ffff7777 ManagedIdentity

This example retrieves all managed identities.

Example 18: Combine AssignmentRequired and ApplicationType filters

Connect-Entra -Scopes 'Application.Read.All'
Get-EntraBetaServicePrincipal -AssignmentRequired $true -ApplicationType EnterpriseApps
DisplayName Id AppId SignInAudience ServicePrincipalType
----------- -- ----- -------------- --------------------
Secured Enterprise App aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 00001111-aaaa-2222-bbbb-3333cccc4444 AzureADMyOrg Application

This example demonstrates how to combine both AssignmentRequired and ApplicationType parameters to filter enterprise apps that require user assignment.
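
The checks from Examples 11, 14 and 15 can be combined into a single review of enabled service principals that are owned by another tenant and do not require user assignment. The following is an added example, not part of the cmdlet documentation; the function name Find-OpenExternalServicePrincipal, the helper New-SampleSp, the -ReviewedOwnerTenantId parameter and all sample objects are constructed for illustration.

```powershell
# Added example (not from the cmdlet documentation). Reports enabled service
# principals owned by another tenant that do not require user assignment.
function Find-OpenExternalServicePrincipal {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $ServicePrincipal,
        [Parameter(Mandatory)] [string] $HomeTenantId,
        # Owner tenants already reviewed and accepted (assumption: supplied by the caller).
        [string[]] $ReviewedOwnerTenantId = @()
    )
    process {
        $owner = [string]$ServicePrincipal.AppOwnerOrganizationId
        if ($owner -eq $HomeTenantId) { return }                    # same test as Example 14
        if ($ReviewedOwnerTenantId -contains $owner) { return }
        if ($ServicePrincipal.AccountEnabled -ne $true) { return }  # disabled apps (Example 9) are out of scope
        if ($ServicePrincipal.AppRoleAssignmentRequired -eq $true) { return }  # access requires assignment
        [pscustomobject]@{
            DisplayName            = $ServicePrincipal.DisplayName
            Id                     = $ServicePrincipal.Id
            AppId                  = $ServicePrincipal.AppId
            AppOwnerOrganizationId = $owner
        }
    }
}

# Constructed sample objects so the function can be exercised offline.
$homeTenant = '99999999-aaaa-bbbb-cccc-000000000000'   # constructed tenant ID
$reviewed   = 'f8cdef31-a31e-4b4a-93e4-5f571e91255a'   # owner ID shown in Example 14's output
$vendor     = '11111111-2222-3333-4444-555555555555'   # constructed external tenant ID
function New-SampleSp($Name, $Owner, $Enabled, $AssignmentRequired) {
    [pscustomobject]@{
        DisplayName = $Name; Id = [guid]::NewGuid().ToString(); AppId = [guid]::NewGuid().ToString()
        AppOwnerOrganizationId = $Owner; AccountEnabled = $Enabled; AppRoleAssignmentRequired = $AssignmentRequired
    }
}
$sample = @(
    New-SampleSp 'Helpdesk Application'  $homeTenant $true  $false   # home tenant: skipped
    New-SampleSp 'PowerApps-Advisor'     $reviewed   $true  $false   # reviewed owner: skipped
    New-SampleSp 'Vendor Sync (open)'    $vendor     $true  $false   # reported
    New-SampleSp 'Vendor Portal (gated)' $vendor     $true  $true    # assignment required: skipped
    New-SampleSp 'Vendor Legacy (off)'   $vendor     $false $false   # disabled: skipped
)
$sample | Find-OpenExternalServicePrincipal -HomeTenantId $homeTenant -ReviewedOwnerTenantId $reviewed |
    Format-Table -AutoSize

# Live use, requesting the needed properties explicitly as Example 14 does:
# Get-EntraBetaServicePrincipal -All -Property Id, DisplayName, AppId, AppOwnerOrganizationId, AccountEnabled, AppRoleAssignmentRequired |
#     Find-OpenExternalServicePrincipal -HomeTenantId (Get-EntraContext).TenantId
```

When -Property is used, AccountEnabled and AppRoleAssignmentRequired must be in the list; otherwise the properties are empty on the returned objects and every external entry is skipped by the enabled check.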

Parameters

-All

List all pages.

Parameter properties

Type:System.Management.Automation.SwitchParameter
Default value:False
Supports wildcards:False
DontShow:False

Parameter sets

-ApplicationType

Filter by application type. Valid values are:

  • AppProxyApps: Application proxy applications
  • EnterpriseApps: Enterprise applications
  • ManagedIdentity: Managed identity service principals
  • MicrosoftApps: Microsoft first-party applications

Parameter properties

Type:System.String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

-AssignmentRequired

Filter by whether user assignment is required to access the application. When set to $true, returns only service principals where user assignment is required. When set to $false, returns only service principals where user assignment is not required.

Parameter properties

Type:System.Boolean
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

-Filter

Specifies an OData v4.0 filter statement. This parameter controls which objects are returned.

Parameter properties

Type:System.String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

-Property

Specifies properties to be returned.

Parameter properties

Type:System.String[]
Default value:None
Supports wildcards:False
DontShow:False
Aliases:Select

Parameter sets

-SearchString

Specifies a search string.

Parameter properties

Type:System.String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

-ServicePrincipalId

Specifies the ID of a service principal in Microsoft Entra ID.

Parameter properties

Type:System.String
Default value:None
Supports wildcards:False
DontShow:False
Aliases:ObjectId

Parameter sets

-Top

Specifies the maximum number of records to return.

Parameter properties

Type:System.Int32
Default value:None
Supports wildcards:False
DontShow:False
Aliases:Limit

Parameter sets

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
