M365 PowerShell

Get-MgApplication: How to Retrieve and Manage Applications in Microsoft 365

Explore how to use Get-MgApplication cmdlet in Graph PowerShell to retrieve Azure AD applications. Includes examples for filtering by app name, app ID, and more.

The Get-MgApplication cmdlet is part of the Microsoft Graph PowerShell SDK. This cmdlet retrieves information about applications (apps) registered in your Azure Active Directory (Azure AD). Applications in Azure AD include enterprise applications, and custom-developed apps that your organization uses or develops.

Prerequisites

You should install Microsoft Graph PowerShell module by running Install-Module Microsoft.Graph -Scope CurrentUser command.
You should connect to Microsoft Graph PowerShell module by running Connect-MgGraph -Scopes "Application.Read.All".

Basic Syntax

Here’s the basic syntax of the Get-MgApplication: Get-MgApplication [-ExpandProperty <String[]>] [-Property <String[]>] [-Filter <String>] [-Search <String>] [-Skip <Int32>] [-Sort<String[]>] [-Top <Int32>] [-ConsistencyLevel <String>] [-ResponseHeadersVariable <String>] [-Headers <IDictionary>] [-PageSize <Int32>] [-All] [-CountVariable <String>] [-ProgressAction <ActionPreference>] [<CommonParameters> ]

Key Parameters:

-ExpandProperty; Expands related entities inline. For example, you can expand owners of an application.
-Property: Specifies which properties to include in the response.
-Filter: Applies an OData filter to the applications list.
-Search: Searches for items matching a search query.
-Skip: Skips the first n results..
-Sort: Sorts the results based on the specified properties
-Top: Returns only the first n results.
-ConsistencyLevel: Requests the response to have a specific consistency level.
-ResponseHeadersVariable: Stores the response headers in the specified variable..
-Headers: Specifies custom headers for the request.
-PageSize: Specifies the number of results per page..
-All: Retrieves all results, not just the first page.
-CountVariable: Stores the count of matching resources in the specified variable.
-ProgressAction: Specifies the action preference for progress updates.

Get All Applications

This command retrieves all applications registered in Azure AD.

Graph PowerShell command retrieving all applications registered in Azure Active Directory

Get a Specific Application by ID

You can get a specific application's details by passing in its ID.

Graph PowerShell command retrieving details of a specific application by its ID

Get Applications Using Search Parameter

This command gets all the applications whose display name contains "Test" using search parameter.

PowerShell command searching for applications with display names containing 'Test'

Note: This command won't work without -ConsistencyLevel parameter.

Get Applications By Display Name Using Filter Parameter

This command filters for all the applications whose display name starts with "My First" term.

PowerShell command for filtering applications with display names starting with 'My First'

Get Applications By Created Date Using Filter Parameter

This command filters for all the applications created on or after 2023-01-01.

PowerShell command for filtering applications created on or after January 1, 2023

Get Applications Created In The Last 5 Months Using Filter Parameter

This command fetches only those applications that were created in the last 5 months.

PowerShell command retrieving applications created in the last five months

Possible Errors You Might Face

Errors you might face while using Get-MgApplication and how to rectify them:

Error	Cause	Solution
Authentication Error	Exception of type 'Microsoft.Graph.Auth.Exceptions.GraphAuthException' was thrown	This error typically occurs when there is an issue with authentication, such as invalid credentials or expired tokens. Make sure you are authenticated with the correct credentials. You can authenticate using the Connect-MgGraph cmdlet.
Insufficient Permissions: Get-MgApplication	Insufficient privileges to complete the operation.	his error occurs when the authenticated user does not have the necessary permissions to access the application information. Assign the required permissions to the authenticated user. Ensure the user has the Application.Read.All permission.
Invalid Filter Syntax	Get-MgApplication: Error parsing OData query.	This error occurs when the filter syntax used in the -Filter parameter is incorrect.Check the OData query syntax and ensure it is correct. Refer to the OData query documentation for proper syntax.
Invalid Property Name	Get-MgApplication: The property 'InvalidProperty' does not exist on type 'Microsoft.Graph.Application'.	This error occurs when you specify a property name that does not exist. Run the following command to check on the properties: # Correct property names example Get-MgApplication -Property displayName,appId
Too Many Requests (Throttling): Get-MgApplication	Too Many Requests. Please try again later.	This error occurs when you have sent too many requests in a short period, and the service is throttling your requests. Implement a retry mechanism with exponential backoff. Wait for a few seconds before retrying the request.

Note: Always refer to Get-MgApplication Microsoft Graph PowerShell Documentation to stay updated about the cmdlet.

Get-MgApplication Cmdlet Usage Tips

By following these tips, you can use the Get-MgApplication cmdlet more efficiently and effectively.

Use Filtering: Limit results with the -Filter parameter.

Select Specific Properties: Specify needed properties with -Property.

Paginate Results: Use -Top and -Skip for large datasets.

Leverage Search: Find specific applications with -Search.

Sort Results: Organize output with -Sort.
Expand Related Entities:Include related entities with -ExpandProperty.
Handle Throttling: Implement retry logic for throttling errors.
Automate with Scripts: Integrate cmdlet into automation tasks..

Use Cases

Auditing and Managing Registered Applications:

Scenario: Organizations often need to audit the registered applications within Azure AD to ensure compliance with security policies and to monitor app usage.
Implementation: Use Get-MgApplication to retrieve all registered applications, checking for necessary security settings, permissions, and app secrets.
Benefit: Provides visibility into all applications registered in the directory, allowing administrators to ensure they meet security standards and identify any potentially risky apps.

Identifying Applications with Expiring Secrets:

Scenario: Applications often have secrets (client secrets or certificates) that expire and must be renewed periodically.
Implementation: Use Get-MgApplication to filter applications based on their secret or certificate expiration dates and generate a report for administrators to review and renew expiring credentials.
Benefit: Prevents disruptions by proactively managing expiring credentials, ensuring that applications continue functioning without interruptions.

Monitoring Permissions and Consent Status:

Scenario: IT admins need to keep track of which applications have been granted permissions (especially delegated or application-level permissions) to ensure they are only accessing necessary data.
Implementation: Use Get-MgApplication to list all applications with their assigned permissions, reviewing whether any apps have excessive permissions or require consent from an administrator.
Benefit: Improves security by ensuring that applications have only the necessary permissions, helping prevent unauthorized access to sensitive data.

Tracking Application Ownership Changes:

Scenario: Ownership of an application may change when an administrator leaves the organization or transitions to a new role.
Implementation: Use Get-MgApplication to find and update application owners, ensuring that a current employee is always responsible for managing the application.
Benefit: Maintains proper application management and accountability, preventing "orphaned" apps that lack a designated owner.

Frequently Asked Questions

What is Get-MgApplication used for?

Get-MgApplication is a Microsoft Graph PowerShell cmdlet used to retrieve application objects from Azure Active Directory. It allows filtering and selecting specific properties of registered applications.

How can I filter applications by display name?

Use the -Filter parameter to retrieve applications with a specific display name. For example: Get-MgApplication -Filter "displayName eq 'MyAppName'"

Can I export the list of applications to a CSV file?

Yes, you can export application details using the following script:


$Applications = Get-MgApplication -All
$Applications | Select-Object Id, DisplayName, AppId | Export-Csv -Path "C:\Path\To\Applications.csv" -NoTypeInformation

🚀 Use -Select to Optimize Response Size

Retrieving all application properties can slow down performance and clutter output. Use the -Property (or -Select) parameter to fetch only essential fields like AppId, DisplayName, and CreatedDateTime.

This is especially useful when working with large numbers of registered apps or building reports.

🔎 Identify Apps Without Owners

Use a combination of Get-MgApplication and Get-MgApplicationOwner to detect applications with no assigned owners.

Orphaned applications can pose governance and security risks — flag them for cleanup or reassignment.

Using New-MgApplication in Graph PowerShell
Using Remove-MgApplication in Graph PowerShell
Using Get-MgApplicationOwner in Graph PowerShell
Using New-MgApplicationOwnerByRef in Graph PowerShell

Graph PowerShell Explorer Widget

20 Graph PowerShell cmdlets with easily accessible "working" examples.

Permission Required

Example: