Https- Graph.microsoft.com V1.0 Applications Apr 2026

This reduces throttling risk and improves predictability. The /v1.0 endpoint is stable and production-safe. But missing features:

| Limit | Value | |-------|-------| | Requests per 10 seconds per app | 2,000 | | Requests per 10 seconds per tenant | 5,000 | | Max $top | 999 |

But that’s not the same as a ( /servicePrincipals ), which is the instance of that app in a specific tenant.

Query for apps with unused delegated permissions: https- graph.microsoft.com v1.0 applications

If you manage identity in Microsoft 365, you’ve probably spent countless hours in the Azure AD portal clicking through "App registrations." But behind every click is a REST API call.

Whether you're automating app lifecycle, building an internal governance tool, or hunting for security misconfigurations, this endpoint is your scalpel. Use it with precision, respect its throttling limits, and always—always—validate the signInAudience before you deploy.

$body = @ displayName = "CI/CD Automation App" signInAudience = "AzureADMyOrg" keyCredentials = @( @ type = "AsymmetricX509Cert" usage = "Verify" key = $base64Cert startDateTime = (Get-Date -Format "yyyy-MM-ddTHH:mm:ssZ") endDateTime = (Get-Date).AddYears(1).ToString("yyyy-MM-ddTHH:mm:ssZ") This reduces throttling risk and improves predictability

Have you hit any weird edge cases with /applications ? Found an undocumented field? Let me know—I'm collecting them for a follow-up post.

But $expand on passwordCredentials or keyCredentials is . Avoid it unless necessary. Instead, fetch apps first (no expand), then batch request credentials:

GET /applications?$filter=signInAudience eq 'AzureADMultipleOrgs'&$expand=owners($top=1),requiredResourceAccess If the response has an empty owners list, any admin in any tenant could theoretically modify the app's consent permissions. That's a red flag for supply chain risk. The /v1.0/applications endpoint looks simple on the surface—just CRUD on app registrations. But its real power comes from understanding the expansion properties, credential types, and the subtle boundary between application and service principal. Query for apps with unused delegated permissions: If

After creation, you need to create a service principal for that app to appear in "Enterprise applications":

In Microsoft Graph, an ( /applications ) is the global, multi-tenant definition of an app—its logo, requested permissions, redirect URIs, and certs/secrets.