Using Update-MgApplication in Graph PowerShell

This guide explains how to use the Update-MgApplication cmdlet in Microsoft Graph PowerShell to modify Azure AD application properties. Learn how to update settings such as the display name and API permissions with practical examples.

In the Microsoft 365 environment, managing applications through automation is crucial for efficiency and scalability. The Update-MgApplication cmdlet in Graph PowerShell is designed to update properties of existing applications in your Azure AD. This guide covers prerequisites, cmdlet syntax, usage examples, cmdlet tips, possible errors and solutions, and use cases of the cmdlet.


Prerequisites

Before using the Update-MgApplication cmdlet, ensure the following prerequisites are met:

  • Microsoft Graph PowerShell Module: Install the Microsoft Graph PowerShell module if not already installed. You can do this using the command:
    Install-Module Microsoft.Graph -Scope CurrentUser
  • Admin Permissions: Ensure you have sufficient permissions to update applications in Azure AD. Typically, you need the Application.ReadWrite.All permission.
  • Authentication: Authenticate to Microsoft Graph using:
    Connect-MgGraph -Scopes "Application.ReadWrite.All"

Cmdlet Syntax

Update-MgApplication -ApplicationId <String> [-AddKey <IMicrosoftGraphPasswordCredential>] [-DisplayName <String>] [-AppRoles <IMicrosoftGraphAppRole[]>] [-GroupMembershipClaims <String>] [-RequiredResourceAccess <IMicrosoftGraphRequiredResourceAccess[]>] [<CommonParameters>]

Usage Examples

Example 1: Update Application Display Name

$applicationId = "your-application-id"
$updatedDisplayName = "New Application Name"

Update-MgApplication -ApplicationId $applicationId -DisplayName $updatedDisplayName

Example 2: Add Application Role

$applicationId = "your-application-id"
$appRole = @{
    Id = (New-Guid).Guid
    AllowedMemberTypes = @("User")
    DisplayName = "New Role"
    IsEnabled = $true
    Description = "Description of the new role"
    Value = "new.role"
}

Update-MgApplication -ApplicationId $applicationId -AppRoles @($appRole)
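-AppRoles replaces the application's whole appRoles collection, so passing only the new role asks Graph to drop every role already defined. The following read-modify-write version is an added example, not part of the original article; it assumes an existing Connect-MgGraph session and reuses the placeholder values from Example 2.

```powershell
# Added example: append an app role while keeping the roles already defined.
# -ApplicationId takes the application's object ID, not its appId (client ID).
$applicationId = "your-application-id"

# Read the current roles first; drop any null entry so an app without roles yields an empty array.
$app = Get-MgApplication -ApplicationId $applicationId -Property "id,displayName,appRoles"
$existingRoles = @($app.AppRoles | Where-Object { $_ })

$newRole = @{
    Id                 = (New-Guid).Guid
    AllowedMemberTypes = @("User")
    DisplayName        = "New Role"
    IsEnabled          = $true
    Description        = "Description of the new role"
    Value              = "new.role"
}

# Role values must be unique within one application; stop before sending a request that would be rejected.
if ($existingRoles.Value -contains $newRole.Value) {
    throw "App role value '$($newRole.Value)' already exists on '$($app.DisplayName)'."
}

# Rebuild the existing roles as plain hashtables and append the new one.
$mergedRoles = @(
    foreach ($role in $existingRoles) {
        @{
            Id                 = $role.Id
            AllowedMemberTypes = @($role.AllowedMemberTypes)
            DisplayName        = $role.DisplayName
            IsEnabled          = $role.IsEnabled
            Description        = $role.Description
            Value              = $role.Value
        }
    }
    $newRole
)

# -WhatIf previews the call; remove it once the merged list has been reviewed.
Update-MgApplication -ApplicationId $applicationId -AppRoles $mergedRoles -WhatIf
```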

Example 3: Update Required Resource Access

$applicationId = "your-application-id"
$resourceAccess = @{
    ResourceAppId = "00000003-0000-0000-c000-000000000000"
    ResourceAccess = @(
        @{
            Id = "57739978-127b-4163-a178-8f5bb15a0ac3"
            Type = "Scope"
        }
    )
}

Update-MgApplication -ApplicationId $applicationId -RequiredResourceAccess @($resourceAccess)

Cmdlet Tips

  • Use Get-MgApplication: Before updating an application, retrieve its current properties using Get-MgApplication to understand its existing configuration.
    Get-MgApplication -ApplicationId $applicationId
  • JSON Conversion: For complex properties, convert JSON strings to PowerShell objects.
    $jsonString = '{"ResourceAppId":"00000003-0000-0000-c000-000000000000","ResourceAccess":[{"Id":"57739978-127b-4163-a178-8f5bb15a0ac3","Type":"Scope"}]}'
    $requiredResourceAccess = $jsonString | ConvertFrom-Json
    Update-MgApplication -ApplicationId $applicationId -RequiredResourceAccess @($requiredResourceAccess)
  • Check Permissions: Ensure the necessary API permissions are granted to your account.

Possible Errors & Solutions

Error: Insufficient Privileges

Solution: Ensure your account has the Application.ReadWrite.All permission and that you've consented to this permission scope.

Error: Invalid Application ID

Solution: Verify the application ID and ensure it exists in your directory.

Get-MgApplication -ApplicationId $applicationId

Error: Property Not Allowed

Solution: Double-check the property names and their values. Some properties may be read-only or have specific formats.


Use Cases

  1. Updating Application Permissions After a Security Audit:
    • Scenario: During a security audit, administrators may discover that certain applications have been granted excessive permissions, potentially exposing sensitive data.
    • Implementation: Use Update-MgApplication to modify the application’s permissions, reducing access to only the necessary data and APIs.
    • Benefit: Helps maintain a secure environment by ensuring that applications are granted the least-privileged access necessary for their operation, reducing the risk of unauthorized data access.
  2. Modifying Application Settings After Organizational Changes:
    • Scenario: When an organization undergoes restructuring or changes in business processes, application settings may need to be updated to reflect new requirements, such as changing redirect URIs or application descriptions.
    • Implementation: Use Update-MgApplication to update application properties like ReplyUrls, AppRoles, or Tags to align with the organization’s current needs.
    • Benefit: Ensures that application settings remain relevant to the organization’s evolving structure, improving application management and reducing administrative overhead.
  3. Renewing Client Secrets or Certificates for an Application:
    • Scenario: Applications often use client secrets or certificates for authentication, which must be periodically renewed to maintain functionality.
    • Implementation: Use Update-MgApplication to update an application’s client secret or certificate details when the existing credentials are close to expiration.
    • Benefit: Ensures continuous operation of the application by renewing credentials before they expire, preventing service disruptions and improving security by regularly rotating credentials.
  4. Transferring Application Ownership:
    • Scenario: When an application owner leaves the organization or transitions to a different role, the ownership of the application needs to be transferred to another responsible user.
    • Implementation: Use Update-MgApplication to update the application’s Owners property, ensuring that the application has an active and accountable owner at all times.
    • Benefit: Prevents "orphaned" applications by ensuring each app has a designated owner responsible for its maintenance and security, promoting better application lifecycle management.
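
For use case 1, the sketch below trims an application's requested permissions to an audit allow-list and reports what would be dropped. It is an added example, not part of the original article; it assumes an existing Connect-MgGraph session, and the $approved allow-list is hypothetical, filled with the resource and permission IDs from Example 3.

```powershell
# Added example: reduce RequiredResourceAccess to the permissions an audit approved.
$applicationId = "your-application-id"   # object ID of the application

# Hypothetical allow-list from the audit: resource appId -> permission IDs the app may keep.
$approved = @{
    "00000003-0000-0000-c000-000000000000" = @("57739978-127b-4163-a178-8f5bb15a0ac3")
}

$app = Get-MgApplication -ApplicationId $applicationId -Property "id,displayName,requiredResourceAccess"

$kept    = [System.Collections.Generic.List[hashtable]]::new()
$removed = [System.Collections.Generic.List[object]]::new()

foreach ($resource in $app.RequiredResourceAccess) {
    # A resource missing from the allow-list has no approved IDs, so all of its entries are dropped.
    $allowedIds = @($approved[$resource.ResourceAppId])
    $keepEntries = @()

    foreach ($entry in $resource.ResourceAccess) {
        if ($allowedIds -contains $entry.Id) {
            $keepEntries += @{ Id = $entry.Id; Type = $entry.Type }
        }
        else {
            $removed.Add([pscustomobject]@{
                ResourceAppId = $resource.ResourceAppId
                PermissionId  = $entry.Id
                Type          = $entry.Type
            })
        }
    }

    if ($keepEntries.Count -gt 0) {
        $kept.Add(@{ ResourceAppId = $resource.ResourceAppId; ResourceAccess = $keepEntries })
    }
}

# Keep the list of dropped permissions as the audit record, then preview the update.
$removed | Format-Table -AutoSize
Update-MgApplication -ApplicationId $applicationId -RequiredResourceAccess $kept.ToArray() -WhatIf
```

Trimming RequiredResourceAccess changes what the application requests; permissions that were already consented remain on the service principal until those grants are removed separately.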

Frequently Asked Questions

1. What is Update-MgApplication used for?

Update-MgApplication is a Microsoft Graph PowerShell cmdlet used to update properties of Azure AD applications, such as their display name, redirect URIs, or permissions.

2. What permissions are required to use Update-MgApplication?

You need the Application.ReadWrite.All permission in Microsoft Graph PowerShell. Ensure this permission is granted in Azure AD.


Conclusion

The Update-MgApplication cmdlet is a powerful tool for managing and updating applications in Azure AD. By understanding its prerequisites, syntax, usage examples, and tips, you can effectively automate application management tasks. Keep in mind possible errors and their solutions to troubleshoot issues efficiently. Utilizing this cmdlet enhances your capability to maintain a secure and well-managed application environment.

For further details, read the official Microsoft Documentation for the cmdlet.

