Https- Graph.microsoft.com V1.0 Applications May 2026

$cert = New-SelfSignedCertificate -Subject "CN=Automation" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec KeyExchange -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256 $base64Cert = [System.Convert]::ToBase64String($cert.RawData)

But $expand on passwordCredentials or keyCredentials is . Avoid it unless necessary. Instead, fetch apps first (no expand), then batch request credentials:

"requests": [ "id": "1", "method": "GET", "url": "/applications/id/passwordCredentials" , "id": "2", "method": "GET", "url": "/applications/id/keyCredentials" ] https- graph.microsoft.com v1.0 applications

But that’s not the same as a ( /servicePrincipals ), which is the instance of that app in a specific tenant.

In this post, we’ll tear down the endpoint, explore its hidden properties, look at real-world automation patterns, and cover the security pitfalls that even seasoned admins miss. Before writing code, we need to clear up a massive source of confusion. In this post, we’ll tear down the endpoint,

After creation, you need to create a service principal for that app to appear in "Enterprise applications":

"appId": "<the appId from above>"

If you're building a production automation that must last years, stick with /v1.0 . For one-off governance scripts or advanced scenarios, /beta is fine. Find all multi-tenant apps (anyone can consent) that have high-privilege permissions and no owner assigned (security risk):