How to find an AppReg name without access to Azure Active Directory

Why isn’t the Service Connection name the same as the AppRegistration name in Azure Active Directory?

I came across this by chance in the Azure DevOps portal.


My intro

In a YAML pipeline we use a Service Connection, called a Service Principal or AppRegistration in the Azure AD environment.
Through this Service Connection we can access multiple resources in Azure.

In our test environment I created an Azure Storage Container in which I wanted to add files via the Service Connection and the Microsoft Graph API.

To upload files to an Azure Container you need an extra permission on the Container itself called ‘Storage Blob Data Contributor’.
You can only add Service Principals in Azure by typing the full name (and not with the AppId).
Because I only have the Service Connection name in the Azure DevOps portal, I assumed it would be the same name, but unfortunately that wasn’t the case.


You can click the link in the DevOps portal, but when your IT team has enabled the Restrict access to Azure AD administration portal option you can no longer see Objects in the Azure Active Directory because you get an error.

You do not have access

Your administrator has disabled the App registrations experience in the Azure portal. You can still register or manage applications using PowerShell or another client such as Visual Studio.

See the screenshot below for the option that causes this problem for you.


The information bubble shows the following information:

‘No’ lets a non-administrator use this Azure AD administration portal experience to access Azure AD resources that the user has permission to read, or manage resources they own. ‘Yes’ hides Azure AD data in the administration portal from non-administrators, but does not restrict such access using PowerShell or another client such as Visual Studio. Hiding Azure AD capabilities can help prevent users from misconfiguring the resources they own and does not provide any extra protection from a security standpoint.

This means that the information can be obtained, but has been made invisible in the Azure portal.

When we look at the link URL itself, we see the app registration ID (AppId) in it.

  • My URL is: https://portal.azure.com/3047d88e-63ee-4341-83a3-3086c6230826/#blade/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/Overview/appId/e98b0879-1716-4c1d-8e0e-ab970e3be1b2/isMSAApp/
  • So my AppId is: e98b0879-1716-4c1d-8e0e-ab970e3be1b2

That’s great, because now we have an ID that we can search for in Azure Active Directory.

We can do this with the browser or PowerShell.

Not everyone wants or knows how to use PowerShell yet, so I’ll show you the browser way first. The next section contains the PowerShell option.


Show me how to find an app registration in the portal

When we go to the Azure Portal and open the Azure Active Directory App there, we can search for Objects in the portal. It will still tell you that you do not have access, but you can use the search option in the Azure AD app to find objects.


And now I can add the service principal to Azure resources by name.


Show me how to find an app registration via PowerShell

Start PowerShell and import the AzureAD module.

You can log in via Connect-AzureAD with your normal user account and request the rest of the information via the cmdlet below.

Get-AzureADApplication -Filter "AppId eq 'YOUR ID HERE'"

AppId                                DisplayName
-----                                -----------
e98b0879-1716-4c1d-8e0e-ab970e3be1b2 BasWijdenesAppRegistration
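
As an added example (not code from the original post), the URL step and the lookup can be combined: the script below pulls the tenant ID and AppId out of the portal link and resolves them to display names. The function names are hypothetical, and it assumes the AzureAD module is installed and the link has the form shown earlier. It also queries the service principal, because that is the object a role assignment targets.

```powershell
# Added example; the function names are hypothetical, not part of the AzureAD module.
function Get-AppIdFromPortalUrl {
    param([Parameter(Mandatory)][string]$Url)

    $guid = '[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}'
    # Assumes the link form shown above: tenant ID first, AppId after "/appId/".
    $pattern = '^https://portal\.azure\.com/(?<tenant>{0})/.*?/appId/(?<app>{0})(?:/|$)' -f $guid
    if ($Url -match $pattern) {
        # Casting to [guid] guarantees only a well-formed GUID is used later.
        return [pscustomobject]@{
            TenantId = [guid]$Matches['tenant']
            AppId    = [guid]$Matches['app']
        }
    }
    throw "No tenant ID and AppId found in: $Url"
}

function Resolve-AppRegistrationName {
    param([Parameter(Mandatory)][string]$PortalUrl)

    $ids    = Get-AppIdFromPortalUrl -Url $PortalUrl
    $filter = "AppId eq '$($ids.AppId)'"

    # The app registration exists only in its home tenant; the service
    # principal is the per-tenant object that receives role assignments.
    $app = Get-AzureADApplication -Filter $filter
    $sp  = Get-AzureADServicePrincipal -Filter $filter

    [pscustomobject]@{
        AppId                    = $ids.AppId
        AppRegistrationName      = $app.DisplayName
        ServicePrincipalName     = $sp.DisplayName
        ServicePrincipalObjectId = $sp.ObjectId
    }
}

Import-Module AzureAD
# Paste the link copied from the service connection page in Azure DevOps.
$url = 'https://portal.azure.com/3047d88e-63ee-4341-83a3-3086c6230826/#blade/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/Overview/appId/e98b0879-1716-4c1d-8e0e-ab970e3be1b2/isMSAApp/'
Connect-AzureAD -TenantId (Get-AppIdFromPortalUrl -Url $url).TenantId | Out-Null
Resolve-AppRegistrationName -PortalUrl $url
```

If AppRegistrationName comes back empty while ServicePrincipalName is filled, the app is registered in another tenant and only its service principal exists in yours.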

I do not know the DisplayName or AppId, but can I still see the Service Principals in AzureAD?

Let’s say you do not have the DisplayName or AppId, but you would probably recognize the app registration you need when you see its DisplayName.

  • Open PowerShell and Import or install the AzureAD module
  • Login with Connect-AzureAD and your normal user account
  • You can then simply use the cmdlet below and search for the app in the list

Get-AzureADApplication -All $true

AppId                                DisplayName
-----                                -----------
28c1d9d8-a399-4a48-9286-8f619a476a47 Salesforce
33e794e6-0ff1-44f2-aa87-259a6fd7c8bf Box
e98b0879-1716-4c1d-8e0e-ab970e3be1b2 BasWijdenesAppRegistration

Via the DisplayName you can see whether your app is listed or whether a name resembles it.

Published by

Bas Wijdenes

My name is Bas Wijdenes and I work as a PowerShell DevOps Engineer. In my spare time I write about interesting stuff that I encounter during my work.
