Service principals in Microsoft Entra ID define how apps and automation tools access organizational resources. As the organization grows and changes, admins need clear visibility into available update actions, required permissions, and configuration options.
Fortunately, there are easy and reliable ways to review and update them in Microsoft Entra ID.
Connect-MgGraph -Scopes "Application.ReadWrite.All"
Get-MgServicePrincipal
Update-MgServicePrincipal -ServicePrincipalId <Id> -DisplayName "NewDisplayName"
Example query:
Connect-MgGraph -Scopes "Application.ReadWrite.All"
Update-MgServicePrincipal -ServicePrincipalId "72c3f3f9-2a17-4f55-b4b3-efb7cdb3f82e" `
-DisplayName "Updated-ServicePrincipal-Name"
Example output:
Id: 72c3f3f9-2a17-4f55-b4b3-efb7cdb3f82e
AppId: 8f96c8a2-22d1-4e7a-b2e5-7b9dc54b99a9
DisplayName: Updated-ServicePrincipal-Name
AccountEnabled: True
AppOwnerOrganizationId: 5d1a3b6c-4f8e-42d2-8d3a-9a7b1b4e8f00
ServicePrincipalType: Application
SignInAudience: AzureADMyOrg
CreatedDateTime: 9/25/2025 10:14:27
The syntax is as follows:
Update-MgServicePrincipal
-ServicePrincipalId <string>
[-ResponseHeadersVariable <string>]
[-AccountEnabled]
[-AddIns <IMicrosoftGraphAddIn[]>]
[-AdditionalProperties <hashtable>]
[-AlternativeNames <string[]>]
[-AppDescription <string>]
[-AppDisplayName <string>]
[-AppId <string>]
[-AppManagementPolicies <IMicrosoftGraphAppManagementPolicy[]>]
[-AppOwnerOrganizationId <string>]
[-AppRoleAssignedTo <IMicrosoftGraphAppRoleAssignment[]>]
[-AppRoleAssignmentRequired]
[-AppRoleAssignments <IMicrosoftGraphAppRoleAssignment[]>]
[-AppRoles <IMicrosoftGraphAppRole[]>]
[-ApplicationTemplateId <string>]
[-ClaimsMappingPolicies <IMicrosoftGraphClaimsMappingPolicy[]>]
[-CreatedObjects <IMicrosoftGraphDirectoryObject[]>]
[-CustomSecurityAttributes <hashtable>]
[-DelegatedPermissionClassifications <IMicrosoftGraphDelegatedPermissionClassification[]>]
[-DeletedDateTime <datetime>]
[-Description <string>]
[-DisabledByMicrosoftStatus <string>]
[-DisplayName <string>]
[-Endpoints <IMicrosoftGraphEndpoint[]>]
[-FederatedIdentityCredentials <IMicrosoftGraphFederatedIdentityCredential[]>]
[-HomeRealmDiscoveryPolicies <IMicrosoftGraphHomeRealmDiscoveryPolicy[]>]
[-Homepage <string>]
[-Id <string>]
[-Info <IMicrosoftGraphInformationalUrl>]
[-KeyCredentials <IMicrosoftGraphKeyCredential[]>]
[-LoginUrl <string>]
[-LogoutUrl <string>]
[-MemberOf <IMicrosoftGraphDirectoryObject[]>]
[-Notes <string>]
[-NotificationEmailAddresses <string[]>]
[-Oauth2PermissionGrants <IMicrosoftGraphOAuth2PermissionGrant[]>]
[-Oauth2PermissionScopes <IMicrosoftGraphPermissionScope[]>]
[-OwnedObjects <IMicrosoftGraphDirectoryObject[]>]
[-Owners <IMicrosoftGraphDirectoryObject[]>]
[-PasswordCredentials <IMicrosoftGraphPasswordCredential[]>]
[-PreferredSingleSignOnMode <string>]
[-PreferredTokenSigningKeyThumbprint <string>]
[-RemoteDesktopSecurityConfiguration <IMicrosoftGraphRemoteDesktopSecurityConfiguration>]
[-ReplyUrls <string[]>]
[-ResourceSpecificApplicationPermissions <IMicrosoftGraphResourceSpecificPermission[]>]
[-SamlSingleSignOnSettings <IMicrosoftGraphSamlSingleSignOnSettings>]
[-ServicePrincipalNames <string[]>]
[-ServicePrincipalType <string>]
[-SignInAudience <string>]
[-Synchronization <IMicrosoftGraphSynchronization>]
[-Tags <string[]>]
[-TokenEncryptionKeyId <string>]
[-TokenIssuancePolicies <IMicrosoftGraphTokenIssuancePolicy[]>]
[-TokenLifetimePolicies <IMicrosoftGraphTokenLifetimePolicy[]>]
[-TransitiveMemberOf <IMicrosoftGraphDirectoryObject[]>]
[-VerifiedPublisher <IMicrosoftGraphVerifiedPublisher>]
[-Break]
[-Headers <IDictionary>]
[-HttpPipelineAppend <SendAsyncStep[]>]
[-HttpPipelinePrepend <SendAsyncStep[]>]
[-Proxy <uri>]
[-ProxyCredential <pscredential>]
[-ProxyUseDefaultCredentials]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Example query:
Connect-MgGraph -Scopes "Application.ReadWrite.All"
Update-MgServicePrincipal -ServicePrincipalId "72c3f3f9-2a17-4f55-b4b3-efb7cdb3f82e" `
-DisplayName "HR-App-SP"
Example output:
Id: 72c3f3f9-2a17-4f55-b4b3-efb7cdb3f82e
AppId: 8f96c8a2-22d1-4e7a-b2e5-7b9dc54b99a9
DisplayName: HR-App-SP
AccountEnabled: True
AppOwnerOrganizationId: 5d1a3b6c-4f8e-42d2-8d3a-9a7b1b4e8f00
ServicePrincipalType: Application
SignInAudience: AzureADMyOrg
CreatedDateTime: 10/22/2025 11:10:34
The service principal HR-App-SP is identified by the unique Id 72c3f3f9-2a17-4f55-b4b3-efb7cdb3f82e and is linked to the application AppId 8f96c8a2-22d1-4e7a-b2e5-7b9dc54b99a9. It's active (AccountEnabled: True) and belongs to the organization 5d1a3b6c-4f8e-42d2-8d3a-9a7b1b4e8f00. The ServicePrincipalType is set to Application, indicating it represents an app identity within this tenant. The update confirms that the display name has been successfully changed to HR-App-SP.
ADManager Plus makes Microsoft 365 admin work easier with a simple, easy-to-use interface.
Create reports to track user sign-ins and see how people use Microsoft 365 apps. You can also access over 200 ready-made reports to spot unusual logins, inactive accounts, or risky behavior.
Set up new user accounts automatically with the right group memberships from day one. With event-based automation, access is added or removed as soon as a user's status changes, keeping everything up to date.
Assign routine Microsoft 365 admin tasks to others using role-based permissions, so work is shared safely without losing control.
Keep an eye on license usage, find unused or rarely used ones, reclaim them, and cut down on unnecessary costs.
Run regular reviews of group access to apps. Remove inactive users or extra permissions to reduce risk and follow the least-privilege principle.
Keep track of certificate and client secret expiry dates to prevent sudden authentication issues. Set up alerts or follow Microsoft Entra's recommendations to renew credentials ahead of time. Regular key rotation helps minimize downtime and lowers the risk of compromised credentials.
Make sure each service principal only has the access it truly needs. Remove unnecessary or excessive roles to maintain least-privilege access and stay aligned with Zero Trust practices.
Use certificates instead of client secrets whenever you can, as secrets expire faster and pose greater security risks. Leverage the Microsoft Graph servicePrincipalKeyExpiry recommendation to find and rotate credentials that are weak or nearing expiration.
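The expiry review described above, as an added example that is not part of the original article: it lists every certificate and client secret on a service principal that has expired or falls inside a rotation window, using only the Microsoft.Graph PowerShell cmdlets. It assumes the module is installed; the 30-day window and the function name are my own choices.

```powershell
# Added example (not from the original article): list service principal credentials that
# have expired or expire within $Days days, so they can be rotated before sign-ins fail.
# Assumes the Microsoft.Graph PowerShell module is installed. Application.Read.All is
# enough to read credential metadata; Graph never returns secret values.
Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

function Get-ExpiringServicePrincipalCredential {
    param([int]$Days = 30)   # rotation window; 30 days is an assumed default
    $now   = (Get-Date).ToUniversalTime()   # Graph timestamps are UTC
    $limit = $now.AddDays($Days)

    $sps = Get-MgServicePrincipal -All -Property "id,displayName,appId,keyCredentials,passwordCredentials"
    foreach ($sp in $sps) {
        # Normalise certificates and client secrets into one shape so a single check covers both.
        $creds = @()
        foreach ($k in $sp.KeyCredentials)      { $creds += [pscustomobject]@{ Kind = "Certificate ($($k.Usage))"; KeyId = $k.KeyId; Ends = $k.EndDateTime } }
        foreach ($p in $sp.PasswordCredentials) { $creds += [pscustomobject]@{ Kind = "ClientSecret";               KeyId = $p.KeyId; Ends = $p.EndDateTime } }

        foreach ($c in $creds) {
            if ($null -eq $c.Ends -or $c.Ends -gt $limit) { continue }   # healthy, outside the window
            $status = if ($c.Ends -lt $now) { "EXPIRED" } else {
                "Expires in $([math]::Floor(($c.Ends - $now).TotalDays)) days"
            }
            [pscustomobject]@{
                DisplayName        = $sp.DisplayName
                ServicePrincipalId = $sp.Id
                AppId              = $sp.AppId
                Credential         = $c.Kind
                KeyId              = $c.KeyId
                ExpiresOn          = $c.Ends
                Status             = $status
            }
        }
    }
}

# Most urgent rotations first.
Get-ExpiringServicePrincipalCredential -Days 30 |
    Sort-Object ExpiresOn |
    Format-Table DisplayName, Credential, KeyId, ExpiresOn, Status -AutoSize
```

Credentials stored on the app registration itself are returned by Get-MgApplication rather than Get-MgServicePrincipal; run the same loop over that cmdlet to cover them.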
You can add key credentials (certificates or secrets) to a service principal with the Add-MgServicePrincipalKey cmdlet from the Microsoft Graph PowerShell module. The request must carry proof of possession: a token signed with a key that is already registered and still valid on the service principal. Update-MgServicePrincipal, by contrast, edits the service principal's properties directly, typically the credential arrays. Scripting Add-MgServicePrincipalKey lets you roll expiring keys automatically. Always make sure you hold the appropriate permissions (Application.ReadWrite.All or Directory.ReadWrite.All).
Example snippet to add a key credential:
# Load the replacement certificate (public part only; no private key is sent to Graph).
$newCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new("<path-to-new-cert.cer>")
$params = @{
    keyCredential = @{
        type  = "AsymmetricX509Cert"
        usage = "Verify"
        key   = $newCert.RawData   # DER bytes of the certificate; the SDK base64-encodes byte arrays
    }
    passwordCredential = $null     # only needed for X509CertAndPassword keys, null otherwise
    proof = "<proof-token>"        # JWT signed with a key already registered on the service principal
}
Add-MgServicePrincipalKey -ServicePrincipalId "<ServicePrincipalId>" -BodyParameter $params
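As an added example that is not part of the original article, the following script builds the proof-of-possession token the snippet above leaves as a placeholder and uses it to register a replacement certificate. It assumes old.pfx (with private key) is a certificate currently registered on the service principal, new.cer is the replacement, and the placeholders are filled in; the audience value and 10-minute lifetime follow the Graph addKey proof requirements.

```powershell
# Added example (not from the original article): build the proof-of-possession JWT that addKey
# requires, signed with a certificate the service principal already trusts, then register a
# new certificate with it. Assumes: $spId is the service principal object id, old.pfx is the
# currently registered certificate with its private key, new.cer is the replacement.
Connect-MgGraph -Scopes "Application.ReadWrite.All" -NoWelcome

function ConvertTo-Base64Url([byte[]]$Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function New-KeyRolloverProof {
    param(
        [string]$ServicePrincipalId,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$SigningCert
    )
    $now = [DateTimeOffset]::UtcNow
    # x5t is the base64url-encoded SHA-1 thumbprint of the signing (already registered) certificate.
    $header = @{ alg = "RS256"; typ = "JWT"; x5t = ConvertTo-Base64Url $SigningCert.GetCertHash() }
    $claims = @{
        aud = "00000002-0000-0000-c000-000000000000"    # fixed audience required by addKey
        iss = $ServicePrincipalId                        # object id of the service principal
        nbf = $now.ToUnixTimeSeconds()
        exp = $now.AddMinutes(10).ToUnixTimeSeconds()    # proof tokens may live at most 10 minutes
    }
    $enc = [System.Text.Encoding]::UTF8
    $signingInput = (ConvertTo-Base64Url $enc.GetBytes(($header | ConvertTo-Json -Compress))) + "." +
                    (ConvertTo-Base64Url $enc.GetBytes(($claims | ConvertTo-Json -Compress)))
    # RS256 = RSASSA-PKCS1-v1_5 over SHA-256, using the private key of the existing certificate.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($SigningCert)
    $sig = $rsa.SignData($enc.GetBytes($signingInput),
                         [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                         [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    return $signingInput + "." + (ConvertTo-Base64Url $sig)
}

$spId    = "<ServicePrincipalId>"
$oldCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new("old.pfx", "<pfx-password>")
$newCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new("new.cer")

$body = @{
    keyCredential      = @{ type = "AsymmetricX509Cert"; usage = "Verify"; key = $newCert.RawData }
    passwordCredential = $null
    proof              = New-KeyRolloverProof -ServicePrincipalId $spId -SigningCert $oldCert
}
# Registers the new certificate; the old one stays valid until you remove it, so switch the
# client over first and then retire the old key with Remove-MgServicePrincipalKey.
Add-MgServicePrincipalKey -ServicePrincipalId $spId -BodyParameter $body
```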
Reply URLs are part of the service principal's servicePrincipal object and can be updated by modifying the ServicePrincipal resource. Use the Update-MgServicePrincipal cmdlet to set the ReplyUrls property with the new list of valid redirect URIs.
Update-MgServicePrincipal -ServicePrincipalId <ServicePrincipalId> -ReplyUrls @("https://newapp.redirect.uri")
This error usually means the usage field in your key credential is set to a value Microsoft Graph does not accept. Valid usage values include Sign, Verify, or VerifyEncrypted, depending on the key type.
To troubleshoot, check the usage value in your request body against the type of key you are adding. Example of a valid usage field:
"usage": "Verify"
Incorrect usage values will block updates and return the invalid property error.