Related features:

Related Powershell Guides:

How to retrieve the properties and relationships of a service principal object using Get-MgServicePrincipal

Retrieving the properties and relationships of a servicePrincipal object

Service principals are security identities that grant applications and services access to Microsoft Entra ID resources, storing key details like application IDs, permissions, roles, and ownership. Admins need to access this information for security, compliance, and access management, during audits, and troubleshooting. While the Graph PowerShell's Get-MgServicePrincipal command, an alternative to the Get-AzureADServicePrincipal command, can be used to retrieve the service principal data, its complexity and non-intuitive interface make it a challenging option.

Retrieve the properties and relationships of a servicePrincipal object using Microsoft Graph PowerShell

Prerequisites

Before using the Get-MgServicePrincipal cmdlet, ensure the following:

  • The Microsoft Graph PowerShell module is installed. If not, install it using this script:
    Install-Module Microsoft.Graph -Scope CurrentUser
  • Connect to Microsoft Graph PowerShell with the following permissions to retrieve the properties and relationships of a service principal object
    Application.Read.All, Directory.ReadWrite.All, Directory.Read.All,
    Application.ReadWrite.OwnedBy, Application.ReadWrite.All,

Using the Get-MgServicePrincipal to retrieve properties and relationships of a service principal object

The Get-MgServicePrincipal cmdlet can be used in Microsoft Graph PowerShell to retrieve the properties and relationships of a service principal object. Here's the syntax:

Get-MgServicePrincipal
[-ExpandProperty <String[]>]
[-Property <String[]>]
[-Filter <String>]
[-Search <String>]
[-Skip <Int32>]
[-Sort <String[]>]
[-Top <Int32>]
[-ConsistencyLevel <String>]
[-ResponseHeadersVariable <String>]
[-Headers <IDictionary>]
[-PageSize <Int32>]
[-All]
[-CountVariable <String>]
[-ProgressAction <ActionPreference>]
[<CommonParameters>]

Example use cases and scripts using the Get-MgServicePrincipal cmdlet

Example 1: Get all service principals from the directory

Connect-MgGraph -Scopes 'Application.Read.All'
Get-MgServicePrincipal

Example 2: Get the service principal by display name

Connect-MgGraph -Scopes 'Application.Read.All'
Get-MgServicePrincipal -Filter "DisplayName eq 'Power BI Service'" |
Format-List Id, DisplayName, AppId, SignInAudience

Example 3: Get a count of the service principals

Connect-MgGraph -Scopes 'Application.Read.All'
Get-MgServicePrincipal -ConsistencyLevel eventual -Count spCount

Example 4: Use -Filter and -Top to get five service principals with a display name that starts with "a" including a count of returned objects

Connect-MgGraph -Scopes 'Application.Read.All'
Get-MgServicePrincipal -ConsistencyLevel eventual -Count spCount -Filter "startsWith(DisplayName, 'a')" -Top 5

Example 5: Use -Search to get service principals with display names that contain the letters "Team" including a count of returned objects

Connect-MgGraph -Scopes 'Application.Read.All'
Get-MgServicePrincipal -ConsistencyLevel eventual -Count spCount -Search '"DisplayName:Team"'

Supported parameters

The following table contains some parameters that can be used along with the Get-MgServicePrincipal command.

Parameters Description
-CountVariable This parameter specifies a count of the total number of items in a collection.
-Filter This parameter filters items by property values.
-Skip This parameter skips the first n items.
-Sort This parameter sorts items by property values.
-Top This parameter displays only the first n items.

Limitations of using Graph PowerShell scripts to retrieve the properties and relationships of service principal objects

  • Graph PowerShell requires IT admins to upgrade from Azure AD PowerShell and have familiarity with PowerShell scripting.
  • Microsoft Graph enforces API rate limits, which can slow down large queries or cause failures if too many requests are made in a short period.
  • Retrieving nested relationships like service principal role assignments requires multiple API calls and complex script logic.
  • Identifying and troubleshooting errors can be time-consuming and require technical expertise.
  • The lack of an intuitive interface makes the overall experience less user-friendly, particularly for those new to scripting.

Highlights of ADManager Plus

ManageEngine ADManager Plus is an identity governance and administration solution, with comprehensive Microsoft Entra ID management and reporting capabilities, that eliminates the hassle of complex PowerShell scripts. Its intuitive, user-friendly interface enables you to streamline even the most complex administrative tasks in minutes.

  • Provides an easy-to-use interface for managing and reporting on users, eliminating the need for complex PowerShell scripting or Graph API knowledge.
  • Simplify bulk operations through automation capabilities, optimizing large-scale environments, and eliminating the need for complex scripts.
  • Use prebuilt or custom templates to standardize management and reporting tasks.
  • Generate more than 200 prepackaged reports, with options to customize and export them in various formats, like CSV or HTML.
  • Delegate specific management and reporting tasks to technicians without granting them excessive permissions.

No more PowerShell hassles! Manage Microsoft Entra ID effortlessly with ADManager Plus.

Try it now for free
 
  • Retrieve the properties and relationships of a service principal object
  • Retrieve the properties and relationships of a service principal object using Microsoft Graph PowerShell
  • Limitations of using Graph PowerShell scripts to retrieve the properties and relationships of a service principal object
  • Highlights of ADManager Plus
The one-stop solution to Active Directory Management and Reporting
Highlights AD Management Active Directory Reports Exchange Management Popular products
Email Download Link