App registration in Microsoft Entra ID gives your custom apps and integrations secure access to company resources. As you add more apps, you'll need to track what's registered, what permissions they have, and how consent works. There are some easy methods to register applications in Microsoft Entra ID.
Connect-MgGraph -Scopes "Application.ReadWrite.All"
New-MgApplication -DisplayName "AppName"
New-MgApplication -DisplayName "AppName" -Web @{ RedirectUris = @("https://localhost") }
Get-MgApplication -Filter "DisplayName eq 'AppName'"
Example query:
# Connect to Microsoft Graph
Connect-MgGraph -Scopes "Application.ReadWrite.All"
# Register a new application
New-MgApplication -DisplayName "Test HR App" `
-Description "HR management portal for internal employees" `
-SignInAudience "AzureADMyOrg"
Example output:
Id: 3a4c5e8d-912f-4c9f-a3d2-bfa20a2c1d7a
AppId: 72d8b3c4-5f2a-4b93-9b4a-91e45a3df0f6
DisplayName: Test HR App
PublisherDomain: contoso.com
SignInAudience: AzureADMyOrg
CreatedDateTime: 10/22/2025 11:40:22
Api:
RequestedAccessTokenVersion: 2
The syntax is as follows:
New-MgApplication
[-ResponseHeadersVariable <string>]
[-AddIns <IMicrosoftGraphAddIn[]>]
[-AdditionalProperties <hashtable>]
[-Api <IMicrosoftGraphApiApplication>]
[-AppId <string>]
[-AppManagementPolicies <IMicrosoftGraphAppManagementPolicy[]>]
[-AppRoles <IMicrosoftGraphAppRole[]>]
[-ApplicationTemplateId <string>]
[-AuthenticationBehaviors <IMicrosoftGraphAuthenticationBehaviors>]
[-Certification <IMicrosoftGraphCertification>]
[-CreatedDateTime <datetime>]
[-CreatedOnBehalfOf <IMicrosoftGraphDirectoryObject>]
[-DefaultRedirectUri <string>]
[-DeletedDateTime <datetime>]
[-Description <string>]
[-DisabledByMicrosoftStatus <string>]
[-DisplayName <string>]
[-ExtensionProperties <IMicrosoftGraphExtensionProperty[]>]
[-FederatedIdentityCredentials <IMicrosoftGraphFederatedIdentityCredential[]>]
[-GroupMembershipClaims <string>]
[-HomeRealmDiscoveryPolicies <IMicrosoftGraphHomeRealmDiscoveryPolicy[]>]
[-Id <string>]
[-IdentifierUris <string[]>]
[-Info <IMicrosoftGraphInformationalUrl>]
[-IsDeviceOnlyAuthSupported]
[-IsFallbackPublicClient]
[-KeyCredentials <IMicrosoftGraphKeyCredential[]>]
[-LogoInputFile <string>]
[-NativeAuthenticationApisEnabled <string>]
[-Notes <string>]
[-Oauth2RequirePostResponse]
[-OptionalClaims <IMicrosoftGraphOptionalClaims>]
[-Owners <IMicrosoftGraphDirectoryObject[]>]
[-ParentalControlSettings <IMicrosoftGraphParentalControlSettings>]
[-PasswordCredentials <IMicrosoftGraphPasswordCredential[]>]
[-PublicClient <IMicrosoftGraphPublicClientApplication>]
[-PublisherDomain <string>]
[-RequestSignatureVerification <IMicrosoftGraphRequestSignatureVerification>]
[-RequiredResourceAccess <IMicrosoftGraphRequiredResourceAccess[]>]
[-SamlMetadataUrl <string>]
[-ServiceManagementReference <string>]
[-ServicePrincipalLockConfiguration <IMicrosoftGraphServicePrincipalLockConfiguration>]
[-SignInAudience <string>]
[-Spa <IMicrosoftGraphSpaApplication>]
[-Synchronization <IMicrosoftGraphSynchronization>]
[-Tags <string[]>]
[-TokenEncryptionKeyId <string>]
[-TokenIssuancePolicies <IMicrosoftGraphTokenIssuancePolicy[]>]
[-TokenLifetimePolicies <IMicrosoftGraphTokenLifetimePolicy[]>]
[-UniqueName <string>]
[-VerifiedPublisher <IMicrosoftGraphVerifiedPublisher>]
[-Web <IMicrosoftGraphWebApplication>]
[-Break]
[-Headers <IDictionary>]
[-HttpPipelineAppend <SendAsyncStep[]>]
[-HttpPipelinePrepend <SendAsyncStep[]>]
[-Proxy <uri>]
[-ProxyCredential <pscredential>]
[-ProxyUseDefaultCredentials]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Example query:
# Connect to Microsoft Graph
Connect-MgGraph -Scopes "Application.ReadWrite.All"
# Create a new app registration using the Microsoft Graph API call
Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/applications" -Body @{
displayName = "Test HR App"
description = "HR management portal for internal employees"
signInAudience = "AzureADMyOrg"
}
Example output:
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#applications/$entity",
"id": "3a4c5e8d-912f-4c9f-a3d2-bfa20a2c1d7a",
"appId": "72d8b3c4-5f2a-4b93-9b4a-91e45a3df0f6",
"displayName": "Test HR App",
"signInAudience": "AzureADMyOrg",
"publisherDomain": "contoso.com",
"createdDateTime": "2025-10-22T11:40:22Z"
}
The Test HR App application has been successfully registered through the Microsoft Graph API. It shares the same identifiers (AppId: 72d8b3c4-5f2a-4b93-9b4a-91e45a3df0f6 and Id: 3a4c5e8d-912f-4c9f-a3d2-bfa20a2c1d7a) and is now visible under App Registrations in the Microsoft Entra admin center. This confirms that the PowerShell Graph API approach mirrors the portal registration process, offering full automation capabilities for administrators.
ADManager Plus helps Microsoft 365 admins manage users, groups, and access efficiently through a centralized interface.
Create and modify users and groups individually or in bulk. Ensure the right people have access to the right resources without leaving orphaned accounts or unused groups.
Quickly update multiple groups at once, change memberships, adjust settings, or reorganize groups to match evolving business needs.
Access over 200 prebuilt reports, including group memberships, license usage, and user activity. Gain full visibility to support audits, track access patterns, and identify anomalies.
Regularly conduct access reviews. Identify unnecessary privileges, remove outdated memberships, and maintain least-privilege access across your tenant.
Use role-based delegation to assign day-to-day admin tasks safely. Empower teams to manage groups and users while maintaining oversight and control.
Automate repetitive tasks like user provisioning, group updates, and license management. Reduce manual effort and ensure processes are consistent and timely.
Right after registration, go to API permissions to add the scopes your app needs, such as Microsoft Graph User.Read or any custom API permissions. If the app requires organization-wide access, request admin consent to grant those permissions.
By default, new app registrations aren't visible to users. When the app is ready for use, enable visibility under Enterprise applications > Properties > Visible to users? to make it accessible. This helps keep test or development apps hidden until they're production-ready.
Determine early on whether your app will be a public client (no client secret, like mobile or desktop apps) or a confidential client (uses certificates or secrets for secure communication). Confidential apps need stricter handling of credentials and proper key management.
You can include key credentials such as certificates when creating an application with the New-MgApplication cmdlet by specifying the -KeyCredentials parameter along with an array of key credential objects. These credentials define authentication certificates or keys associated with the app. This allows you to securely configure the app's identity during creation.
Example snippet:
Make sure your certificate data is encoded correctly and matches Microsoft Graph requirements.
New-MgApplication -DisplayName "MyApp" -KeyCredentials @(@{type="AsymmetricX509Cert"; usage="Verify"; key="<certificate-bytes>"})
Extension properties are custom attributes added to an application for extra metadata or configuration. You use the -ExtensionProperties parameter with an array of extension property objects to include these during application creation.
These properties are helpful for storing organization-specific tags or flags directly on the app object. They assist with custom automation or filtering.
Example:
New-MgApplication -DisplayName "MyApp" -ExtensionProperties @(@{Name="customFlag"; DataType="String"; TargetObjects=@("Application")})
Password credentials are client secrets that the application uses to authenticate. To add passwords at creation, use the -PasswordCredentials parameter with an array of password credential objects. You define properties such as StartDateTime, EndDateTime, and SecretText (the plaintext secret).
Note that secrets are shown only during creation. Store it immediately.
$pwd = @{StartDateTime = (Get-Date); EndDateTime = (Get-Date).AddYears(1); SecretText = "YourSecretValue"}
New-MgApplication -DisplayName "MyApp" -PasswordCredentials @($pwd)
Use the -RequiredResourceAccess parameter to specify API permissions your application requires. This parameter expects an array of resource access objects indicating which APIs and delegated or application permissions the app needs.
Example:
$requiredResourceAccess = @{
ResourceAppId = "00000003-0000-0000-c000-000000000000"; # Microsoft Graph
ResourceAccess = @(@{Id = "5778995d-ea1b-4c96-8554-4c13b5c7a61a"; Type = "Scope"})
}
New-MgApplication -DisplayName "AppWithPermissions" -RequiredResourceAccess $requiredResourceAccess