Get-EntraBetaApplication
Gets an application.
Syntax
GetQuery (Default)
Get-EntraBetaApplication
[-Top <Int32>]
[-All]
[-Filter <String>]
[-Property <String[]>]
[<CommonParameters>]
GetByValue
Get-EntraBetaApplication
[-SearchString <String>]
[-All]
[-Property <String[]>]
[<CommonParameters>]
GetById
Get-EntraBetaApplication
-ApplicationId <String>
[-All]
[-Property <String[]>]
[<CommonParameters>]
Description
The Get-EntraBetaApplication cmdlet gets a Microsoft Entra ID application.
Examples
Example 1: Get an application by ApplicationId
Connect-Entra -Scopes 'Application.Read.All'
Get-EntraBetaApplication -ApplicationId 'aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb'
DisplayName         Id                                   AppId                                SignInAudience PublisherDomain
-----------         --                                   -----                                -------------- ---------------
ToGraph_443democc3c aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb bbbbbbbb-1111-2222-3333-cccccccccccc AzureADMyOrg   contoso.com
This example demonstrates how to retrieve a specific application by providing its ID.
Example 2: Get all applications
Connect-Entra -Scopes 'Application.Read.All'
Get-EntraBetaApplication -All
DisplayName         Id                                   AppId                                SignInAudience                     PublisherDomain
-----------         --                                   -----                                --------------                     ---------------
test app            aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb bbbbbbbb-1111-2222-3333-cccccccccccc AzureADandPersonalMicrosoftAccount contoso.com
ToGraph_443DEM      cccccccc-4444-5555-6666-dddddddddddd dddddddd-5555-6666-7777-eeeeeeeeeeee AzureADMyOrg                       contoso.com
test adms           eeeeeeee-6666-7777-8888-ffffffffffff ffffffff-7777-8888-9999-gggggggggggg AzureADandPersonalMicrosoftAccount contoso.com
test adms app azure gggggggg-8888-9999-aaaa-hhhhhhhhhhhh hhhhhhhh-9999-aaaa-bbbb-iiiiiiiiiiii AzureADandPersonalMicrosoftAccount contoso.com
test adms2          iiiiiiii-aaaa-bbbb-cccc-jjjjjjjjjjjj jjjjjjjj-bbbb-cccc-dddd-kkkkkkkkkkkk AzureADandPersonalMicrosoftAccount contoso.com
This example demonstrates how to get all applications from Microsoft Entra ID.
Example 3: Get all applications without owners (ownerless applications)
Connect-Entra -Scopes 'Application.Read.All'
$apps = Get-EntraBetaApplication -All
$appsWithoutOwners = @()
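foreach ($app in $apps) {
    try {
        # -ErrorAction Stop turns a failed lookup into a terminating error so the catch
        # block runs; otherwise a failed call leaves $owners empty and the app is
        # wrongly reported as ownerless.
        $owners = Get-EntraBetaApplicationOwner -ApplicationId $app.Id -ErrorAction Stop
        if (-not $owners) {
            $appsWithoutOwners += $app
        }
    }
    catch {
        Write-Warning "Failed to check owners for app: $($app.DisplayName)"
    }
    # Optional: throttle to avoid rate limits (especially in large tenants)
    #Start-Sleep -Milliseconds 100
}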
$appsWithoutOwners | Select-Object DisplayName, Id, AppId
DisplayName          Id                                   AppId
-----------          --                                   -----
Contoso HR App       aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb bbbbbbbb-1111-2222-3333-cccccccccccc
Contoso Helpdesk App cccccccc-4444-5555-6666-dddddddddddd dddddddd-5555-6666-7777-eeeeeeeeeeee
Contoso Helpdesk App eeeeeeee-6666-7777-8888-ffffffffffff hhhhhhhh-9999-aaaa-bbbb-iiiiiiiiiiii
This example demonstrates how to get all applications without owners from Microsoft Entra ID.
Example 4: Get applications with expiring secrets in 30 days
Connect-Entra -Scopes 'Application.Read.All'
$expirationThreshold = (Get-Date).AddDays(30)
$appsWithExpiringPasswords = Get-EntraBetaApplication -All | Where-Object { $_.PasswordCredentials } |
    ForEach-Object {
        $app = $_
        # Note: -le also matches secrets whose EndDate is already in the past (expired secrets).
        $app.PasswordCredentials | Where-Object { $_.EndDate -le $expirationThreshold } |
            ForEach-Object {
                [PSCustomObject]@{
                    DisplayName       = $app.DisplayName
                    AppId             = $app.AppId
                    SecretDisplayName = $_.DisplayName
                    KeyId             = $_.KeyId
                    ExpiringSecret    = $_.EndDate
                }
            }
    }
$appsWithExpiringPasswords | Format-Table DisplayName, AppId, SecretDisplayName, KeyId, ExpiringSecret -AutoSize
DisplayName          AppId                                SecretDisplayName KeyId                                ExpiringSecret
-----------          -----                                ----------------- -----                                --------------
Helpdesk Application dddddddd-5555-6666-7777-eeeeeeeeeeee Helpdesk Password aaaaaaaa-0b0b-1c1c-2d2d-333333333333 11/18/2024
This example retrieves applications with expiring secrets within 30 days.
Example 5: Get applications with expiring certificates in 30 days
Connect-Entra -Scopes 'Application.Read.All'
$expirationThreshold = (Get-Date).AddDays(30)
$appsWithExpiringKeys = Get-EntraBetaApplication -All | Where-Object { $_.KeyCredentials } |
    ForEach-Object {
        $app = $_
        # Note: -le also matches certificates whose EndDate is already in the past (expired certificates).
        $app.KeyCredentials | Where-Object { $_.EndDate -le $expirationThreshold } |
            ForEach-Object {
                [PSCustomObject]@{
                    DisplayName            = $app.DisplayName
                    AppId                  = $app.AppId
                    CertificateDisplayName = $_.DisplayName
                    KeyId                  = $_.KeyId
                    ExpiringKeys           = $_.EndDate
                }
            }
    }
$appsWithExpiringKeys | Format-Table DisplayName, AppId, CertificateDisplayName, KeyId, ExpiringKeys -AutoSize
DisplayName          AppId                                CertificateDisplayName KeyId                                ExpiringKeys
-----------          -----                                ---------------------- -----                                ------------
Helpdesk Application dddddddd-5555-6666-7777-eeeeeeeeeeee My cert                aaaaaaaa-0b0b-1c1c-2d2d-333333333333 6/27/2024 11:49:17 AM
This example retrieves applications with expiring certificates within 30 days.
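Examples 4 and 5 compare EndDate against a single threshold, so credentials that have already expired come back alongside those about to expire. The following added example (not part of the original documentation) reports secrets and certificates together and separates the two cases. The function name Get-AppCredentialStatus, its parameters, the 365-day lifetime limit and the sample object are assumptions made for illustration.

```powershell
# Added example: Get-AppCredentialStatus is a hypothetical helper, not an Entra cmdlet.
function Get-AppCredentialStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Application,
        [int] $WarnDays = 30,          # same window as Examples 4 and 5
        [int] $MaxLifetimeDays = 365   # assumed policy limit; adjust to your standard
    )
    begin { $now = Get-Date; $soon = $now.AddDays($WarnDays) }
    process {
        $sets = @{ Secret = $Application.PasswordCredentials; Certificate = $Application.KeyCredentials }
        foreach ($kind in $sets.Keys) {
            foreach ($cred in @($sets[$kind])) {
                if ($null -eq $cred) { continue }
                if ($cred.EndDate -lt $now) { $status = 'Expired' }
                elseif ($cred.EndDate -le $soon) { $status = 'ExpiringSoon' }
                else { $status = 'Valid' }
                [PSCustomObject]@{
                    DisplayName    = $Application.DisplayName
                    AppId          = $Application.AppId
                    CredentialType = $kind
                    CredentialName = $cred.DisplayName
                    KeyId          = $cred.KeyId
                    EndDate        = $cred.EndDate
                    Status         = $status
                    LongLived      = ($cred.EndDate - $cred.StartDate).TotalDays -gt $MaxLifetimeDays
                }
            }
        }
    }
}

# Constructed sample object so the function can be tried without a tenant connection.
$t = Get-Date
$sample = [PSCustomObject]@{
    DisplayName         = 'Sample App (constructed)'
    AppId               = '00000000-0000-0000-0000-000000000000'
    PasswordCredentials = @(
        [PSCustomObject]@{ DisplayName = 'old secret'; KeyId = [guid]::NewGuid(); StartDate = $t.AddDays(-500); EndDate = $t.AddDays(-35) }
        [PSCustomObject]@{ DisplayName = 'current secret'; KeyId = [guid]::NewGuid(); StartDate = $t.AddDays(-80); EndDate = $t.AddDays(10) }
    )
    KeyCredentials      = @()
}
$sample | Get-AppCredentialStatus | Format-Table -AutoSize

# Against a tenant (cmdlets and properties as used in the examples on this page):
# Connect-Entra -Scopes 'Application.Read.All'
# Get-EntraBetaApplication -All -Property displayName, appId, passwordCredentials, keyCredentials |
#     Get-AppCredentialStatus | Where-Object Status -ne 'Valid'
```

Expired credentials are candidates for removal from the application object, while ExpiringSoon entries need rotation before the dependent workload loses access.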
Example 6: Get an application by display name
Connect-Entra -Scopes 'Application.Read.All'
Get-EntraBetaApplication -Filter "DisplayName eq 'ToGraph_443DEMO'"
DisplayName     Id                                   AppId                                SignInAudience PublisherDomain
-----------     --                                   -----                                -------------- ---------------
ToGraph_443DEMO cccccccc-4444-5555-6666-dddddddddddd dddddddd-5555-6666-7777-eeeeeeeeeeee AzureADMyOrg   contoso.com
In this example, we retrieve an application by its display name from Microsoft Entra ID.
Example 7: Search among retrieved applications
Connect-Entra -Scopes 'Application.Read.All'
Get-EntraBetaApplication -SearchString 'My new application 2'
DisplayName          Id                                   AppId                                SignInAudience                     PublisherDomain
-----------          --                                   -----                                --------------                     ---------------
My new application 2 kkkkkkkk-cccc-dddd-eeee-llllllllllll llllllll-dddd-eeee-ffff-mmmmmmmmmmmm AzureADandPersonalMicrosoftAccount contoso.com
This example demonstrates how to retrieve applications that match a specific search string from Microsoft Entra ID.
Example 8: Retrieve an application by identifierUris
Connect-Entra -Scopes 'Application.Read.All'
Get-EntraBetaApplication -Filter "identifierUris/any(uri:uri eq 'https://wingtips.wingtiptoysonline.com')"
This example demonstrates how to retrieve applications by their identifierUris from Microsoft Entra ID.
Example 9: List top 2 applications
Connect-Entra -Scopes 'Application.Read.All'
Get-EntraBetaApplication -Top 2
DisplayName    Id                                   AppId                                SignInAudience                     PublisherDomain
-----------    --                                   -----                                --------------                     ---------------
test app       aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb bbbbbbbb-1111-2222-3333-cccccccccccc AzureADandPersonalMicrosoftAccount contoso.com
ToGraph_443DEM cccccccc-4444-5555-6666-dddddddddddd dddddddd-5555-6666-7777-eeeeeeeeeeee AzureADMyOrg                       contoso.com
This example shows how you can retrieve two applications. You can use -Limit as an alias for -Top.
Example 10: List application app roles
Connect-Entra -Scopes 'Application.Read.All'
$application = Get-EntraBetaApplication -SearchString 'Contoso Helpdesk Application'
$application.AppRoles | Format-Table -AutoSize
AllowedMemberTypes  Description      DisplayName     Id                                   IsEnabled Origin      Value
------------------  -----------      -----------     --                                   --------- ------      -----
{User, Application} General All      General All     gggggggg-6666-7777-8888-hhhhhhhhhhhh True      Application Survey.Read
{Application}       General App Only General Apponly hhhhhhhh-7777-8888-9999-iiiiiiiiiiii True      Application Task.Write
{User}              General role     General         bbbbbbbb-1111-2222-3333-cccccccccccc True      Application General
This example shows how you can retrieve app roles for an application.
Example 11: List application oauth2PermissionScopes (delegated permissions exposed by the app)
Connect-Entra -Scopes 'Application.Read.All'
(Get-EntraBetaApplication -Filter "displayName eq 'Contoso Helpdesk Application'").Api.Oauth2PermissionScopes
AdminConsentDescription : Allows the app to read HR data on behalf of users.
AdminConsentDisplayName : Read HR Data
Id : bbbbbbbb-1111-2222-3333-cccccccccccc
IsEnabled : True
Origin :
Type : User
UserConsentDescription : Allows the app to read your HR data.
UserConsentDisplayName : Read your HR data
Value : HR.Read.All
This example shows how you can retrieve oauth2PermissionScopes (i.e., delegated permissions exposed by the app) to a service principal. These scopes are part of the application object.
Example 12: List applications and their secret details
Connect-Entra -Scopes 'Application.Read.All'
Get-EntraBetaApplication -All -Property displayName, appId, passwordCredentials |
    Where-Object { $_.PasswordCredentials } |
    ForEach-Object {
        $app = $_
        foreach ($cred in $app.PasswordCredentials) {
            [PSCustomObject]@{
                DisplayName                    = $app.DisplayName
                AppId                          = $app.AppId
                PasswordCredentialsDisplayName = $cred.DisplayName
                PasswordCredentialStartDate    = $cred.StartDate
                PasswordCredentialEndDate      = $cred.EndDate
            }
        }
    } |
    Format-Table -AutoSize
DisplayName            AppId                                PasswordCredentialsDisplayName PasswordCredentialStartDate PasswordCredentialEndDate
-----------            -----                                ------------------------------ --------------------------- -------------------------
Helpdesk Application   gggggggg-6666-7777-8888-hhhhhhhhhhhh Helpdesk Application Password  8/20/2024 7:54:25 AM        11/18/2024 7:54:25 AM
Helpdesk Application   gggggggg-6666-7777-8888-hhhhhhhhhhhh Helpdesk Application Backend   8/7/2024 4:36:49 PM         2/3/2025 4:36:49 PM
Contoso Automation App bbbbbbbb-1111-2222-3333-cccccccccccc AI automation Cred             5/3/2025 7:03:11 PM         5/3/2026 7:03:11 PM
This example shows how you can retrieve applications that have secrets.
Parameters
-All
List all pages.
Parameter properties
Type: | System.Management.Automation.SwitchParameter |
Default value: | False |
Supports wildcards: | False |
DontShow: | False |
Parameter sets
(All)
Position: | Named |
Mandatory: | False |
Value from pipeline: | False |
Value from pipeline by property name: | False |
Value from remaining arguments: | False |
-ApplicationId
Specifies the ID of an application in Microsoft Entra ID.
Parameter properties
Type: | System.String |
Default value: | None |
Supports wildcards: | False |
DontShow: | False |
Aliases: | ObjectId |
Parameter sets
GetById
Position: | Named |
Mandatory: | True |
Value from pipeline: | True |
Value from pipeline by property name: | True |
Value from remaining arguments: | False |
-Filter
Specifies an OData v4.0 filter statement. This parameter controls which objects are returned.
Parameter properties
Type: | System.String |
Default value: | None |
Supports wildcards: | False |
DontShow: | False |
Parameter sets
GetQuery
Position: | Named |
Mandatory: | False |
Value from pipeline: | True |
Value from pipeline by property name: | True |
Value from remaining arguments: | False |
-Property
Specifies properties to be returned.
Parameter properties
Type: | System.String[] |
Default value: | None |
Supports wildcards: | False |
DontShow: | False |
Aliases: | Select |
Parameter sets
(All)
Position: | Named |
Mandatory: | False |
Value from pipeline: | False |
Value from pipeline by property name: | False |
Value from remaining arguments: | False |
-SearchString
Specifies a search string.
Parameter properties
Type: | System.String |
Default value: | None |
Supports wildcards: | False |
DontShow: | False |
Parameter sets
GetVague
Position: | Named |
Mandatory: | False |
Value from pipeline: | True |
Value from pipeline by property name: | True |
Value from remaining arguments: | False |
-Top
Specifies the maximum number of records to return.
Parameter properties
Type: | System.Int32 |
Default value: | None |
Supports wildcards: | False |
DontShow: | False |
Aliases: | Limit |
Parameter sets
GetQuery
Position: | Named |
Mandatory: | False |
Value from pipeline: | True |
Value from pipeline by property name: | True |
Value from remaining arguments: | False |
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.