Skip to main content

SYNOPSIS

Retrieves all Entra ID applications configured for SCIM provisioning.

SYNTAX

All (Default)

ByObjectId

ByDisplayName

DESCRIPTION

This function returns a list of all Entra ID applications with SCIM provisioning enabled, along with their synchronization job details and settings.

EXAMPLES

EXAMPLE 1

Retrieves all Entra ID applications with SCIM provisioning enabled.

EXAMPLE 2

Forces sequential processing even on PowerShell 7+ (useful for debugging or to avoid concurrent Graph calls).

EXAMPLE 3

Returns only Entra Cloud Sync jobs, excluding application provisioning (SCIM) jobs.

EXAMPLE 4

Forces the function to disconnect and reconnect to Microsoft Graph to obtain a new access token.

EXAMPLE 5

Exports the SCIM configuration details to an Excel file.

EXAMPLE 6

Retrieves the SCIM configuration for a specific application by its ObjectID.

EXAMPLE 7

Retrieves the SCIM configuration for a specific application by its DisplayName.

EXAMPLE 8

Retrieves the SCIM configuration for all applications whose DisplayName starts with “Azure”.

EXAMPLE 9

Retrieves the SCIM configuration for all applications whose DisplayName contains “Provisioning”.

EXAMPLE 10

Gets all SCIM provisioning jobs using managed identity and sends a health report for apps with synchronization issues.

PARAMETERS

-ObjectID

(Optional) Retrieves the SCIM configuration for a specific application by its ObjectID.

-DisplayName

(Optional) Retrieves the SCIM configuration for a specific application by its DisplayName. Supports wildcards (* and ?) for partial name matching (e.g. “Azure*”, “Portal”).

-ExcludeAttributeMappings

(Optional) If specified, skips the retrieval of the attribute mapping schema (ObjectMappings). This speeds up execution significantly when mapping details are not needed.

-IncludeFailedObjects

(Optional) If specified, fetches the list of objects currently in error (escrowed) for each synchronization job via the provisioning audit logs API. Requires the AuditLog.Read.All permission. If connecting interactively, this scope is added automatically.

-ForceNewToken

(Optional) Forces the function to disconnect and reconnect to Microsoft Graph to obtain a new access token.

-ExportToExcel

(Optional) If specified, exports the results to an Excel file in the user’s profile directory.

-ExportPath

Optional output directory for the Excel export (defaults to the user profile).

-RunFromAzureAutomation

(Optional) If specified, uses managed identity authentication instead of interactive authentication. This is useful when running the script in Azure environments like Azure Functions, Logic Apps, or VMs with managed identity enabled. When this parameter is used, NotificationRecipient and NotificationSender are required. PowerShell modules used in Azure Automation must be a MAXIMUM of version 2.25.0 when using PowerShell < 7.4.0, because starting from version 2.26.0, PowerShell 7.4.0 is required, and Azure Automation does not support it yet as of February 2026. For PowerShell 7.4.0+, there are no version restrictions. https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/3147 https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/3151 https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/3166

-NotificationRecipient

(Required when RunFromAzureAutomation is enabled) Email address to receive synchronization health notifications.

-NotificationSender

(Required when RunFromAzureAutomation is enabled) Email address of the sender for synchronization health notifications.

-DisableParallel

(Optional) Forces sequential processing. By default, on PowerShell 7+ the function scans service principals in parallel (ForEach-Object -Parallel) to speed up discovery; on PowerShell 5.1 it always runs sequentially.

-ThrottleLimit

(Optional) Maximum number of concurrent runspaces when running in parallel. Default is 5. Keep this value moderate to avoid Microsoft Graph throttling (HTTP 429).

-EntraCloudSync

(Optional) Returns only Entra Cloud Sync jobs (synchronization templateId ‘AD2AADProvisioning’ or ‘AD2AADPasswordHash’), excluding application provisioning (SCIM) jobs. Note: Microsoft Graph has no tenant-wide endpoint to list synchronization jobs by templateId; jobs are nested per service principal, so this filter is applied client-side after enumerating service principals.

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

INPUTS

OUTPUTS

NOTES

LIMITATIONS The groups assignments are not retrieved because based on https://main.iam.ad.ext.azure.com This function requires the Microsoft.Graph.Applications and Microsoft.Graph.Authentication modules. https://ps365.clidsys.com/docs/commands/Get-MgApplicationSCIM