Creating a service principal in Microsoft Entra ID lets applications, scripts, and automation tools securely authenticate and interact with an organization’s resources. When new projects or integrations arise, admins need a straightforward process to provision identities for these non-human accounts with the right permissions and settings.
Connect-MgGraph -Scopes "Application.ReadWrite.All"
Get-MgApplication -Filter "DisplayName eq 'AppName'"
New-MgServicePrincipal -AppId <AppId>
Example query
# Connect to Microsoft Graph
Connect-MgGraph -Scopes "Application.ReadWrite.All"
# Get the AppId of the registered application
$app = Get-MgApplication -Filter "DisplayName eq 'Test Sales App'"
# Create a service principal for the application
New-MgServicePrincipal -AppId $app.AppId
Example output:
Id: 5f8e7d3a-4c2b-4f6d-b1a2-c3d4e5f6a7b8
AppId: 72d8b3c4-5f2a-4b93-9b4a-91e45a3df0f6
DisplayName: Test Sales App
AccountEnabled: True
ServicePrincipalType: Application
SignInAudience: AzureADMyOrg
AppOwnerOrganizationId: 5d1a3b6c-4f8e-42d2-8d3a-9a7b1b4e8f00
CreatedDateTime: 10/22/2025 12:05:48
The syntax is as follows:
New-MgServicePrincipal
[-ResponseHeadersVariable <string>]
[-AccountEnabled]
[-AddIns <IMicrosoftGraphAddIn[]>]
[-AdditionalProperties <hashtable>]
[-AlternativeNames <string[]>]
[-AppDescription <string>]
[-AppDisplayName <string>]
[-AppId <string>]
[-AppManagementPolicies <IMicrosoftGraphAppManagementPolicy[]>]
[-AppOwnerOrganizationId <string>]
[-AppRoleAssignedTo <IMicrosoftGraphAppRoleAssignment[]>]
[-AppRoleAssignmentRequired]
[-AppRoleAssignments <IMicrosoftGraphAppRoleAssignment[]>]
[-AppRoles <IMicrosoftGraphAppRole[]>]
[-ApplicationTemplateId <string>]
[-ClaimsMappingPolicies <IMicrosoftGraphClaimsMappingPolicy[]>]
[-CreatedObjects <IMicrosoftGraphDirectoryObject[]>]
[-CustomSecurityAttributes <hashtable>]
[-DelegatedPermissionClassifications <IMicrosoftGraphDelegatedPermissionClassification[]>]
[-DeletedDateTime <datetime>]
[-Description <string>]
[-DisabledByMicrosoftStatus <string>]
[-DisplayName <string>]
[-Endpoints <IMicrosoftGraphEndpoint[]>]
[-FederatedIdentityCredentials <IMicrosoftGraphFederatedIdentityCredential[]>]
[-HomeRealmDiscoveryPolicies <IMicrosoftGraphHomeRealmDiscoveryPolicy[]>]
[-Homepage <string>]
[-Id <string>]
[-Info <IMicrosoftGraphInformationalUrl>]
[-KeyCredentials <IMicrosoftGraphKeyCredential[]>]
[-LoginUrl <string>]
[-LogoutUrl <string>]
[-MemberOf <IMicrosoftGraphDirectoryObject[]>]
[-Notes <string>]
[-NotificationEmailAddresses <string[]>]
[-Oauth2PermissionGrants <IMicrosoftGraphOAuth2PermissionGrant[]>]
[-Oauth2PermissionScopes <IMicrosoftGraphPermissionScope[]>]
[-OwnedObjects <IMicrosoftGraphDirectoryObject[]>]
[-Owners <IMicrosoftGraphDirectoryObject[]>]
[-PasswordCredentials <IMicrosoftGraphPasswordCredential[]>]
[-PreferredSingleSignOnMode <string>]
[-PreferredTokenSigningKeyThumbprint <string>]
[-RemoteDesktopSecurityConfiguration <IMicrosoftGraphRemoteDesktopSecurityConfiguration>]
[-ReplyUrls <string[]>]
[-ResourceSpecificApplicationPermissions <IMicrosoftGraphResourceSpecificPermission[]>]
[-SamlSingleSignOnSettings <IMicrosoftGraphSamlSingleSignOnSettings>]
[-ServicePrincipalNames <string[]>]
[-ServicePrincipalType <string>]
[-SignInAudience <string>]
[-Synchronization <IMicrosoftGraphSynchronization>]
[-Tags <string[]>]
[-TokenEncryptionKeyId <string>]
[-TokenIssuancePolicies <IMicrosoftGraphTokenIssuancePolicy[]>]
[-TokenLifetimePolicies <IMicrosoftGraphTokenLifetimePolicy[]>]
[-TransitiveMemberOf <IMicrosoftGraphDirectoryObject[]>]
[-VerifiedPublisher <IMicrosoftGraphVerifiedPublisher>]
[-Break]
[-Headers <IDictionary>]
[-HttpPipelineAppend <SendAsyncStep[]>]
[-HttpPipelinePrepend <SendAsyncStep[]>]
[-Proxy <uri>]
[-ProxyCredential <pscredential>]
[-ProxyUseDefaultCredentials]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Example query:
# Connect to Microsoft Graph
Connect-MgGraph -Scopes "Application.ReadWrite.All"
# Create the service principal via Microsoft Graph API
Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/servicePrincipals" -Body @{
appId = "72d8b3c4-5f2a-4b93-9b4a-91e45a3df0f6"
}
Example output
{
"id": "5f8e7d3a-4c2b-4f6d-b1a2-c3d4e5f6a7b8",
"appId": "72d8b3c4-5f2a-4b93-9b4a-91e45a3df0f6",
"displayName": "Test HR App",
"accountEnabled": true,
"servicePrincipalType": "Application",
"signInAudience": "AzureADMyOrg",
"appOwnerOrganizationId": "5d1a3b6c-4f8e-42d2-8d3a-9a7b1b4e8f00",
"createdDateTime": "2025-10-22T12:05:48Z"
}
The service principal Test HR App has been successfully created through Microsoft Graph API. It shares the same identifiers (AppId: 72d8b3c4-5f2a-4b93-9b4a-91e45a3df0f6, Id: 5f8e7d3a-4c2b-4f6d-b1a2-c3d4e5f6a7b8) and is now visible under Enterprise Applications in the Microsoft Entra admin center. This confirms that creating a service principal via the PowerShell Graph API mirrors the portal process, enabling full automation for assigning roles, configuring permissions, and managing access for applications within the tenant.
ADManager Plus offers Microsoft 365 admins a clean, intuitive interface that makes everyday Microsoft 365 tasks simpler.
Create, modify, and manage users, groups, and licenses at scale. Perform bulk updates, assign or revoke licenses, adjust group memberships, and track license usage with ease.
Schedule periodic access reviews of group memberships and privileges to ensure only the right people retain access. Strengthen compliance and maintain least-privilege policies effortlessly.
Cut down routine admin work by automating user provisioning, license assignments, attribute updates, and group management. Configure once and let the system take care of it on schedule.
Assign admin responsibilities with role-based access controls so teams can operate efficiently without compromising security.
Schedule and generate up-to-date reports automatically, and export them in multiple formats to stay audit-ready always.
When setting up your service principal, grant only the roles and scopes it actually needs to access resources. Sticking to the principle of least privilege limits security risks and potential misuse.
Right after creating the credentials—especially client secrets or certificates—copy and store them safely. They can't be viewed again later, so keep them in a secure location for app or automation authentication.
A service principal is tied to its local tenant and differs from the app object. In a multi-tenant setup, each tenant that grants consent or access automatically gets its own service principal.
If your app runs in Azure, use managed identities instead of service principals. They handle authentication without manual credential storage and automatically rotate secrets for better security.
You can specify key credentials such as certificates when creating a new service principal by including the -KeyCredentials parameter with an array of key credential objects. This lets you securely associate certificate keys with the service principal at creation, enabling strong authentication.
Example usage:
Ensure your keys are properly formatted and you have necessary permissions.
$keys = @(@{type = "AsymmetricX509Cert"; usage = "Verify"; key = [System.Convert]::FromBase64String("<base64-cert>")})
New-MgServicePrincipal -AppId "<AppId>" -KeyCredentials $keys
Use the -PasswordCredentials parameter to add client secrets during service principal creation. Provide details like start and end dates and the secret text. Password credentials act as client secrets for authentication.
Example snippet:
Remember to save the secret securely as it cannot be retrieved later.
$pwd = @{StartDateTime = (Get-Date); EndDateTime = (Get-Date).AddYears(1); SecretText = "YourSecretValue"}
New-MgServicePrincipal -AppId "<AppId>" -PasswordCredentials @($pwd)
The -Synchronization parameter allows configuring synchronization settings for service principals where directory sync scenarios apply. This sets up or modifies sync jobs connecting external identities or systems. Details depend on the synchronization schema and settings.
Due to complexity, you often need to provide a synchronization object describing how and when syncing occurs.
Example placeholder:
$synchronization = @{ ... } # Define sync job details
New-MgServicePrincipal -AppId "<AppId>" -Synchronization $synchronization
Assign owners by passing a list of owner references to the -Owners parameter during creation. Owners control permissions and manage the service principal.
Example:
$owners = @(@{Id="<OwnerObjectId>"})
New-MgServicePrincipal -AppId "<AppId>" -Owners $owners
Delegate permissions (OAuth2 permission grants) can be configured through the -Oauth2PermissionGrants or related parameters when creating a service principal. This defines what API scopes the service principal can access on behalf of a user.
Example:
$grants = @(@{ClientId="<ServicePrincipalId>"; ResourceId="<ResourceAppId>"; Scope="User.Read Mail.Read"})
New-MgServicePrincipal -AppId "<AppId>" -Oauth2PermissionGrants $grants