Skip to main content

SYNOPSIS

Retrieves all Microsoft Entra ID applications and their credentials (key and password).

SYNTAX

All (Default)

Get-MgApplicationCredential [-ExportToExcel] [-ForceNewToken] [-RunFromAzureAutomation]
 [-ExpirationThresholdDays <Int32>] [-NotificationRecipient <String>] [-NotificationSender <String>]
 [-ProgressAction <ActionPreference>] [<CommonParameters>]

ByObjectId

Get-MgApplicationCredential [-ObjectID <String>] [-ExportToExcel] [-ForceNewToken] [-RunFromAzureAutomation]
 [-ExpirationThresholdDays <Int32>] [-NotificationRecipient <String>] [-NotificationSender <String>]
 [-ProgressAction <ActionPreference>] [<CommonParameters>]

ByDisplayName

Get-MgApplicationCredential [-DisplayName <String>] [-ExportToExcel] [-ForceNewToken] [-RunFromAzureAutomation]
 [-ExpirationThresholdDays <Int32>] [-NotificationRecipient <String>] [-NotificationSender <String>]
 [-ProgressAction <ActionPreference>] [<CommonParameters>]

DESCRIPTION

This function returns a list of all Microsoft Entra ID applications with their credentials information, including key credentials and password credentials, along with their validity status. The function also retrieves the owners of each application.

EXAMPLES

EXAMPLE 1

Get-MgApplicationCredential
Retrieves all Microsoft Entra ID applications and their credentials.

EXAMPLE 2

Get-MgApplicationCredential -ObjectID "xxx-xxx-xxx"
Retrieves the credentials for a specific application by its ObjectID.

EXAMPLE 3

Get-MgApplicationCredential -DisplayName "My Application"
Retrieves the credentials for a specific application by its DisplayName.

EXAMPLE 4

Get-MgApplicationCredential -ForceNewToken
Forces the function to disconnect and reconnect to Microsoft Graph to obtain a new access token.

EXAMPLE 5

Get-MgApplicationCredential -ExportToExcel
Gets all application credentials and exports them to an Excel file.

EXAMPLE 6

Gets all application credentials using managed identity, exports them to an Excel file, and sends notification for credentials expiring within 15 days.

EXAMPLE 7

Get-MgApplicationCredential -RunFromAzureAutomation -ExpirationThresholdDays 30 -NotificationRecipient 'admin@company.com' -NotificationSender 'automation@company.com'
Gets all application credentials using managed identity authentication and sends notification for credentials expiring within 30 days.

EXAMPLE 8

Get-MgApplicationCredential -RunFromAzureAutomation -ExpirationThresholdDays 7 -NotificationRecipient 'admin@company.com' -NotificationSender 'automation@company.com'
Gets all application credentials using managed identity and sends email notification for credentials expiring within 7 days.

PARAMETERS

-ObjectID

(Optional) Retrieves the credentials for a specific application by its ObjectID. 
Type: String
Parameter Sets: ByObjectId
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-DisplayName

(Optional) Retrieves the credentials for a specific application by its DisplayName. 
Type: String
Parameter Sets: ByDisplayName
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-ExportToExcel

(Optional) If specified, exports the results to an Excel file in the user’s profile directory. 
Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-ForceNewToken

(Optional) Forces the function to disconnect and reconnect to Microsoft Graph to obtain a new access token. 
Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-RunFromAzureAutomation

(Optional) If specified, uses managed identity authentication instead of interactive authentication. This is useful when running the script in Azure environments like Azure Functions, Logic Apps, or VMs with managed identity enabled. When this parameter is used, ExpirationThresholdDays, NotificationRecipient and NotificationSender are required. PowerShell modules used in Azure Automation must be a MAXIMUM of version 2.25.0 when using PowerShell < 7.4.0, because starting from version 2.26.0, PowerShell 7.4.0 is required, and Azure Automation does not support it yet as of February 2026. For PowerShell 7.4.0+, there are no version restrictions. https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/3147 https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/3151 https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/3166 
Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-ExpirationThresholdDays

(Required when RunFromAzureAutomation is enabled) Number of days threshold for expiration notification. Default is 30 days. 
Type: Int32
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: 30
Accept pipeline input: False
Accept wildcard characters: False

-NotificationRecipient

(Required when RunFromAzureAutomation is enabled) Email address to receive expiration notifications. 
Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-NotificationSender

(Required when RunFromAzureAutomation is enabled) Email address of the sender for expiration notifications. 
Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

INPUTS

OUTPUTS

NOTES

https://ps365.clidsys.com/docs/commands/Get-MgApplicationCredential