Https- Graph.microsoft.com V1.0 Applications Direct

| Feature | /v1.0 | /beta | |---------|---------|---------| | Federated identity credentials (workload identity federation) | ❌ | ✅ | | App role assignment conditions | ❌ | ✅ | | serviceManagementReference | ❌ | ✅ | | uniqueName (human-readable app identifier) | ❌ | ✅ |

If you're building a production automation that must last years, stick with /v1.0 . For one-off governance scripts or advanced scenarios, /beta is fine. Find all multi-tenant apps (anyone can consent) that have high-privilege permissions and no owner assigned (security risk):

$body = @ displayName = "CI/CD Automation App" signInAudience = "AzureADMyOrg" keyCredentials = @( @ type = "AsymmetricX509Cert" usage = "Verify" key = $base64Cert startDateTime = (Get-Date -Format "yyyy-MM-ddTHH:mm:ssZ") endDateTime = (Get-Date).AddYears(1).ToString("yyyy-MM-ddTHH:mm:ssZ") https- graph.microsoft.com v1.0 applications

Invoke-RestMethod -Method Post -Uri "https://graph.microsoft.com/v1.0/applications" -Headers $authHeader -Body $body -ContentType "application/json"

But that’s not the same as a ( /servicePrincipals ), which is the instance of that app in a specific tenant. | Feature | /v1

"appId": "<the appId from above>"

Have you hit any weird edge cases with /applications ? Found an undocumented field? Let me know—I'm collecting them for a follow-up post. "appId": "&lt;the appId from above&gt;" Have you hit

If you manage identity in Microsoft 365, you’ve probably spent countless hours in the Azure AD portal clicking through "App registrations." But behind every click is a REST API call.

$cert = New-SelfSignedCertificate -Subject "CN=Automation" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec KeyExchange -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256 $base64Cert = [System.Convert]::ToBase64String($cert.RawData)