Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
A service principal can retrieve its own application and service principal details without being granted any application permissions.
The Application.ReadWrite.OwnedBy permission allows an app to call GET /applications and GET /servicePrincipals to list all applications and service principals in the tenant. This scope of access has been allowed for the permission.
HTTP request
You can address the service principal using either its id or appId. id and appId are referred to as the Object ID and Application (Client) ID, respectively, in app registrations in the Microsoft Entra admin center.
GET /servicePrincipals/{id}
GET /servicePrincipals(appId='{appId}')
Optional query parameters
This method supports the $select and $expandOData query parameters to help customize the response.
By default, this API doesn't return the public key value of the key in the keyCredentials property unless keyCredentials is specified in a $select query.
For example, $select=id,appId,keyCredentials.
The use of $select to get keyCredentials for service principals has a throttling limit of 150 requests per minute for every tenant.
Providing the Accept-Language header with a supported language code, such as es-ES or de-DE, will return localized values where available. Note that the header is not supported for list operations.
Request body
Don't supply a request body for this method.
Response
If successful, this method returns a 200 OK response code and a servicePrincipal object in the response body.
GET https://graph.microsoft.com/v1.0/servicePrincipals/00063ffc-54e9-405d-b8f3-56124728e051
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].GetAsync();
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
ServicePrincipal result = graphClient.servicePrincipals().byServicePrincipalId("{servicePrincipal-id}").get();
GET https://graph.microsoft.com/v1.0/servicePrincipals/7408235b-7540-4850-82fe-a5f15ed019e2?$select=id,appId,displayName,appRoles,oauth2PermissionScopes,resourceSpecificApplicationPermissions
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].GetAsync((requestConfiguration) =>
{
requestConfiguration.QueryParameters.Select = new string []{ "id","appId","displayName","appRoles","oauth2PermissionScopes","resourceSpecificApplicationPermissions" };
});
// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc service-principals get --service-principal-id {servicePrincipal-id} --select "id,appId,displayName,appRoles,oauth2PermissionScopes,resourceSpecificApplicationPermissions"
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
ServicePrincipal result = graphClient.servicePrincipals().byServicePrincipalId("{servicePrincipal-id}").get(requestConfiguration -> {
requestConfiguration.queryParameters.select = new String []{"id", "appId", "displayName", "appRoles", "oauth2PermissionScopes", "resourceSpecificApplicationPermissions"};
});
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#servicePrincipals(id,appId,displayName,appRoles,publishedPermissionScopes)/$entity",
"id": "7408235b-7540-4850-82fe-a5f15ed019e2",
"appId": "00000003-0000-0000-c000-000000000000",
"displayName": "Microsoft Graph",
"appRoles": [
{
"allowedMemberTypes": [
"Application"
],
"description": "Allows the app to read all class assignments without grades for all users without a signed-in user.",
"displayName": "Read all class assignments without grades",
"id": "6e0a958b-b7fc-4348-b7c4-a6ab9fd3dd0e",
"isEnabled": true,
"origin": "Application",
"value": "EduAssignments.ReadBasic.All"
}
],
"oauth2PermissionScopes": [
{
"adminConsentDescription": "Allows the app to see your users' basic profile (e.g., name, picture, user name, email address)",
"adminConsentDisplayName": "View users' basic profile",
"id": "14dad69e-099b-42c9-810b-d002981feec1",
"isEnabled": true,
"type": "User",
"userConsentDescription": "Allows the app to see your basic profile (e.g., name, picture, user name, email address)",
"userConsentDisplayName": "View your basic profile",
"value": "profile"
}
]
}
Example 3: Get the custom security attribute assignments of the specified service principal
The following example gets the custom security attributes of the specified service principal.
Attribute #1
Attribute set: Engineering
Attribute: Project
Attribute data type: Collection of Strings
Attribute value: ["Baker","Cascade"]
Attribute #2
Attribute set: Engineering
Attribute: CostCenter
Attribute data type: Collection of Integers
Attribute value: [1001]
Attribute #3
Attribute set: Engineering
Attribute: Certification
Attribute data type: Boolean
Attribute value: true
Attribute #4
Attribute set: Marketing
Attribute: Level
Attribute data type: String
Attribute value: "Public"
To get custom security attribute assignments, the calling principal must be assigned the Attribute Assignment Reader or Attribute Assignment Administrator role and must be granted the CustomSecAttributeAssignment.Read.All or CustomSecAttributeAssignment.ReadWrite.All permission.
GET https://graph.microsoft.com/v1.0/servicePrincipals/{id}?$select=customSecurityAttributes
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].GetAsync((requestConfiguration) =>
{
requestConfiguration.QueryParameters.Select = new string []{ "customSecurityAttributes" };
});
// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc service-principals get --service-principal-id {servicePrincipal-id} --select "customSecurityAttributes"
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
ServicePrincipal result = graphClient.servicePrincipals().byServicePrincipalId("{servicePrincipal-id}").get(requestConfiguration -> {
requestConfiguration.queryParameters.select = new String []{"customSecurityAttributes"};
});
If there are no custom security attributes assigned to the service principal or if the calling principal does not have access, the response will look like:
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.