Have you hit any weird edge cases with /applications ? Found an undocumented field? Let me know—I'm collecting them for a follow-up post.
After creation, you need to create a service principal for that app to appear in "Enterprise applications": https- graph.microsoft.com v1.0 applications
1. Over-privileged app roles via appRoles You can define custom roles in the appRoles array. The danger: any admin can assign users to those roles without extra approval if the app has been consented. Audit appRoles regularly. 2. Leaking identifierUris If your app uses identifierUris (e.g., api://my-app ), that URI becomes a potential token target. An attacker who can register a conflicting URI in another tenant cannot take over your app—but they can cause token validation confusion if your app incorrectly validates the aud claim. 3. requiredResourceAccess creep Apps can request requiredResourceAccess —permissions they need. Over time, developers add scopes but never remove old ones. Attackers can use orphaned, high-privilege permissions if an app's secret is compromised. Have you hit any weird edge cases with /applications
$cert = New-SelfSignedCertificate -Subject "CN=Automation" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec KeyExchange -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256 $base64Cert = [System.Convert]::ToBase64String($cert.RawData) After creation, you need to create a service
In Microsoft Graph, an ( /applications ) is the global, multi-tenant definition of an app—its logo, requested permissions, redirect URIs, and certs/secrets.