Updating applications in Microsoft Entra ID ensures that your application's permissions, features, and configuration stay aligned with organizational needs and security standards. For IT admins, tracking changes to required permissions or modifying access policies can become complex as applications evolve. Fortunately, there are direct and efficient ways to review, manage, and update your application.
Connect-MgGraph
Get-MgApplication -SearchString "YourApp"
Use the ObjectId of the application to modify properties such as display name, homepage URL, or reply URLs.
Update-MgApplication -ObjectId "<ObjectId>" -DisplayName "UpdatedAppName" -Homepage "https://updatedapp.com"
Example query:
Get-MgADApplication -SearchString "TestApp"
Update-MgApplication -ObjectId "8f96c8a2-22d1-4e7a-b2e5-7b9dc54b99a9" -DisplayName "TestAppUpdated" -Homepage "https://testappupdated.com"
Example output:
No direct output is shown. Run Get-MgADApplication -ObjectId "<ObjectId>" again to confirm the updated values.
The syntax is as follows:
Update-MgApplication
-ApplicationId <string>
[-ResponseHeadersVariable <string>]
[-AddIns <IMicrosoftGraphAddIn[]>]
[-AdditionalProperties ]
[-Api <IMicrosoftGraphApiApplication>]
[-AppId <string>]
[-AppManagementPolicies <IMicrosoftGraphAppManagementPolicy[]>]
[-AppRoles <IMicrosoftGraphAppRole[]>]
[-ApplicationTemplateId <string>]
[-AuthenticationBehaviors <IMicrosoftGraphAuthenticationBehaviors>]
[-Certification <IMicrosoftGraphCertification>]
[-CreatedDateTime ]
[-CreatedOnBehalfOf <IMicrosoftGraphDirectoryObject>]
[-DefaultRedirectUri <string>]
[-DeletedDateTime ]
[-Description <string>]
[-DisabledByMicrosoftStatus <string>]
[-DisplayName <string>]
[-ExtensionProperties <IMicrosoftGraphExtensionProperty[]>]
[-FederatedIdentityCredentials <IMicrosoftGraphFederatedIdentityCredential[]>]
[-GroupMembershipClaims <string>]
[-HomeRealmDiscoveryPolicies <IMicrosoftGraphHomeRealmDiscoveryPolicy[]>]
[-Id <string>]
[-IdentifierUris <string[]>]
[-Info <IMicrosoftGraphInformationalUrl>]
[-IsDeviceOnlyAuthSupported]
[-IsFallbackPublicClient]
[-KeyCredentials <IMicrosoftGraphKeyCredential[]>]
[-LogoInputFile <string>]
[-NativeAuthenticationApisEnabled <string>]
[-Notes <string>]
[-Oauth2RequirePostResponse]
[-OptionalClaims <IMicrosoftGraphOptionalClaims>]
[-Owners <IMicrosoftGraphDirectoryObject[]>]
[-ParentalControlSettings <IMicrosoftGraphParentalControlSettings>]
[-PasswordCredentials <IMicrosoftGraphPasswordCredential[]>]
[-PublicClient <IMicrosoftGraphPublicClientApplication>]
[-PublisherDomain <string>]
[-RequestSignatureVerification <IMicrosoftGraphRequestSignatureVerification>]
[-RequiredResourceAccess <IMicrosoftGraphRequiredResourceAccess[]>]
[-SamlMetadataUrl <string>]
[-ServiceManagementReference <string>]
[-ServicePrincipalLockConfiguration <IMicrosoftGraphServicePrincipalLockConfiguration>]
[-SignInAudience <string>]
[-Spa <IMicrosoftGraphSpaApplication>]
[-Synchronization <IMicrosoftGraphSynchronization>]
[-Tags <string[]>]
[-TokenEncryptionKeyId <string>]
[-TokenIssuancePolicies <IMicrosoftGraphTokenIssuancePolicy[]>]
[-TokenLifetimePolicies <IMicrosoftGraphTokenLifetimePolicy[]>]
[-UniqueName <string>]
[-VerifiedPublisher <IMicrosoftGraphVerifiedPublisher>]
[-Web <IMicrosoftGraphWebApplication>]
[-Break]
[-Headers <IDictionary>]
[-HttpPipelineAppend <SendAsyncStep[]>]
[-HttpPipelinePrepend <SendAsyncStep[]>]
[-Proxy <uri>]
[-ProxyCredential <pscredential>]
[-ProxyUseDefaultCredentials]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Example query:
Get the application details first.
$app = Get-MgApplication -Filter "DisplayName eq 'TestApp'"
Update the display name and homepage URL.
Update-MgApplication -ApplicationId $app.Id `
-DisplayName "TestAppUpdated" `
-Web @{ HomePageUrl = "https://testappupdated.com" }
Example output:
Id: 8f96c8a2-22d1-4e7a-b2e5-7b9dc54b99a9
AppId: 3d627de3-6f45-4e73-a589-81f3821fc56b
DisplayName: TestAppUpdated
SignInAudience: EntraIDMyOrg
PublisherDomain: testdomain.com
CreatedDateTime: 9/20/2025 6:13:45 PM
Web: @{HomePageUrl=https://testappupdated.com}
Api: @{RequestedAccessTokenVersion=2}
The application TestApp was successfully updated in Microsoft Entra ID. Its display name is now TestAppUpdated, and the homepage URL points to https://testappupdated.com. The app keeps its original unique Id and AppId, which are used for authentication, and it remains restricted to users in the tenant with the EntraIDMyOrg sign-in audience. It's still tied to the verified publisher domain testdomain.com and configured to use version 2 access tokens. In short, the update reflects the new branding while preserving the app's identity and core access settings.
ADManager Plus offers Microsoft 365 administrators a clean and user-friendly interface that makes everyday tasks simpler and more efficient.
Generate detailed reports on overall sign-in activity across Microsoft 365 to understand how users interact with applications. With over 200 prebuilt reports available, you can easily detect suspicious logins, inactive accounts, or unusual behavior that may indicate risk.
Automatically provision user accounts with the correct group memberships from day one. Event-driven automation ensures immediate updates to app and group access based on changes in user status, keeping access aligned with business policies.
Distribute routine Microsoft 365 tasks safely using role-based access control, allowing responsibilities to be shared without compromising security.
Modify multiple groups effortlessly by adjusting memberships, settings, or reorganizing groups to keep up with dynamic business requirements.
Conduct scheduled access reviews to evaluate group memberships governing application access. Identify and remove stale memberships or unnecessary privileges to reduce risk and enforce least-privilege access.
Before pushing updates to production, test any changes in a controlled environment to avoid service interruptions or unexpected user impact.
Before updating an application, verify the list of your organization's verified and federated domains. This ensures your application's authentication and federation configurations align with tenant settings and identity management policies.
Monitor your organizational subscriptions and license allocations. Updating applications may affect license usage, so ensure your tenant has sufficient licenses to support new or changed application features.
Combine application updates with identity governance practices such as access reviews and lifecycle management workflows to maintain a secure and compliant identity environment.
You can update desktop applications in Microsoft Entra ID using the Microsoft Entra admin center or PowerShell.
Using the Microsoft Entra admin center:
Using Microsoft Graph PowerShell:
Example to update redirect URIs:
Update-MgApplication -ApplicationId <YourAppId> -Web @{RedirectUris=@("https://newredirecturi.com")}
You can edit a custom application in Microsoft Entra ID using the Microsoft Entra admin center or Microsoft Graph PowerShell.
Using the Microsoft Entra admin center:
Using Microsoft Graph PowerShell:
Update-MgApplication -ApplicationId <AppId> -Api @{RequiredResourceAccess = <UpdatedPermissions>}
You can update application certificates in Microsoft Entra ID using the Microsoft Entra admin center or PowerShell.
Using the Microsoft Entra admin center:
Using Microsoft Graph PowerShell:
Update-MgApplication -ApplicationId <AppId> -PasswordCredentials @(
@{
CustomKeyIdentifier = [System.Text.Encoding]::UTF8.GetBytes("<CertificateIdentifier>")
StartDateTime = "<Start_Date>"
EndDateTime = "<End_Date>"
KeyId = "<Key_Id>"
Type = "AsymmetricX509Cert"
DisplayName = "<Certificate_DisplayName>"
}
)
You can update an application's API permissions using the Microsoft Entra admin center or PowerShell.
Using the Microsoft Entra admin center:
Using Microsoft Graph PowerShell:
Update-MgApplication -ApplicationId <AppId> -RequiredResourceAccess @(
@{
ResourceAppId = "<API_Resource_AppId>";
ResourceAccess = @(
@{
Id = "<Permission_Id>";
Type = "Scope"; # or "Role"
}
)
}
)
Ensure admin consent is granted after permission updates.