https- graph.microsoft.com v1.0 applications
Local National Weather Sports Traffic Watch Now
63  WX Alerts

Https- Graph.microsoft.com V1.0 Applications Apr 2026

| Limit | Value | |-------|-------| | Requests per 10 seconds per app | 2,000 | | Requests per 10 seconds per tenant | 5,000 | | Max $top | 999 |

$cert = New-SelfSignedCertificate -Subject "CN=Automation" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec KeyExchange -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256 $base64Cert = [System.Convert]::ToBase64String($cert.RawData) https- graph.microsoft.com v1.0 applications

But the endpoint supports , $filter , $select , and $top — which most people underutilize. Useful query patterns # Get an app by its client ID (not GUID id) GET /applications?$filter=appId eq '11111111-2222-3333-4444-555555555555' Get apps with secrets expiring in the next 30 days GET /applications?$expand=passwordCredentials&$filter=passwordCredentials/any(p:p/endDateTime le 2025-05-17T00:00:00Z) Only fetch specific fields (reduces latency) GET /applications?$select=displayName,appId,web,identifierUris 3. Hidden & Undocumented Behaviors api and web are mutually exclusive You cannot have a public client app ( web redirect URIs) that also exposes an API ( api scopes) in the same object—without causing odd validation failures. If you need both, split into two app registrations. signInAudience controls the universe Many developers leave this as "AzureADMyOrg" (single-tenant). But if you ever want to allow personal Microsoft accounts or other Azure AD tenants, change it to AzureADMultipleOrgs or AzureADandPersonalMicrosoftAccount . | Limit | Value | |-------|-------| | Requests

Query for apps with unused delegated permissions: If you need both, split into two app registrations

POST /$batch

Have you hit any weird edge cases with /applications ? Found an undocumented field? Let me know—I'm collecting them for a follow-up post.