Skip to content

GraphApplication

Represents Entra ID applications collected from Microsoft Graph.

Labels: :GraphObject:GraphApplication

Properties:

  • id - Application object ID (primary key)
  • displayName - Application's display name
  • appId - Application ID (client ID)
  • publisherDomain - Publisher domain
  • signInAudience - Sign-in audience configuration
  • identifierUris - Array of identifier URIs
  • redirectUris - Combined array of all redirect URIs (web + SPA + public client)
  • publicClientRedirectUris - Array of public client redirect URIs
  • spaRedirectUris - Array of single-page application redirect URIs
  • webRedirectUris - Array of web application redirect URIs
  • implicitAccessToken - Whether implicit grant flow access token issuance is enabled
  • implicitIdToken - Whether implicit grant flow ID token issuance is enabled

Relationships

Incoming

  • GraphObjectOWNSGraphApplication - Owners of the application
  • GraphObjectAPPROLEGraphApplication - Objects with app role assignments
  • ClientSecretAUTHENTICATESGraphApplication - Client secrets for authentication
  • CertificateAUTHENTICATESGraphApplication - Certificates for authentication

Outgoing

  • GraphApplicationHAS_APPROLEGraphAppRole - App roles defined by the application
  • GraphApplicationFEDERATED_CREDENTIALFederatedIdentityCredential - Federated identity credentials

Examples

// Find all multi-tenant applications
MATCH (app:GraphApplication)
WHERE app.signInAudience = "AzureADMultipleOrgs"
RETURN app.displayName, app.appId, app.publisherDomain

// Find applications and their owners
MATCH (owner:GraphObject)-[:OWNS]->(app:GraphApplication)
RETURN app.displayName, collect(owner.displayName) AS owners

// Find applications with federated credentials
MATCH (app:GraphApplication)-[:FEDERATED_CREDENTIAL]->(cred:FederatedIdentityCredential)
RETURN app.displayName, cred.issuer, cred.subject