Get-MgServicePrincipal Cmdlet in Microsoft Graph PowerShell
The Get-MgServicePrincipal cmdlet in Microsoft Graph PowerShell allows administrators to retrieve and manage service principals within their Microsoft 365 tenant. Service principals represent applications and services registered in Entra ID (Azure AD), and this cmdlet provides flexible options to filter, search, and display these entities effectively.
Cmdlet Syntax
Get-MgServicePrincipal [-All] [-ConsistencyLevel <String>] [-CountVariable <String>] [-Filter <String>] [-Search <String>]Usage Examples
- Retrieve All Service Principals
- Retrieve a Specific Service Principal by Display Name
- Retrieve Top 5 Service Principals Starting with 'a'
- Search for Service Principals Containing 'Team' in Display Name
- Get a Service Principal by AppId (Client ID).
- Get Service Principals Created Recently.
Get-MgServicePrincipal
This command retrieves all service principals available in the tenant.
Get-MgServicePrincipal -Filter "DisplayName eq 'Power BI Service'" | Format-List Id, DisplayName, AppId, SignInAudience
This retrieves the service principal for Power BI Service and displays selected properties.
Get-MgServicePrincipal -ConsistencyLevel eventual -Count spCount -Filter "startsWith(DisplayName, 'a')" -Top 5
This command fetches the top 5 service principals whose display names start with 'a'.
Get-MgServicePrincipal -ConsistencyLevel eventual -Count spCount -Search '"DisplayName:Team"'
This searches for service principals with 'Team' in their display names.
This is one of the most common real-world scenarios โ identifying the Enterprise Application using its Application (Client) ID.
Get-MgServicePrincipal `
-Filter "appId eq '00000003-0000-0000-c000-000000000000'" `
-Property Id,DisplayName,AppId |
Select-Object Id, DisplayName, AppId
Useful when: i) Troubleshooting OAuth issues, ii) Identifying Microsoft-built apps (e.g., Microsoft Graph), iii) Mapping App Registration โ Enterprise Application and iv) Uses server-side filtering (efficient and scalable)
This is helpful for auditing newly added Enterprise Applications.
Get-MgServicePrincipal `
-Filter "createdDateTime ge $Date" `
-Property Id,DisplayName,AppId,CreatedDateTime |
Select-Object DisplayName, AppId, CreatedDateTime
Cmdlet Tips
- Always use -ConsistencyLevel eventual when using -Filter or -Search with -Count.
- Use -All to retrieve all service principals without paging.
- Pipe results to Format-Table or Format-List for better readability.
Use Cases
- Auditing:: Retrieve all service principals to review what applications have access to your Microsoft 365 environment, ensuring proper permissions are maintained.
- Filtering: Search for specific service principals based on names or other attributes, helping administrators quickly find and manage application identities.
- Counting: Count service principals for reporting or management, useful for understanding the scope of applications registered.
- Properties Retrieval: Display detailed information such as IDs, AppIds, and sign-in details to ensure each application is correctly configured and secured.
Possible Errors & Solutions
| Error Message | Cause | Solution |
| Request_UnsupportedQuery | Unsupported query syntax in - Filter or -Search. | Ensure the correct property names and supported query operators. |
| InvalidAuthenticationToken | Expired or invalid authentication token. | Re-authenticate using Connect-MgGraph. |
| ResourceNotFound | The service principal does not exist. | Verify the display name or AppId |
FAQs
- What is a service principal?
A service principal is an identity created in Entra ID (Azure AD) to represent an application or service. It allows applications to access resources securely without user credentials. - How can Get-MgServicePrincipal be useful?
This cmdlet helps administrators list, filter, and manage application identities, ensuring they have correct access, monitoring them for security, and troubleshooting permission issues. - Can I use wildcards with -Filter in Get-MgServicePrincipal?
No, use functions like startswith or endswith instead. - Is -All mandatory for large datasets in Get-MgServicePrincipal?
Yes, if you need to retrieve all entries without default paging. - What permissions are required for Get-MgServicePrincipal?
Directory.Read.All or similar delegated/app permissions.
PublisherNameMany Microsoft 365 workloads (like Teams, Exchange Online, etc.) register as service principals with the publisher name set to "Microsoft Services".
Use this property to isolate trusted, built-in Microsoft apps from third-party or custom enterprise apps.
AppId to Match Against Enterprise ApplicationsWhen investigating app usage or sign-in activity, cross-reference the
AppId from sign-in logs with the AppId of service principals.This helps identify which enterprise application was usedโeven if the display name is ambiguous or duplicated.
Conclusion
The Get-MgServicePrincipal cmdlet is essential for managing service principals in Microsoft 365. By mastering its usage, you can efficiently audit, filter, and retrieve service principal details for your tenant. Always ensure proper permissions and use -ConsistencyLevel eventual for advanced filtering and searching.
If You Prefer the Graph API Way
The /servicePrincipals Graph API endpoint allows you to list, filter, and search Azure AD service principal objects. Below are examples that replicate common Get-MgServicePrincipal use cases using direct API calls.
- Retrieve All Service Principals
$uri = "https://graph.microsoft.com/v1.0/servicePrincipals"
$response = Invoke-MgGraphRequest -Method GET -Uri $uri
foreach ($sp in $response.value) {
Write-Output "Display Name: $($sp.displayName)"
Write-Output "App ID : $($sp.appId)"
Write-Output "Object ID : $($sp.id)"
Write-Output "`n"
}
โ
Equivalent to: Get-MgServicePrincipal
Required Permissions
Youโll need one of the following Microsoft Graph permissions:
- Delegated:
Directory.Read.All - Application:
Directory.Read.All