Https-: Graph.microsoft.com V1.0 Applications
| Limit | Value | |-------|-------| | Requests per 10 seconds per app | 2,000 | | Requests per 10 seconds per tenant | 5,000 | | Max $top | 999 |
GET /applications?$expand=requiredResourceAccess Then compare with actual API calls. If you expose an API ( api.oauth2PermissionScopes ), the default scope user_impersonation is not automatically added. Many developers forget to define it, then wonder why "Sign in & read user profile" doesn't work. 6. Performance & Throttling Realities This endpoint lives under the /v1.0 workload, which has different throttling than /beta .
The endpoint https://graph.microsoft.com/v1.0/applications is the programmatic backbone of application identity management in Entra ID (formerly Azure AD). It’s powerful, subtle, and—if you’re not careful—dangerous.
| Entity | Endpoint | Tenant scope | Analogy | |--------|----------|--------------|---------| | Application | /v1.0/applications | Home tenant only | Blueprint | | Service Principal | /v1.0/servicePrincipals | One per tenant | Built house | https- graph.microsoft.com v1.0 applications
$body = @ displayName = "CI/CD Automation App" signInAudience = "AzureADMyOrg" keyCredentials = @( @ type = "AsymmetricX509Cert" usage = "Verify" key = $base64Cert startDateTime = (Get-Date -Format "yyyy-MM-ddTHH:mm:ssZ") endDateTime = (Get-Date).AddYears(1).ToString("yyyy-MM-ddTHH:mm:ssZ")
Whether you're automating app lifecycle, building an internal governance tool, or hunting for security misconfigurations, this endpoint is your scalpel. Use it with precision, respect its throttling limits, and always—always—validate the signInAudience before you deploy.
In Microsoft Graph, an ( /applications ) is the global, multi-tenant definition of an app—its logo, requested permissions, redirect URIs, and certs/secrets. | Limit | Value | |-------|-------| | Requests
But $expand on passwordCredentials or keyCredentials is . Avoid it unless necessary. Instead, fetch apps first (no expand), then batch request credentials:
Have you hit any weird edge cases with /applications ? Found an undocumented field? Let me know—I'm collecting them for a follow-up post.
POST /servicePrincipals
But that’s not the same as a ( /servicePrincipals ), which is the instance of that app in a specific tenant.
1. Over-privileged app roles via appRoles You can define custom roles in the appRoles array. The danger: any admin can assign users to those roles without extra approval if the app has been consented. Audit appRoles regularly. 2. Leaking identifierUris If your app uses identifierUris (e.g., api://my-app ), that URI becomes a potential token target. An attacker who can register a conflicting URI in another tenant cannot take over your app—but they can cause token validation confusion if your app incorrectly validates the aud claim. 3. requiredResourceAccess creep Apps can request requiredResourceAccess —permissions they need. Over time, developers add scopes but never remove old ones. Attackers can use orphaned, high-privilege permissions if an app's secret is compromised.
"requests": [ "id": "1", "method": "GET", "url": "/applications/id/passwordCredentials" , "id": "2", "method": "GET", "url": "/applications/id/keyCredentials" ] "requests": [ "id": "1"
"appId": "<the appId from above>"
