Https- Graph.microsoft.com V1.0 Applications (Desktop)

Whether you're automating app lifecycle, building an internal governance tool, or hunting for security misconfigurations, this endpoint is your scalpel. Use it with precision, respect its throttling limits, and always—always—validate the signInAudience before you deploy.

| Entity | Endpoint | Tenant scope | Analogy | |--------|----------|--------------|---------| | Application | /v1.0/applications | Home tenant only | Blueprint | | Service Principal | /v1.0/servicePrincipals | One per tenant | Built house |

POST /servicePrincipals

"requests": [ "id": "1", "method": "GET", "url": "/applications/id/passwordCredentials" , "id": "2", "method": "GET", "url": "/applications/id/keyCredentials" ]

But $expand on passwordCredentials or keyCredentials is . Avoid it unless necessary. Instead, fetch apps first (no expand), then batch request credentials: https- graph.microsoft.com v1.0 applications

Have you hit any weird edge cases with /applications ? Found an undocumented field? Let me know—I'm collecting them for a follow-up post.

In Microsoft Graph, an ( /applications ) is the global, multi-tenant definition of an app—its logo, requested permissions, redirect URIs, and certs/secrets. Avoid it unless necessary

Query for apps with unused delegated permissions: