Set Entra Application Tags with PowerShell

Hi All,
A few weeks ago, I wrote a PowerShell script and an Azure Runbook to report expiring client secrets and certificates. With the Runbook, the owners would even receive an email before the expiry date.
Depending on the permissions of the application, being an owner could add a path for privilege escalation (an application owner can add credentials to the app and then sign in as it). So I was looking for another way of storing the information about who is responsible for the app.
Tags
If you look at the manifest of an app, there is a string array property called Tags.


PowerShell
Let’s use the Microsoft.Graph PowerShell modules.
Connect-MgGraph -Scopes Application.ReadWrite.All -NoWelcome
Get-MgApplication -ApplicationId "75bd99a9-7dc6-4f9f-9008-4752ee70d068" | fl #EXOExportImport


List all Entra applications that have tags
#List all Entra Applications with Tags
$EntraApps = Get-MgApplication -All
Foreach ($App in $EntraApps)
{
    # Tags is a string array; an app without tags has an empty array, so check the count
    $Tags = $App.Tags
    If ($Tags.Count -gt 0)
    {
        $AppDisplayName = $App.DisplayName
        $AppID = $App.Id
        Write-Host "AppId: $AppID DisplayName: $AppDisplayName Tags: $($Tags -join ', ')"
    }
}


In other tenants I see applications from Power Virtual Agents


or Copilot Studio that already have tags.


Let’s use Update-MgApplication to add information to the Tags attribute and keep the current information. Note that Update-MgApplication replaces the whole array, so any tag you want to keep has to be supplied again.
#"power-virtual-agents-583659b7-0c01-0d8d-8d23-ae3bf6f2afa8"
$Tags = "power-virtual-agents-4c8fc720-106a-43b4-b069-128de3e32969"
Update-MgApplication -ApplicationId "75bd99a9-7dc6-4f9f-9008-4752ee70d068" -Tags $Tags
Get-MgApplication -ApplicationId "75bd99a9-7dc6-4f9f-9008-4752ee70d068" | fl Tags


#Add Array - the existing tag is re-supplied together with the new Owner= tag
$Tags = "power-virtual-agents-4c8fc720-106a-43b4-b069-128de3e32969"
$tagsarray = @()
$tagsarray += $Tags
$tagsarray += "Owner=a.bohren@icewolf.ch"
Update-MgApplication -ApplicationId "75bd99a9-7dc6-4f9f-9008-4752ee70d068" -Tags $tagsarray
Get-MgApplication -ApplicationId "75bd99a9-7dc6-4f9f-9008-4752ee70d068" | fl Tags
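Because Update-MgApplication overwrites the array, it is easy to lose tags that another product (Power Virtual Agents, Copilot Studio) relies on. The following function is an added example, not code from the original post: it reads the current tags, drops only a previous Owner= entry so that repeated runs are idempotent, verifies that the owner actually exists in the tenant before writing, and re-supplies everything else. The function name, its parameters and the Owner=<UPN> convention are my own assumptions; it needs the Application.ReadWrite.All and User.Read.All scopes.

```powershell
# Added example (not from the original post): merge an Owner= tag into an
# application's existing Tags instead of overwriting them.
function Set-EntraAppOwnerTag {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$ApplicationId,   # object id of the application
        [Parameter(Mandatory)] [string]$OwnerUpn         # user principal name of the owner
    )

    # Refuse to tag with an owner that does not exist in the tenant
    $user = Get-MgUser -UserId $OwnerUpn -Property Id,UserPrincipalName -ErrorAction Stop

    $app = Get-MgApplication -ApplicationId $ApplicationId -Property Id,DisplayName,Tags -ErrorAction Stop

    # Keep every existing tag except a previous Owner= entry, so the call is idempotent
    $keep = @($app.Tags | Where-Object { $_ -notlike 'Owner=*' })
    $newTags = $keep + "Owner=$($user.UserPrincipalName)"

    if ($PSCmdlet.ShouldProcess($app.DisplayName, "Set tags to: $($newTags -join ', ')")) {
        # Update-MgApplication replaces the whole array, which is why $keep is re-supplied
        Update-MgApplication -ApplicationId $ApplicationId -Tags $newTags -ErrorAction Stop
        (Get-MgApplication -ApplicationId $ApplicationId -Property Tags).Tags
    }
}

# Usage after Connect-MgGraph -Scopes Application.ReadWrite.All,User.Read.All
# Set-EntraAppOwnerTag -ApplicationId "75bd99a9-7dc6-4f9f-9008-4752ee70d068" -OwnerUpn "a.bohren@icewolf.ch" -WhatIf
```

Run it with -WhatIf first to see the resulting tag array without writing; the existing Power Virtual Agents tag stays in place and a second run with a different owner replaces only the Owner= entry.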


In the documentation of Update-MgApplication it’s written that the Tags property is not nullable.


Let’s check that: none of the code below works.
#Empty String
Update-MgApplication -ApplicationId "75bd99a9-7dc6-4f9f-9008-4752ee70d068" -Tags ""
Get-MgApplication -ApplicationId "75bd99a9-7dc6-4f9f-9008-4752ee70d068" | fl Tags
#Null
Update-MgApplication -ApplicationId "75bd99a9-7dc6-4f9f-9008-4752ee70d068" -Tags $Null
Get-MgApplication -ApplicationId "75bd99a9-7dc6-4f9f-9008-4752ee70d068" | fl Tags
#Empty Array
$EmptyArray = @()
Update-MgApplication -ApplicationId "75bd99a9-7dc6-4f9f-9008-4752ee70d068" -Tags $EmptyArray
Get-MgApplication -ApplicationId "75bd99a9-7dc6-4f9f-9008-4752ee70d068" | fl Tags
#Empty Square Brackets
Update-MgApplication -ApplicationId "75bd99a9-7dc6-4f9f-9008-4752ee70d068" -Tags "[]"
Get-MgApplication -ApplicationId "75bd99a9-7dc6-4f9f-9008-4752ee70d068" | fl Tags


Let’s use the Graph API with Invoke-MgGraphRequest instead; that works.
Graph API Update application
#Native Graph API
$ContentType = "application/json"
$Body = @"
{
"Tags": []
}
"@
Invoke-MgGraphRequest -URI "https://graph.microsoft.com/v1.0/applications/75bd99a9-7dc6-4f9f-9008-4752ee70d068" -Method "PATCH" -Body $Body -ContentType $ContentType
Get-MgApplication -ApplicationId "75bd99a9-7dc6-4f9f-9008-4752ee70d068" | fl Tags


Summary
I’ve shown you how to set Tags on Entra applications. That’s the easy part. It’s more challenging to integrate this information with your joiner/leaver processes or with a CMDB or application inventory, and to keep the information up to date.
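As an added example for the inventory side of that (not part of the original post), the function below walks all applications, extracts the Owner= tag in the convention used above, and flags apps where the tag is missing or where the tagged user no longer exists or is disabled, which is what a leaver process leaves behind. The function name and the status values are my own; it assumes Application.Read.All and User.Read.All.

```powershell
# Added example (not from the original post): report the Owner= tag across all
# applications and flag orphaned ones.
function Get-EntraAppOwnerReport {
    [CmdletBinding()]
    param()

    $apps = Get-MgApplication -All -Property Id,AppId,DisplayName,Tags
    foreach ($app in $apps) {
        # First Owner= tag, if any (the convention from this post)
        $ownerTag = @($app.Tags | Where-Object { $_ -like 'Owner=*' }) | Select-Object -First 1
        $ownerUpn = if ($ownerTag) { $ownerTag.Substring('Owner='.Length) } else { $null }

        $status = 'Missing'
        if ($ownerUpn) {
            # Check whether the tagged owner still exists and is enabled
            try {
                $u = Get-MgUser -UserId $ownerUpn -Property Id,AccountEnabled -ErrorAction Stop
                $status = if ($u.AccountEnabled) { 'OK' } else { 'Disabled' }
            } catch {
                $status = 'NotFound'
            }
        }

        [pscustomobject]@{
            DisplayName = $app.DisplayName
            AppId       = $app.AppId
            ObjectId    = $app.Id
            Owner       = $ownerUpn
            OwnerStatus = $status
        }
    }
}

# Usage: everything that needs attention
# Get-EntraAppOwnerReport | Where-Object OwnerStatus -ne 'OK' | Format-Table -AutoSize
```

Pipe the full output to Export-Csv if you want to feed it into a CMDB; the OwnerStatus column is the check to schedule regularly, since a valid tag today says nothing about whether the owner still works for you next quarter.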
Regards
Andres Bohren

