In Microsoft Graph, an ( /applications ) is the global, multi-tenant definition of an app—its logo, requested permissions, redirect URIs, and certs/secrets.
In this post, we’ll tear down the endpoint, explore its hidden properties, look at real-world automation patterns, and cover the security pitfalls that even seasoned admins miss. Before writing code, we need to clear up a massive source of confusion. https- graph.microsoft.com v1.0 applications
| Entity | Endpoint | Tenant scope | Analogy | |--------|----------|--------------|---------| | Application | /v1.0/applications | Home tenant only | Blueprint | | Service Principal | /v1.0/servicePrincipals | One per tenant | Built house | In Microsoft Graph, an ( /applications ) is
But that’s not the same as a ( /servicePrincipals ), which is the instance of that app in a specific tenant. | Entity | Endpoint | Tenant scope |
GET /applications?$expand=requiredResourceAccess Then compare with actual API calls. If you expose an API ( api.oauth2PermissionScopes ), the default scope user_impersonation is not automatically added. Many developers forget to define it, then wonder why "Sign in & read user profile" doesn't work. 6. Performance & Throttling Realities This endpoint lives under the /v1.0 workload, which has different throttling than /beta .
But $expand on passwordCredentials or keyCredentials is . Avoid it unless necessary. Instead, fetch apps first (no expand), then batch request credentials: