Prerequisites
- Microsoft Graph PowerShell Module: Ensure you have the Microsoft Graph PowerShell module installed. You can install it using the following command:
  Install-Module Microsoft.Graph -Scope CurrentUser
- Permissions: You need the appropriate permissions to execute the New-MgApplication cmdlet. The required Graph API permission is: Application.ReadWrite.All
Cmdlet Syntax
The syntax for the New-MgApplication cmdlet is as follows:
New-MgApplication -DisplayName <String>
Usage Examples
Example 1: Create a Basic Application
New-MgApplication -DisplayName "My New App"
This command creates a new application with the display name "My New App".
Example 2: Create an Application with Required Resource Access
$requiredResourceAccess = @{
    ResourceAppId  = "00000003-0000-0000-c000-000000000000"
    ResourceAccess = @(
        @{ Id = "5778995d-ea1b-4c96-8554-4c13b5c7a61a"; Type = "Scope" }
    )
}
New-MgApplication -DisplayName "App with API Permissions" -RequiredResourceAccess $requiredResourceAccess
This command creates an application with the specified API permissions. ResourceAppId is the ID of the resource application, and ResourceAccess lists the permissions required. In this example, the resource (ResourceAppId) is the Microsoft Graph API, and the ResourceAccess Id is the ID of the permission scope the app needs to access the Graph API.
Example 3: Create a Web App Registration with Redirect URI
Connect-MgGraph -Scopes "Application.ReadWrite.All"
$params = @{
    DisplayName    = "M365Corner Web App"
    SignInAudience = "AzureADMyOrg"
    Web = @{
        RedirectUris = @(
            "https://m365corner.com/auth/callback"
        )
        HomePageUrl = "https://m365corner.com"
    }
}
$App = New-MgApplication -BodyParameter $params
$App | Select-Object DisplayName, AppId, Id, SignInAudience
What this script does
This script creates a new single-tenant web application registration in Microsoft Entra ID and configures a redirect URI. Redirect URIs are important for web apps that use Microsoft identity platform authentication.
Why this example is useful
This is useful when administrators or developers need to quickly register internal web apps, admin portals, reporting dashboards, or automation tools that require Microsoft 365 sign-in.
Example 4: Create an Application with Microsoft Graph API Permissions
Connect-MgGraph -Scopes "Application.ReadWrite.All"
$params = @{
    DisplayName    = "M365Corner Reporting App"
    SignInAudience = "AzureADMyOrg"
    RequiredResourceAccess = @(
        @{
            ResourceAppId  = "00000003-0000-0000-c000-000000000000"
            ResourceAccess = @(
                @{
                    Id   = "df021288-bdef-4463-88db-98f22de89214"
                    Type = "Role"
                }
                @{
                    Id   = "7ab1d382-f21e-4acd-a863-ba3e13f7da61"
                    Type = "Role"
                }
            )
        }
    )
}
$App = New-MgApplication -BodyParameter $params
$App | Select-Object DisplayName, AppId, Id
What this script does
This script creates a new app registration and adds Microsoft Graph application permissions to it.
Why this example is useful
This is valuable for automation and reporting apps that need to read Microsoft 365 user and directory data without relying on a signed-in user.
In this example, User.Read.All and Directory.Read.All (application permissions), with permission IDs df021288-bdef-4463-88db-98f22de89214 and 7ab1d382-f21e-4acd-a863-ba3e13f7da61 respectively, are assigned to the app.
Note: This only adds the requested API permissions to the app registration. An administrator still needs to grant admin consent before the app can use these application permissions.
Using Get-MgApplication to check for created applications
You can execute Get-MgApplication cmdlet to check for the newly created applications.
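Beyond confirming that an app exists, the same cmdlet supports a periodic review of what registrations request. The following added example (not from the original page) lists app registrations that request Microsoft Graph application permissions, as in Example 4, or that have redirect URIs that are not HTTPS or contain a wildcard. The function names are hypothetical, and it assumes a session connected with the Application.Read.All scope.

```powershell
# Added example: review app registrations for app-only Graph permissions
# and weak redirect URIs. Assumes: Connect-MgGraph -Scopes "Application.Read.All"
$GraphAppId = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph

function Get-GraphPermissionMap {          # hypothetical helper name
    # Build a permission Id -> name lookup from the Microsoft Graph service principal.
    $sp  = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
    $map = @{}
    foreach ($r in $sp.AppRoles)               { $map[[string]$r.Id] = $r.Value }
    foreach ($s in $sp.Oauth2PermissionScopes) { $map[[string]$s.Id] = $s.Value }
    return $map
}

function Get-AppRegistrationReview {       # hypothetical helper name
    param([Parameter(Mandatory)][hashtable]$PermissionMap)
    foreach ($app in Get-MgApplication -All) {
        # Names of requested Graph application (Type = "Role") permissions.
        $roles = foreach ($rra in $app.RequiredResourceAccess) {
            if ($rra.ResourceAppId -ne $GraphAppId) { continue }
            foreach ($ra in $rra.ResourceAccess) {
                if ($ra.Type -ne "Role") { continue }
                $name = $PermissionMap[[string]$ra.Id]
                if ($name) { $name } else { "unresolved:$($ra.Id)" }
            }
        }
        # Redirect URIs that are not HTTPS or that contain a wildcard.
        $weakUris = @($app.Web.RedirectUris | Where-Object {
            $_ -and ($_ -notmatch '^https://' -or $_ -match '\*')
        })
        if ($roles -or $weakUris) {
            [pscustomobject]@{
                DisplayName      = $app.DisplayName
                AppId            = $app.AppId
                SignInAudience   = $app.SignInAudience
                AppPermissions   = @($roles) -join ", "
                WeakRedirectUris = $weakUris -join ", "
            }
        }
    }
}

Get-AppRegistrationReview -PermissionMap (Get-GraphPermissionMap) |
    Sort-Object DisplayName | Format-Table -AutoSize
```

The output shows requested permissions only. Permissions that have actually been consented appear as app role assignments on the app's service principal, which Get-MgServicePrincipalAppRoleAssignment returns.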
Cmdlet Tips
- Use Descriptive Display Names: Always use a descriptive display name for your applications to easily identify them later.
- Manage Credentials Securely: Avoid hardcoding passwords. Use secure methods to manage credentials such as Azure Key Vault.
- Define Required Resource Access Properly: Ensure the ResourceAppId and ResourceAccess are correctly specified to grant the necessary permissions to your application.
Use Cases
- Automated Application Deployment: Automate the creation of applications during the deployment process to ensure consistency and save time.
- Bulk Application Creation: Create multiple applications programmatically for large environments or for testing purposes.
- Consistent Configuration: Ensure applications are created with consistent configurations by using predefined templates or scripts.
Possible Errors & Solutions
Error: Insufficient Privileges
Issue: Insufficient privileges to complete the operation.
Solution: Ensure you have the necessary permissions to create applications in Azure AD. You may need to be an Azure AD admin or have appropriate role assignments.
Error: Invalid Identifier URIs
Issue: The identifierUris property is invalid.
Solution: Verify that the URIs specified in the -IdentifierUris parameter are valid and unique within the directory.
Error: Required Resource Access Not Found
Issue: The resource access ID is not valid.
Solution: Check the ResourceAppId and ResourceAccess parameters to ensure they are correct and the specified resource exists.
Frequently Asked Questions
1. What is New-MgApplication used for?
New-MgApplication is a Microsoft Graph PowerShell cmdlet used to create Azure AD applications. These applications are often required for integrating with Microsoft 365 services or other systems.
2. What permissions are required to create Azure AD applications?
You need the Application.ReadWrite.All permission in Microsoft Graph PowerShell. Ensure appropriate permissions are granted in Azure AD.
3. What’s the difference between New-MgApplication and creating an app via the Azure Portal?
Both methods achieve the same outcome — registering an application in Azure AD.
- The Azure Portal provides a GUI-based experience, suitable for one-time manual registrations.
- New-MgApplication allows you to automate app creation, which is ideal for bulk operations, CI/CD pipelines, or scripting repeatable deployments.
Using Graph PowerShell is especially useful for DevOps teams, automated testing, or deploying multiple app instances with predefined settings.
4. Can I assign permissions or secrets while creating the app using New-MgApplication?
Yes, you can pass permissions and secrets during creation by including them in the -BodyParameter hashtable. However, in practice, many admins choose to:
- First use New-MgApplication to create the base app.
- Then use Add-MgServicePrincipal, Add-MgApplicationPassword, or Update-MgApplication to assign permissions or add credentials post-creation.
This modular approach provides better clarity and separates responsibilities like app identity creation, permission management, and credential provisioning.
Create New Application Using Microsoft Entra Admin Center (formerly Azure AD Admin Center)
- Log in to the Microsoft 365 Admin Center
- Select Identity (Microsoft Entra Admin Center) from Admin Centers
- Select Identity >> Applications >> App Registrations
- Enter the app details like the app name, who can use the app, redirect URI and click register.
Conclusion
The New-MgApplication cmdlet is a versatile and powerful tool for creating applications in Azure AD. By understanding its syntax, usage, and potential pitfalls, you can leverage this cmdlet to automate and streamline application management in your environment. Whether you're deploying a single application or managing a large-scale Azure AD setup, New-MgApplication provides the functionality needed to achieve your goals efficiently.
For more detailed information and examples, refer to the official Microsoft documentation: New-MgApplication
If You Prefer the Graph API Way
Note: Application objects (app registrations) can be created using the /applications endpoint. You can start with a minimal payload or include advanced configurations like required permissions via requiredResourceAccess.
- Create a Basic Application
# Define minimal app payload
$appPayload = @{
    displayName = "My New App"
}
# Create application
Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/applications" -Body ($appPayload | ConvertTo-Json -Depth 10)
✅ Equivalent to: New-MgApplication -DisplayName "My New App"
This creates an app registration with default values — without API permissions or redirect URIs.
- Create an Application with Required Resource Access (API Permissions)
# Define payload with Microsoft Graph API permissions
$appPayload = @{
    displayName = "App with API Permissions"
    requiredResourceAccess = @(
        @{
            resourceAppId  = "00000003-0000-0000-c000-000000000000" # Microsoft Graph
            resourceAccess = @(
                @{
                    id   = "5778995d-ea1b-4c96-8554-4c13b5c7a61a" # e.g., User.Read.All
                    type = "Scope" # or "Role" for app-only permissions
                }
            )
        }
    )
}
# Send request to create the application
Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/applications" -Body ($appPayload | ConvertTo-Json -Depth 10)
You can retrieve all available Graph permission IDs using:
https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'
🔁 This mirrors:
$requiredResourceAccess = @{
    ResourceAppId  = "00000003-0000-0000-c000-000000000000"
    ResourceAccess = @(
        @{ Id = "..."; Type = "Scope" }
    )
}
New-MgApplication -DisplayName "..." -RequiredResourceAccess $requiredResourceAccess
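Because the permission IDs can be read from the Microsoft Graph service principal, a script can resolve them by name and fail early on a typo instead of carrying pasted GUIDs. The following is an added example, not code from the original page; New-GraphRequiredResourceAccess is a hypothetical helper name, and it assumes an existing session from Connect-MgGraph -Scopes "Application.ReadWrite.All".

```powershell
# Added example: build RequiredResourceAccess from permission names
# rather than hard-coded GUIDs, and stop if a name does not resolve.
function New-GraphRequiredResourceAccess {   # hypothetical helper name
    param(
        [string[]]$ApplicationPermission = @(),   # app-only, Type = "Role"
        [string[]]$DelegatedPermission   = @()    # signed-in user, Type = "Scope"
    )
    $graphAppId = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph
    $sp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
    $access = @()
    foreach ($name in $ApplicationPermission) {
        $role = $sp.AppRoles | Where-Object {
            $_.Value -eq $name -and $_.AllowedMemberTypes -contains "Application"
        }
        if (-not $role) { throw "Unknown Graph application permission: $name" }
        $access += @{ Id = $role.Id; Type = "Role" }
    }
    foreach ($name in $DelegatedPermission) {
        $scope = $sp.Oauth2PermissionScopes | Where-Object { $_.Value -eq $name }
        if (-not $scope) { throw "Unknown Graph delegated permission: $name" }
        $access += @{ Id = $scope.Id; Type = "Scope" }
    }
    if ($access.Count -eq 0) { throw "No permissions requested." }
    return @{ ResourceAppId = $graphAppId; ResourceAccess = $access }
}

# Usage: the two application permissions from Example 4, resolved by name.
$rra = New-GraphRequiredResourceAccess -ApplicationPermission "User.Read.All", "Directory.Read.All"
$params = @{
    DisplayName            = "M365Corner Reporting App"
    SignInAudience         = "AzureADMyOrg"
    RequiredResourceAccess = @($rra)
}
$App = New-MgApplication -BodyParameter $params
$App | Select-Object DisplayName, AppId, Id
```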
Required Permissions
You must have Application.ReadWrite.All or Directory.ReadWrite.All permissions (admin consent required) to create applications.
Graph API Documentation
👉 POST /applications - Microsoft Graph v1.0