
I'm looking for a way to retrieve all details for an application using its Application ID (client_id). Something similar to the Graph endpoint https://graph.microsoft.com/v1.0/servicePrincipals?$search="appId:<client_id>", but this endpoint only returns data if the Application is used somewhere in my own tenant. I'm looking for a globally available method to retrieve this information for any available application. Specifically, I'm looking for information on whether the publisher of an application is verified.

Some of the information I'm looking for is also available by calling https://login.microsoftonline.com/common/adminconsent?client_id=<client_id>

For example, when using the client_id for the Gmail app, calling this URL https://login.microsoftonline.com/common/adminconsent?client_id=2cee05de-2b8f-45a2-8289-2a06ca32c4c8 will prompt me for consent and shows me the name, publisher, logo and validation status. In this case: Gmail, Google LLC, and it's a verified publisher. I want to be able to retrieve this information programmatically so I can enrich user consent warnings with this information in my SIEM across multiple tenants. And preferably without having to ask for consent.

Hi, @Vaisha Bernard. If my reply is helpful, please accept it as answer, thank you. - Pamela Peng

1 Answer


It is not possible to retrieve all servicePrincipals from all the AD tenants, even though you use the common tenant, because your application will know the tenant information only when you log in. If user A from tenant A signs in, you can only get the users from tenant A. And if you are using the common endpoint, you cannot use the client credentials flow (get access without a user).

You could use this API to get the list of applications in this organization.

GET https://graph.microsoft.com/v1.0/servicePrincipals

If you want to retrieve this information programmatically without user login, you could obtain an access token using the client credentials flow. You need to add application permissions and grant admin consent for them first.

This URL (https://login.microsoftonline.com/common/adminconsent?client_id=<Application Id>) is used to grant permissions to an application, see here. So you could not call it programmatically without user login.

In a web browser, go to this URL, and sign in as a tenant administrator. The dialog box shows the list of permissions the application requires, as specified in the application registration portal. Choose OK to grant the application these permissions.
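The lookup the answer describes, written out as an added example (not code from the thread or from Microsoft): a client credentials token request against a tenant-specific authority (the answer's point that `common` cannot be used for this flow), then a `$filter=appId eq '...'` query on `servicePrincipals` selecting the `publisherName` and `verifiedPublisher` fields, reduced to the facts a SIEM consent alert would want. Everything runs offline against a constructed Graph response; the tenant, client and secret values are placeholders, the `lookup`/`summarize` helper names are mine, and as the answer says, a result only comes back when the app already has a service principal in the tenant you query, so the function returns `None` otherwise.

```python
"""Look up an app's verified-publisher status in one tenant via Graph.

Added example, not the original thread's code. Uses the OAuth 2.0 client
credentials flow (application permission such as Application.Read.All,
admin-consented) and GET /servicePrincipals?$filter=appId eq '<id>'.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Optional

GRAPH = "https://graph.microsoft.com/v1.0"
# Fields worth surfacing in a consent alert.
SELECT = "id,appId,displayName,publisherName,appOwnerOrganizationId,verifiedPublisher"


def token_request(tenant_id: str, client_id: str, client_secret: str):
    """Build the client credentials token request for one specific tenant.

    The flow needs a tenant-scoped authority; /common does not work here.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return url, body


def service_principal_url(app_id: str) -> str:
    """Graph query for the service principal with this appId.

    Single quotes inside an OData string literal are doubled, so an
    attacker-controlled app_id cannot break out of the filter expression.
    """
    literal = app_id.replace("'", "''")
    params = urllib.parse.urlencode(
        {"$filter": f"appId eq '{literal}'", "$select": SELECT},
        quote_via=urllib.parse.quote,
    )
    return f"{GRAPH}/servicePrincipals?{params}"


def summarize(response: dict) -> Optional[dict]:
    """Reduce a servicePrincipals collection response to publisher facts.

    Returns None when the app has no service principal in this tenant.
    """
    items = response.get("value", [])
    if not items:
        return None
    sp = items[0]
    vp = sp.get("verifiedPublisher") or {}
    return {
        "appId": sp.get("appId"),
        "displayName": sp.get("displayName"),
        "publisherName": sp.get("publisherName"),
        "ownerTenant": sp.get("appOwnerOrganizationId"),
        "verifiedPublisher": vp.get("displayName"),
        "verifiedPublisherId": vp.get("verifiedPublisherId"),
        # A publisher is verified only when Microsoft has stamped an id.
        "publisherVerified": bool(vp.get("verifiedPublisherId")),
    }


def http_json(url: str, data: Optional[bytes], headers: dict) -> dict:
    """Real transport: POST when data is given, otherwise GET; parse JSON."""
    req = urllib.request.Request(url, data=data, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def lookup(tenant_id: str, client_id: str, client_secret: str, app_id: str,
           transport: Callable[[str, Optional[bytes], dict], dict] = http_json):
    """Token, then Graph query, then summary; transport is injectable for tests."""
    url, body = token_request(tenant_id, client_id, client_secret)
    tok = transport(url, body, {"Content-Type": "application/x-www-form-urlencoded"})
    headers = {"Authorization": "Bearer " + tok["access_token"]}
    return summarize(transport(service_principal_url(app_id), None, headers))


# Constructed sample Graph response (shape of the real API, values invented;
# the verifiedPublisherId below is a placeholder, not Google's real id).
SAMPLE_RESPONSE = {"value": [{
    "id": "11111111-1111-1111-1111-111111111111",
    "appId": "2cee05de-2b8f-45a2-8289-2a06ca32c4c8",
    "displayName": "Gmail",
    "publisherName": "Google LLC",
    "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222",
    "verifiedPublisher": {"displayName": "Google LLC",
                          "verifiedPublisherId": "0000000",
                          "addedDateTime": "2020-01-01T00:00:00Z"},
}]}


def fake_transport(url: str, data: Optional[bytes], headers: dict) -> dict:
    """Offline stand-in: answers the token call, then the Graph call."""
    if url.endswith("/oauth2/v2.0/token"):
        return {"access_token": "fake-token", "token_type": "Bearer"}
    assert headers.get("Authorization") == "Bearer fake-token"
    return SAMPLE_RESPONSE if "2cee05de" in url else {"value": []}


if __name__ == "__main__":
    print(lookup("tenant-placeholder", "client-placeholder", "secret-placeholder",
                 "2cee05de-2b8f-45a2-8289-2a06ca32c4c8", transport=fake_transport))
```

Run this per tenant with that tenant's own id (and a registration or multi-tenant app that has been admin-consented there); swapping `fake_transport` for the default `http_json` makes the real calls. The `publisherVerified` flag is the field to key the consent alert on, and a `None` result is itself a signal: the app being consented to has no service principal in that tenant yet.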