discover
discover
Discover and search for Azure AD app registrations in your tenant, with the ability to create profiles directly from discovered apps.
Synopsis
entra-auth-cli discover [options]
Description
The discover command helps you find Azure AD app registrations in a tenant. You can search by wildcard patterns, filter results interactively, and create profiles directly from discovered apps with automatic API permission detection.
Flags
-t, --tenant
Tenant ID to search in. If not provided, you’ll be prompted to select from existing profile tenants or enter manually.
entra-auth-cli discover -t contoso.onmicrosoft.com
entra-auth-cli discover --tenant "12345678-1234-1234-1234-123456789012"
-s, --search
Search pattern with wildcard support. The pattern is also pre-populated in the interactive filter.
entra-auth-cli discover -s "MyApp*"
entra-auth-cli discover -s "*Test*"
entra-auth-cli discover -t contoso.onmicrosoft.com -s "Prod*"
Examples
Search for Apps
# Search all apps matching pattern
entra-auth-cli discover -s "MyApp*"
# Search in specific tenant
entra-auth-cli discover -t contoso.onmicrosoft.com -s "*API*"
# Find test apps
entra-auth-cli discover -s "*Test*"
# Contains pattern (matches anywhere in name)
entra-auth-cli discover -s "*Service*"
Interactive Discovery
# Start interactive discovery (prompts for tenant)
entra-auth-cli discover
# With pre-filtered results
entra-auth-cli discover -s "Production*"
Output
Results Table
When apps are found, they’re displayed in a formatted table:
┌────────────────────────────────────────────────────────────────────────────┐
│ 🔍 Found 5 application(s) │
├────────────────────┬──────────────────────────────────┬────────────────────┤
│ Display Name │ Client ID │ Created │
├────────────────────┼──────────────────────────────────┼────────────────────┤
│ MyApp-API │ 12345678-1234-1234-1234-123456.. │ 2024-Jan-15 │
│ MyApp-Web │ 87654321-4321-4321-4321-cba987.. │ 2024-Mar-20 │
│ MyApp-Service │ abcdef12-3456-7890-abcd-ef1234.. │ 2024-Jun-08 │
└────────────────────┴──────────────────────────────────┴────────────────────┘
Visual Indicators
- Cyan: Available for profile creation
- Orange: Already has an associated profile
Interactive Features
Filterable Search
After initial results, filter interactively:
Filter by name (leave empty to show all): API
Found 3 of 12 applications
(↑↓ navigate, type to search, orange = existing profile)
> ← Refine filter
MyApp-API (2024-Jan-15)
Production-API (2024-Mar-20)
Test-API (2024-Jun-08)
Profile Creation
Select an app to create a profile:
Would you like to create a profile from one of these? (y/n): y
Select an application:
> MyApp-API (2024-Jan-15)
Profile name: myapp-api
Fetching API permissions...
Target API:
> https://graph.microsoft.com/.default (MS Graph API)
api://my-backend/.default (My Backend Service)
Enter custom scope
Authentication method:
> ClientSecret
Client secret:
> Create new
Enter existing
API Permissions Discovery
The tool automatically detects configured API permissions:
| Resource Detected | Label Shown |
|---|---|
| Microsoft Graph | MS Graph API |
| Azure Management | Azure Management |
| Custom Apps | App display name |
Required Permissions
| Permission | Purpose |
|---|---|
Application.Read.All | Search and list app registrations |
Directory.Read.All | Resolve app names and service principals |
Application.ReadWrite.All | Create client secrets (optional) |
Exit Codes
| Code | Description |
|---|---|
| 0 | Success (apps found or profile created) |
| 1 | Error occurred |
| 2 | No apps found matching pattern |
See Also
- App Discovery Guide - Detailed usage guide
- Client Secret Creation - Creating secrets from CLI
- get-token - Generate access tokens
- config - Profile management commands