Application management in Microsoft Entra ID revolves around tracking application registrations and enterprise applications that define how different services integrate with the directory. For IT admins, tracking these applications, along with their permissions, owners, and usage, can quickly get complicated, especially when multiple applications are registered across a tenant. Distinguishing between application objects and service principals, spotting unused or orphaned applications, and staying on top of security requirements adds to the challenge. But there are ways to reduce the hurdles of managing them at scale.
Connect-MgGraph -Scopes "Application.Read.All"
Get-MgApplication
Get-MgApplication -Filter "DisplayName eq 'AppName'"
Example query
Connect-MgGraph -Scopes "Application.Read.All"
Get-MgApplication -Filter "DisplayName eq 'TestApp'"
Example output:
Id: 8f96c8a2-22d1-4e7a-b2e5-7b9dc54b99a9
AppId: 3d627de3-6f45-4e73-a589-81f3821fc56b
DisplayName: TestApp
SignInAudience: EntraIDMyOrg
PublisherDomain: testdomain.com
CreatedDateTime: 9/20/2025 6:13:45 PM
Web: @{HomePageUrl=https://testapp.com}
Api: @{RequestedAccessTokenVersion=2}
The syntax is as follows:
Get-MgApplication
[-ExpandProperty <string[]>]
[-Property <string[]>]
[-Filter <string>]
[-Search <string>]
[-Skip <int>]
[-Sort <string[]>]
[-Top <int>]
[-ConsistencyLevel <string>]
[-ResponseHeadersVariable <string>]
[-Break]
[-Headers <IDictionary>]
[-HttpPipelineAppend <SendAsyncStep[]>]
[-HttpPipelinePrepend <SendAsyncStep[]>]
[-Proxy <uri>]
[-ProxyCredential <pscredential>]
[-ProxyUseDefaultCredentials]
[-PageSize <int>]
[-All]
[-CountVariable <string>]
[<CommonParameters>]
Example query:
Get-MgApplication -Filter "DisplayName eq 'YourApp'"
Example output
Id: 8f96c8a2-22d1-4e7a-b2e5-7b9dc54b99a9
AppId: 3d627de3-6f45-4e73-a589-81f3821fc56b
DisplayName: YourApp
SignInAudience: EntraIDMyOrg
PublisherDomain: testdomain.com
CreatedDateTime: 9/20/2025 6:13:45 PM
Web: @{HomePageUrl=https://testapp.com}
Api: @{RequestedAccessTokenVersion=2}
The output shows an application in Microsoft Entra ID called YourApp. It was created on Sept. 20, 2025 and is tied to the verified publisher domain testdomain.com. The application carries a unique Id, along with an AppId (client ID) that other services use when authenticating against it. Its SignInAudience is set to EntraIDMyOrg, which means only users from this tenant can sign in. Under the Web property, the application points to its homepage at https://testapp.com. The Api configuration notes that it expects version 2 access tokens when calling its APIs. Altogether, these settings define how Testapplication is registered in Microsoft Entra ID and how it interacts with both users and other services.
ADManager Plus helps Microsoft 365 admins with a clean, intuitive interface that makes everyday Microsoft 365 tasks simpler.
Generate reports on overall sign-in activity across Microsoft 365 to see how users interact with its applications, along with access to more than 200 other prebuilt reports. Spot suspicious logins, inactive usage, or unusual patterns that may point to risk.
Automatically provision user accounts with the right group memberships from day one. Event-driven automation ensures users gain or lose access to applications and groups immediately when their status changes, keeping access aligned with business rules.
Distribute everyday Microsoft 365 tasks with role-based access controls, ensuring responsibilities are shared without compromising security.
Monitor license usage and identify unused or underused licenses, reclaim them, and optimize costs across your tenant.
Run scheduled access reviews of groups that govern application access. Identify stale memberships and remove unnecessary privileges to minimize exposure and strengthen least-privilege policies.
Keep track of all applications connected to Microsoft Entra ID to stay aware of what's in your environment. Regular reviews help uncover shadow IT or unsanctioned applications, making sure no risky integrations slip through.
Check application permissions and owners on a regular basis to ensure each application has only the access it truly needs. Review both active and idle applications to prevent privilege creep and cut down on unnecessary exposure.
Spot applications that are inactive, orphaned, or outdated and retire them. This reduces your attack surface, closes unnecessary entry points, and prevents lingering access to sensitive data.
In the Microsoft Entra admin center, under Application registrations, select your application and look at the Overview page for the Application (client) ID.
Or, use this Microsoft Graph PowerShell script:
Get-MgApplication | Select DisplayName, AppId
Run this in Microsoft Graph PowerShell:
Get-MgApplication | Where-Object { $_.RequiredResourceAccess.ResourceAppId -eq "<targetAppId>" }
This lists applications requesting API permissions to the target.
Search applications registrations in Microsoft Graph PowerShell with this script:
Get-MgApplication | Where-Object { $_.RequiredResourceAccess.ResourceAccess -match "<PermissionId>" }
You can also filter by permissions in the Microsoft Entra admin center.
In Microsoft Graph PowerShell, run:
Get-MgApplication -ApplicationId <AppId> | Select DisplayName, AppId
Or search for the application name directly in application registrations in the Microsoft Entra admin center.