M365 PowerShell

Using New-MgServicePrincipal in Graph PowerShell

The New-MgServicePrincipal cmdlet is a powerful tool in the Microsoft Graph PowerShell module enabling administrators to create new service principals within the Microsoft 365 directory. This article delves into the syntax, usage example, tips, use cases, common errors and solutions relating to the cmdlet.

Prerequisites

Microsoft Graph PowerShell Module: Ensure you have the Microsoft Graph PowerShell module installed. You can install it using:
```
Install-Module Microsoft.Graph -Scope CurrentUser
```
API Permissions: To run the New-MgServicePrincipal cmdlet, the following API permissions are required:
- Application.ReadWrite.All: Allows the app to read and write all applications without a signed-in user.
- Directory.ReadWrite.All: Allows the app to read and write data in your organization's directory, such as users, groups, and apps without a signed-in user.
- Application.ReadWrite.OwnedBy: Allows the app to read and write applications and service principals that it owns without a signed-in user.
Ensure these permissions are granted in the Azure portal.

Cmdlet Syntax

New-MgServicePrincipal -BodyParameter <Object>

Usage Example

Here’s a straightforward example of creating a new service principal using the cmdlet:

$ServicePrincipalID = @{
    "AppId" = "fc876dd1-6bcb-4304-b9b6-18ddf1526b62"
}

New-MgServicePrincipal -BodyParameter $ServicePrincipalID | Format-List id DisplayName AppId SignInAudience

This script creates a service principal with the specified AppId and then formats the output to list key properties.

Expected Output:

Id             : ac483a5f-f291-4499-8a62-058547724579
DisplayName    : Example App
AppId          : ffdf268a-2fe2-49e1-8cd7-66ecb61641ec
SignInAudience : AzureADandPersonalMicrosoftAccount

Cmdlet Tips

JSON Body Parameter: The -BodyParameter expects a hash table or JSON object containing the necessary attributes for the service principal. Ensure that the JSON is well-formed.
Permissions: The user running this cmdlet must have appropriate permissions in Azure AD to create service principals.
Property Expansion: Use the Format-List or Select-Object cmdlets to view specific properties of the newly created service principal.

Use Cases

Application Integration: Creating service principals for applications that need to authenticate and access Azure or Microsoft 365 resources.
Automation: Enabling scripts and automation tools to securely access resources without user interaction.
Role Assignment: Assigning specific roles and permissions to applications adhering to the principle of least privilege.

Frequently Asked Questions

Can I create a service principal without first registering an application?

No, a service principal is always tied to an application registration. You must first register the app (or know its AppId) before creating a corresponding service principal using New-MgServicePrincipal.

What’s the difference between AppId and Id in the context of service principals?

AppId refers to the unique ID of the application registration across tenants..
Id (or ObjectId) refers to the unique ID of the service principal object within your specific tenant.When creating a service principal, use AppId, not ObjectId

When should I use New-MgServicePrincipal manually?

You should use it when:

You're working with multi-tenant apps where a service principal doesn’t yet exist in your tenant.
You’re automating provisioning across multiple tenants.
You need fine-grained control over app permissions and assignments via script.

Possible Errors & Solutions

Error	Cause	Solution
Insufficient Permissions	Authorization_RequestDenied	Ensure the user has the necessary Azure AD permissions to create service principals.
Invalid AppId	Request_BadRequest	Verify that the AppId provided in the -BodyParameter is correct and corresponds to a registered application.
Malformed JSON	Invalid request	Check the JSON structure in the -BodyParameter for syntax errors and ensure all required fields are included.

Not All Apps Require Manual Service Principal Creation

If you're registering applications via the Entra admin center or the Graph API, a service principal is typically auto-created in the home tenant. Use New-MgServicePrincipal only when you need to explicitly register a service principal for multi-tenant apps or external apps not yet represented in your directory.

Use AppId, Not ObjectId, When Creating Service Principals

When creating a new service principal using New-MgServicePrincipal, always use the -AppId of the application you want to associate. Using the -AppId ensures tenant-wide uniqueness, while ObjectId applies to a single directory object and is not accepted by this cmdlet.

Conclusion

The New-MgServicePrincipal cmdlet is essential for managing application identities within an Azure AD tenant. By understanding its syntax, usage, and handling common errors, M365 administrators can leverage this cmdlet to enhance security, automate tasks, and integrate applications efficiently.

Using Get-MgDirectoryRole in Graph PowerShell
Using Get-MgUserLicenseDetail in Graph PowerShell
Using Find-GraphMgCommand in Graph PowerShell
Connect to Microsoft 365 Using PowerShell
How to Create Bulk Users in Office 365 Using Graph PowerShell?
Create Microsoft 365 Group Using Microsoft Graph PowerShell
Block Microsoft 365 User Using Microsoft Graph PowerShell
Assign Microsoft 365 License Using Graph PowerShell
Microsoft 365 User Management Using Graph PowerShell
Checking Group Membership in Microsoft 365
Bulk Assign Microsoft 365 License
Find Inactive Users in Microsoft 365
Using Powershell Graph Search Query
Using Powershell Graph Filter Query
Using Where-Object In Graph PowerShell
Using Expand Property In Graph PowerShell
Using Select Object In Graph PowerShell
Using -Contains Operator In Graph PowerShell
Add User to Multiple Microsoft 365 Groups Using Graph PowerShell
Get Microsoft 365 User Location Using Graph PowerShell
Import Microsoft 365 Groups from CSV File Using Graph PowerShell
Microsoft 365 Group User Import Using Graph PowerShell