編集

次の方法で共有


Manage apps

Your app needs to be registered in Microsoft Entra ID before the Microsoft identity platform can authorize it to access data stored in Microsoft Entra or Microsoft 365 tenants. This condition applies to apps that you develop yourself, that your tenant owns, or that you access through an active subscription.

Many settings for apps are recorded as objects that can be accessed, updated, or deleted using Microsoft Entra PowerShell. In this article, you learn how to use Microsoft Entra PowerShell to manage app and service principal objects.

Prerequisites

To manage apps with Microsoft Entra PowerShell, you need:

Register an application

The following request creates an app by specifying only the required displayName property.

Connect-Entra -Scopes 'Application.ReadWrite.All'
New-EntraApplication -DisplayName 'My new application'

DisplayName        Id                                   AppId                                SignInAudience PublisherDomain
-----------        --                                   -----                                -------------- -----------
My new application aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb bbbbbbbb-1111-2222-3333-cccccccccccc MyOrg

The application is assigned an ID that's unique for apps in the tenant, and an appId that's globally unique in the Microsoft Entra ecosystem.

Create a service principal for an application

Connect-Entra -Scopes 'Application.ReadWrite.All'
$myApp=(Get-EntraApplication -Filter "DisplayName eq 'My new application'")
New-EntraServicePrincipal  -AppId $myApp.AppId 
DisplayName Id       AppId                                SignInAudience                       ServicePrincipalType
----------- --       -----                                --------------                       --------------------
My new application   bbbbbbbb-1111-2222-3333-cccccccccccc 00001111-aaaa-2222-bbbb-3333cccc4444 MyOrg Application

Configure basic properties for your app

You can configure multiple properties for your app. The following example shows how to update the display name of an application.

$application = Get-EntraApplication -Filter "DisplayName eq 'My new application'"
$parameters = @{
    ApplicationId = $application.Id
    DisplayName   = 'Contoso application'
}
Set-EntraApplication @parameters

The following example shows how to update the sign out url of an application:

Connect-Entra -Scopes 'Application.ReadWrite.All'
$application = Get-EntraApplication -Filter "DisplayName eq 'My new application'"
$appParams = @{
    ApplicationId = $application.Id
    LogoutUrl = 'https://contoso.com/Security/ADFS.aspx/logout'
}
Set-EntraApplication @appParams

For more information, see Set-EntraApplication.

Limit app sign-in to only assigned identities

Limiting app sign-ins to only assigned identities using Microsoft Entra PowerShell ensures that only authorized users can access your applications, thereby enhancing security and control.

Connect-Entra -Scopes 'Application.ReadWrite.All'
$application = Get-EntraApplication -Filter "DisplayName eq 'My new application'"
$servicePrincipalParams = @{
    ServicePrincipalId = $application.Id
    AppRoleAssignmentRequired = $True
}
Set-EntraServicePrincipal @servicePrincipalParams

Assign permissions to an app

You assign permissions to an app through the Microsoft Entra admin center or by using Microsoft Entra PowerShell. In PowerShell, you update the app's requiredResourceAccess property, including both existing and new permissions. If you only pass in new permissions, it removes any existing permissions that haven't been consented to.

Assigning permissions doesn't automatically grant them to the app. You must still grant admin consent using the Microsoft Entra admin center.

Connect-Entra -Scopes 'Application.ReadWrite.All'
$application = Get-EntraApplication -Filter "DisplayName eq 'My new application'"
$requiredResourceAccess = @(
  @{resourceAppId = '00000003-0000-0000-c000-000000000000'
      resourceAccess = @(
           @{
                 id = 'c79f8feb-a9db-4090-85f9-90d820caa0eb'
                 type = 'Scope'
             }
         @{
                id = '9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30'
                type = 'Role'
           } )})
Set-EntraApplication -ApplicationId $application.Id -RequiredResourceAccess $requiredResourceAccess 

Manage owners

Retrieve the owner of a service principal

Connect-Entra -Scopes 'Application.ReadWrite.All'
$servicePrincipalId = (Get-EntraServicePrincipal -Top 1).Id
Get-EntraServicePrincipalOwner -ServicePrincipalId $servicePrincipalId

Assign an owner to a service principal

Connect-Entra -Scopes 'Application.ReadWrite.All'
$servicePrincipalId = (Get-EntraServicePrincipal -Top 1).Id
$ownerId = (Get-EntraUser -Top 1).Id

$params = @{
    ServicePrincipalId = $servicePrincipalId
    RefObjectId = $ownerId
}
Add-EntraServicePrincipalOwner @params

This example shows how to add an owner to a service principal.

  • -ServicePrincipalId - specifies the unique identifier (ObjectId) of the service principal to which you want to add an owner.
  • -RefObjectId - specifies the unique identifier (ObjectId) of the user or group that you want to add as an owner of the specified service principal.

Get a list of all applications without user assignment

To get a list of all applications that don't require user assignment, use the following command.

Connect-Entra -Scopes 'Application.ReadWrite.All'
Get-EntraServicePrincipal -All | Where-Object {$_.appRoleAssignmentRequired -ne 'True'}
DisplayName                          Id                                     AppId                                  SignInAudience       ServicePrincipalType
-----------------------------------  -----------------------------------    ---------------------------------      -----------------    ------------------
Microsoft password reset service     00aa00aa-bb11-cc22-dd33-44ee44ee44ee   93625bc8-bfe2-437a-97e0-3d0060024faa   AzureADMultipleOrgs  Application
Microsoft.Azure.SyncFabric           11bb11bb-cc22-dd33-ee44-55ff55ff55ff   00000014-0000-0000-c000-000000000000   AzureADMultipleOrgs  Application
Azure Security Insights              22cc22cc-dd33-ee44-ff55-66aa66aa66aa   98785600-1bb7-4fb9-b9fa-19afe2c8a360   AzureADMultipleOrgs  Application