How do you get application data for non-local multi-tenant applications via Microsoft Graph REST API?


I am working on a feature to monitor 3rd party applications installed in Office 365 environments. In the Graph API I found a REST call to get the service principals on a tenant. I have also found articles and documentation detailing the relationship between service principals and applications in Azure AD. Therefore, I understand that a multi-tenant application will only have the application object on the host tenant for that application while each tenant running that application will have a separate service principal object for that application. See link below:

Application and service principal objects in Azure Active Directory (Azure AD)

However, when I try to use the Get Application REST call, passing in the appId found inside the service principal, I am only able to get results for applications that are hosted on the local tenant and not those provided by the Azure or AppSource markets. I am using this call:

Get application

When I try, I get a Request_ResourceNotFound error code.

{
    "error": {
        "code": "Request_ResourceNotFound",
        "message": "Resource 'd3cef409-c681-492f-88c3-365b46bc00c5' does not exist or one of its queried reference-property objects are not present.",
        "innerError": {
            "request-id": "1d6f2479-8b9b-4e96-8623-6fa10ed2a3e2",
            "date": "2018-01-04T00:09:36"
        }
    }
}

I even tried going around the Graph API to the Azure AD API where you can specify the tenant id, but had a similar result. This is the Azure API I tried:

Applications - Get

I suspect there is a way to make one or both of these APIs work to get the applications hosted by other tenants, but the documentation on both is fairly brief and I haven't been able to figure it out.

From what I can tell, most of the documentation around using the Graph API, or mention of service principals and applications, is designed for people who are trying to get their own applications to show up in the UI for their tenant, and not for a tool that is designed to monitor other applications like I am trying to do.

Finally, I should mention that my ultimate goal is to gather as much metadata as I can about the applications, above and beyond that which is readily available in the application object, which appears to only contain a logo and some additional scopes etc. that are not found in the service principal. Ultimately I am looking for a way to connect the dots with the 3rd party application entries in the markets that have much richer information. So far I've been frustrated there too, because they don't seem to share any reliably unique identifiers with the service principal or application objects that would allow me to connect the dots. Making the connection on application name alone seems like a non-starter, especially as it appears the application name can be changed within the UI (for some reason) and affects the name in the service principal.

However, for those applications that may not be published in the official markets the Get Application API may be the best I can do.

Any help would be greatly appreciated. Thank you!


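An added example, not code from the question or from Microsoft, showing how a monitoring tool can separate locally registered apps from third-party multi-tenant apps before calling Get application, using the service principal's appOwnerOrganizationId (the tenant where the application object is registered) instead of probing /applications and catching Request_ResourceNotFound. The tenant ids, app names and the Graph response page are constructed placeholders, and the local lookup is a stand-in for a real request.

```python
"""Classify the service principals in a tenant by where their application
object lives. Added example; tenant ids, names and the sample Graph page are
constructed, not real data."""
from typing import Callable, List, Optional

# Constructed: this tenant's id and one page of GET /servicePrincipals results.
HOME_TENANT = "00000000-0000-0000-0000-00000000aaaa"
SERVICE_PRINCIPALS_PAGE = {
    "value": [
        {"appId": "11111111-1111-1111-1111-111111111111", "displayName": "Internal Payroll Sync",
         "appOwnerOrganizationId": HOME_TENANT, "publisherName": "Contoso IT"},
        {"appId": "22222222-2222-2222-2222-222222222222", "displayName": "Example CRM Connector",
         "appOwnerOrganizationId": "00000000-0000-0000-0000-00000000bbbb",
         "publisherName": "Example Vendor"},
        {"appId": "33333333-3333-3333-3333-333333333333", "displayName": "Legacy Mail Tool",
         "appOwnerOrganizationId": None, "publisherName": None},
    ]
}
# Constructed stand-in for GET /applications?$filter=appId eq '{appId}' against
# the home tenant: only apps registered here are present. A real client would
# send that request with a bearer token and return None on a 404.
LOCAL_APPLICATIONS = {
    "11111111-1111-1111-1111-111111111111": {
        "appId": "11111111-1111-1111-1111-111111111111",
        "displayName": "Internal Payroll Sync", "signInAudience": "AzureADMyOrg"},
}

def lookup_local_application(app_id: str) -> Optional[dict]:
    """Simulated local application lookup (see LOCAL_APPLICATIONS above)."""
    return LOCAL_APPLICATIONS.get(app_id)

def inventory(tenant_id: str, page: dict,
              lookup: Callable[[str], Optional[dict]]) -> List[dict]:
    """One record per service principal: origin of its application object,
    the local application object when it exists, and the metadata that is
    still available from the service principal when it does not."""
    records = []
    for sp in page.get("value", []):
        owner = sp.get("appOwnerOrganizationId")
        if owner == tenant_id:
            origin = "local"       # Get application will resolve here
        elif owner is None:
            origin = "unknown"     # no owner tenant recorded; treat as third party
        else:
            origin = "external"    # multi-tenant app registered in another tenant
        # Only a local origin is worth a lookup; the others would return
        # Request_ResourceNotFound, so keep the service principal's own fields.
        app = lookup(sp["appId"]) if origin == "local" else None
        records.append({"appId": sp["appId"], "displayName": sp.get("displayName"),
                        "origin": origin, "publisherName": sp.get("publisherName"),
                        "application_object": app})
    return records
```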