Get-MgServicePrincipal – Comprehensive Guide

Service principals are at the heart of how apps authenticate and access resources in Microsoft Entra ID (Azure AD). If you manage Microsoft 365 or Entra, you’ll bump into them constantly—Enterprise Applications, managed identities, app registrations that have been consented in your tenant… all of those show up as service principals. This guide walks you through the Get-MgServicePrincipal cmdlet in Microsoft Graph PowerShell with practical, admin-friendly examples.

What is Get-MgServicePrincipal?

Get-MgServicePrincipal is a Microsoft Graph PowerShell cmdlet from the Microsoft.Graph.Applications module. It retrieves properties and relationships of servicePrincipal objects from your tenant. In Entra terms, a service principal is the “tenant-local” representation of an application (either Microsoft, third-party SaaS, or your own app registration).

The cmdlet supports:

  • Listing service principals
  • Getting a specific service principal by ID
  • Filtering or searching by display name or other properties
  • Paging, selecting properties, and advanced queries

Why use Get-MgServicePrincipal?

Here’s why admins rely on this cmdlet:

  1. Inventory Enterprise Apps
    Quickly list all apps that exist in the tenant, including Microsoft-built-in apps and third-party integrations.
  2. Audit App Access & Configuration
    Retrieve AppId, publisher, sign-in audience, tags, SSO mode, etc., before reviewing permissions and risk.
  3. Investigate Security Incidents
    When something suspicious happens, you often need to identify which service principal performed actions.
  4. Automation & Reporting
    Combine Get-MgServicePrincipal with other cmdlets (owners, app role assignments, sign-in logs) to build complete app governance reports.

How to Use Get-MgServicePrincipal?

  1. Install / Import the module

    Install-Module Microsoft.Graph.Applications -Scope CurrentUser
    Import-Module Microsoft.Graph.Applications

  2. Connect to Microsoft Graph
    You need appropriate permissions. For read-only operations, Application.Read.All is typically enough.

    Connect-MgGraph -Scopes "Application.Read.All"

  3. Basic syntax

    List all

    Get-MgServicePrincipal

    Get by ID

    Get-MgServicePrincipal -ServicePrincipalId <ServicePrincipalId>

    List with query options

    Get-MgServicePrincipal -Filter <ODataFilter> -Top <n> -Property <props>

    The cmdlet supports standard OData parameters like -Filter, -Search, -Top, -Sort, -Skip, -All, -Property, and -ExpandProperty.

    Important: Some queries (like -Search or advanced $filter + count) require -ConsistencyLevel eventual and -CountVariable.

Get-MgServicePrincipal Usage Examples

Below are practical examples, each with a bit of context.

  • Retrieve All Service Principals

    Get-MgServicePrincipal

    This returns every service principal in the directory (paged). Use -All if you want everything without manual paging.

  • Retrieve Specific Service Principal by ID

    Get-MgServicePrincipal -ServicePrincipalId 015993cd-d59a-4f62-a76b-72fa58ed36e3

    Use this when you already know the object ID (ServicePrincipalId) from Entra or logs.

  • Retrieve a Specific Service Principal by Display Name

    Get-MgServicePrincipal -Filter "DisplayName eq 'Power BI Service'" | Format-List Id, DisplayName, AppId, SignInAudience

    This is the cleanest way to find one known app by name. -Filter uses OData syntax.

  • Retrieve Top 5 Service Principals Starting with 'a'

    Get-MgServicePrincipal -ConsistencyLevel eventual -Count spCount -Filter "startsWith(DisplayName, 'a')" -Top 5

    startsWith() is an advanced query, so you must include:

    • -ConsistencyLevel eventual
    • -Count spCount (short for -CountVariable spCount)

  • Search for Service Principals Containing 'Team' in Display Name

    Get-MgServicePrincipal -ConsistencyLevel eventual -Count spCount -Search '"DisplayName:Team"'

    Notes:

    • -Search requires quotes inside quotes, exactly as shown above and in the Graph examples.
    • Advanced query rules apply here too.

Get-MgServicePrincipal Cmdlet Best Practices

Here are the field-tested tips I’d recommend for M365Corner readers:

  1. Always use least-privilege permissions
    For read-only reporting:

    Connect-MgGraph -Scopes "Application.Read.All"

    Only elevate to write permissions (like Application.ReadWrite.All) when needed.

  2. Use -Property to speed up large queries
    Instead of pulling everything:

    Get-MgServicePrincipal -All

    Limit properties:

    Get-MgServicePrincipal -All -Property Id,DisplayName,AppId,PublisherName

    This reduces payload, speeds execution, and is friendlier for exports.

  3. Prefer -All for full tenant inventory
    By default, Graph returns paged results. If your goal is a full report, use:

    Get-MgServicePrincipal -All

  4. For advanced filters/search, don’t forget ConsistencyLevel + Count
    If you see errors like “Request_UnsupportedQuery” or missing results for advanced queries, add:

    -ConsistencyLevel eventual -CountVariable spCount

    This applies to many directory object advanced queries.

  5. Use stable keys when possible
    Display names can change. If you want a stable lookup, use:

    • Service principal object ID (-ServicePrincipalId)
    • App ID via Get-MgServicePrincipalByAppId when you know the AppId
    • Example:

      Get-MgServicePrincipalByAppId -AppId "60dbf324-9702-41cc-a5fa-f8d19804b014"

  6. Export carefully for governance reports
    Typical export pattern:

    Get-MgServicePrincipal -All -Property Id,DisplayName,AppId,PublisherName,AccountEnabled |
      Select-Object Id,DisplayName,AppId,PublisherName,AccountEnabled |
      Export-Csv "ServicePrincipals.csv" -NoTypeInformation
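
One way to extend the export pattern above into a review list for the audit and incident-investigation uses described earlier: each row shows whether the app is owned by another tenant and how many credentials sit on the service principal itself. This is an added example, not code from the original guide or from Microsoft; ConvertTo-SpReviewRow, the tenant IDs and the sample objects are constructed for illustration.

```powershell
# Added example. ConvertTo-SpReviewRow is a hypothetical helper, not a Graph cmdlet.
function ConvertTo-SpReviewRow {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $ServicePrincipal,
        [Parameter(Mandatory)] [string] $HomeTenantId,
        [datetime] $Now = (Get-Date)
    )
    process {
        $sp = $ServicePrincipal
        # Secrets and certificates stored on the service principal itself
        # (separate from those on the app registration).
        $creds  = @(@($sp.PasswordCredentials) + @($sp.KeyCredentials) | Where-Object { $_ })
        $active = @($creds | Where-Object { -not $_.EndDateTime -or $_.EndDateTime -gt $Now })
        [pscustomobject]@{
            DisplayName          = $sp.DisplayName
            Id                   = $sp.Id
            AppId                = $sp.AppId
            AccountEnabled       = $sp.AccountEnabled
            ServicePrincipalType = $sp.ServicePrincipalType
            # True when the backing app registration lives in another tenant
            # (this includes Microsoft first-party apps).
            ExternalOwner        = [bool]($sp.AppOwnerOrganizationId -and
                                          $sp.AppOwnerOrganizationId -ne $HomeTenantId)
            ActiveCredentials    = $active.Count
            ExpiredCredentials   = $creds.Count - $active.Count
        }
    }
}

# Constructed sample objects (not real tenant data) so the function runs offline.
$tenant = '11111111-1111-1111-1111-111111111111'
$other  = '22222222-2222-2222-2222-222222222222'
$sample = @(
    [pscustomobject]@{ Id = 'sp-1'; DisplayName = 'Contoso HR Sync'; AppId = 'app-1'
        AccountEnabled = $true; ServicePrincipalType = 'Application'
        AppOwnerOrganizationId = $tenant; KeyCredentials = @()
        PasswordCredentials = @([pscustomobject]@{ EndDateTime = (Get-Date).AddDays(90) }) }
    [pscustomobject]@{ Id = 'sp-2'; DisplayName = 'Third-Party Backup'; AppId = 'app-2'
        AccountEnabled = $true; ServicePrincipalType = 'Application'
        AppOwnerOrganizationId = $other; KeyCredentials = @()
        PasswordCredentials = @([pscustomobject]@{ EndDateTime = (Get-Date).AddDays(-30) }) }
)
$sample | ConvertTo-SpReviewRow -HomeTenantId $tenant | Format-Table -AutoSize

# Against a live tenant, after Connect-MgGraph -Scopes "Application.Read.All":
# Get-MgServicePrincipal -All -Property Id,DisplayName,AppId,AccountEnabled,ServicePrincipalType,AppOwnerOrganizationId,PasswordCredentials,KeyCredentials |
#     ConvertTo-SpReviewRow -HomeTenantId (Get-MgContext).TenantId |
#     Export-Csv "ServicePrincipalReview.csv" -NoTypeInformation
```

Rows with ActiveCredentials greater than zero on an externally owned app are the ones to reconcile against change records first, since those credentials were added inside your tenant rather than by the publisher.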

Conclusion

Get-MgServicePrincipal is a must-know cmdlet for any Microsoft 365 or Entra admin. Whether you’re auditing Enterprise Applications, troubleshooting SSO, reviewing risky apps, or building tenant-wide app inventories, this cmdlet gives you the core dataset to start from.

Use -Filter, -Search, and -Top for targeted queries, and remember the advanced query rule: ConsistencyLevel eventual + CountVariable whenever you’re doing search or complex filters. With these patterns, you can turn service principal management into clean, repeatable automation.

