Service principal API in Microsoft Graph is now generally available

Microsoft identity platform team

At Ignite 2019 we announced the general availability of the application API that allows you to programmatically create and configure applications. Building on that that momentum, we are excited to announce general availability of the service principal API in Microsoft Graph.

What is a service principal?

An application resource represents a global configuration of how an application integrates with the Microsoft identity platform. Developers configure a set of properties on the application resource like redirect URIs and secrets, that allows an application to request tokens from the Microsoft identity platform. The service principal resource represents an instance of an application within a specific tenant. Normally it’s created when someone from the tenant consents to use the application. A service principal is normally configured with a set of permissions and policies that allows the application to access various data sets within the customer’s tenant.

You can learn more about the relationship between applications and service principals by reading our applications and service principal objects in Azure Active Directory.

What does the service principal API offer?

With the service principal API, you can now programmatically manage instances of applications and control what an application can do within your tenant. For example, you can control who can use an application, and what resources the application has access to. This API allows developers and admins to programmatically add password credentials, roll expiring certificates, and manage delegated permission grants and application role assignments.

Service principals can be owners or members of other directory objects such as such as groups and roles. However, owner and member APIs for these resources do not yet return service principals in Microsoft Graph v1.0.  To ensure existing applications that are not expecting service principals when querying member and owner APIs are not broken, we will be rolling out these capabilities over the next couple of months.  If you want service principals when querying member and owner APIs we recommend using the beta version of Microsoft Graph until v1.0.

Get started with the service principal API in Microsoft Graph

With the service principal API now generally available you can switch from Azure AD Graph to Microsoft Graph for creating applications and managing application instances in target tenants. Microsoft Graph is the API for all your directory and access management needs and we encourage all developers to start using the Microsoft Graph as it includes many new Azure AD datasets and features that are not available in Azure AD Graph today. As we continue to invest in Microsoft Graph, we will add new Azure AD features to Microsoft Graph that will not be added to Azure AD Graph. Switch to Microsoft Graph to take advantage of these new APIs, all through one single endpoint.

Get started by reviewing our documentation and start using out service principal API today.

Tell us what you think!

We would love to hear your feedback through UserVoice or, through

– Microsoft identity platform team



Feedback usabilla icon