Edit

Share via


List servicePrincipals

Namespace: microsoft.graph

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Retrieve a list of servicePrincipal objects.

This API is available in the following national cloud deployments.

Global service US Government L4 US Government L5 (DOD) China operated by 21Vianet

Permissions

Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

Permission type Least privileged permissions Higher privileged permissions
Delegated (work or school account) Application.Read.All Application.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All
Delegated (personal Microsoft account) Not supported. Not supported.
Application Application.Read.All Application.ReadWrite.OwnedBy, Application.ReadWrite.All, Directory.Read.All

Important

In delegated scenarios with work or school accounts where the signed-in user is acting on another user, they must be assigned a supported Microsoft Entra role or a custom role with a supported role permission. The following least privileged roles are supported for this operation.

  • A non-admin member or guest user with default user permissions
  • Application Developer - read properties of service principals they own
  • Directory Readers - read standard properties
  • Global Reader
  • Directory Writers
  • Hybrid Identity Administrator
  • Security Administrator
  • Cloud Application Administrator
  • Application Administrator

Permissions for specific scenarios

  • A service principal can retrieve its own application and service principal details without being granted any application permissions.
  • The Application.ReadWrite.OwnedBy permission allows an app to call GET /applications and GET /servicePrincipals to list all applications and service principals in the tenant. This scope of access has been allowed for the permission.

HTTP request

GET /servicePrincipals

Optional query parameters

This method supports the $count, $expand, $filter, $orderby, $search, $select, and $top OData query parameters to help customize the response. The default and maximum page size is 100 service principal objects. Some queries are supported only when you use the ConsistencyLevel header set to eventual and $count. For more information, see Advanced query capabilities on directory objects.

By default, this API doesn't return the value of the key in the keyCredentials property when listing all service principals. To retrieve the public key info in key, the keyCredentials property must be specified in a $select query. For example, $select=id,appId,keyCredentials.

The use of $select to get keyCredentials for service principals has a throttling limit of 150 requests per minute for every tenant.

Request headers

Name Description
Authorization Bearer {token}. Required. Learn more about authentication and authorization.
ConsistencyLevel eventual. This header and $count are required when using $search, or in specific usage of $filter. For more information about the use of ConsistencyLevel and $count, see Advanced query capabilities on directory objects.

Request body

Don't supply a request body for this method.

Response

If successful, this method returns a 200 OK response code and collection of servicePrincipal objects in the response body.

Examples

Example 1: Get a list of service principals

Request

GET https://graph.microsoft.com/beta/servicePrincipals

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-type: application/json

{
  "value": [
    {
      "accountEnabled":true,
      "displayName":"amasf",
      "publisherName":"Contoso",
      "servicePrincipalType":"Application",
      "signInAudience":"AzureADMyOrg"
    }
  ]
}

Example 2: Get only a count of service principals

Request

The following example shows a request. This request requires the ConsistencyLevel header set to eventual because $count is in the request. For more information about the use of ConsistencyLevel and $count, see Advanced query capabilities on directory objects.

Note: The $count and $search query parameters are currently not available in Azure AD B2C tenants.

GET https://graph.microsoft.com/beta/servicePrincipals/$count
ConsistencyLevel: eventual

Response

The following example shows the response.

HTTP/1.1 200 OK
Content-type: text/plain

893

Example 3: Use $filter and $top to get one service principal with a display name that starts with 'a' including a count of returned objects

Request

The following example shows a request. This request requires the ConsistencyLevel header set to eventual and the $count=true query string because the request has both the $orderby and $filter query parameters. For more information about the use of ConsistencyLevel and $count, see Advanced query capabilities on directory objects.

Note: The $count and $search query parameters are currently not available in Azure AD B2C tenants.

GET https://graph.microsoft.com/beta/servicePrincipals?$filter=startswith(displayName, 'a')&$count=true&$top=1&$orderby=displayName
ConsistencyLevel: eventual

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-type: application/json

{
  "@odata.context":"https://graph.microsoft.com/beta/$metadata#servicePrinciples",
  "@odata.count":1,
  "value":[
    {
      "accountEnabled":true,
      "displayName":"a",
      "publisherName":"Contoso",
      "servicePrincipalType":"Application",
      "signInAudience":"AzureADMyOrg"
    }
  ]
}

Example 4: Use $search to get service principals with display names that contain the letters 'Team' including a count of returned objects

Request

The following example shows a request. This request requires the ConsistencyLevel header set to eventual because $search and the $count=true query string is in the request. For more information about the use of ConsistencyLevel and $count, see Advanced query capabilities on directory objects.

Note: The $count and $search query parameters are currently not available in Azure AD B2C tenants.

GET https://graph.microsoft.com/beta/servicePrincipals?$search="displayName:Team"&$count=true&$select=accountEnabled,displayName,publisherName,servicePrincipalType,signInAudience
ConsistencyLevel: eventual

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-type: application/json

{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#servicePrincipals(accountEnabled,displayName,publisherName,servicePrincipalType,signInAudience)",
  "@odata.count":1396,
  "value":[
    {
      "accountEnabled":true,
      "displayName":"myContosoTeam",
      "publisherName":"Contoso",
      "servicePrincipalType":"Application",
      "signInAudience":"AzureADMyOrg"
    }
  ]
}

Example 5: Get service principals with less than two owners

Request

The following example shows a request. This request requires the ConsistencyLevel header set to eventual because $count is in the request. For more information about the use of ConsistencyLevel and $count, see Advanced query capabilities on directory objects.

Note: The $count and $search query parameters are currently not available in Azure AD B2C tenants.

GET https://graph.microsoft.com/beta/serviceprincipals?$filter=owners/$count eq 0 or owners/$count eq 1&$count=true&$select=id,displayName
ConsistencyLevel: eventual

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#servicePrincipals(id,displayName)",
    "@odata.count": 3,
    "value": [
        {
            "id": "c4ca17b7-4f3e-4c3a-b884-bfa4100c745d",
            "displayName": "Box"
        },
        {
            "id": "b5966bf3-e895-4f01-ae19-64f434c35b58",
            "displayName": "LinkedIn"
        },
        {
            "id": "ed17bd95-fbef-43eb-abea-9496e46eee42",
            "displayName": "BrowserStack"
        }
    ]
}