App Discovery

The discover command helps you find Azure AD app registrations and create profiles directly from them. This streamlines the setup process by automatically detecting your apps and their API permissions.


Quick Reference

| Task | Command |
|------|---------|
| Discover apps in tenant | entra-auth-cli discover |
| Search with pattern | entra-auth-cli discover -s "MyApp*" |
| Specify tenant | entra-auth-cli discover -t tenant-id |

Overview

Instead of manually entering Client IDs and configuring scopes, the discover command:

  1. Searches your tenant for app registrations
  2. Displays apps with creation dates and existing profile status
  3. Fetches API permissions configured on the selected app
  4. Creates a profile with the correct scope automatically

Discovering Apps

Basic Discovery

  entra-auth-cli discover
  

If you have existing profiles, you’ll be prompted to select a tenant or enter one manually.

Search with Patterns

Use wildcard patterns to find specific apps:

  # Apps starting with "MyApp"
  entra-auth-cli discover -s "MyApp*"

  # Apps containing "API"
  entra-auth-cli discover -s "*API*"

  # Apps ending with "Service"
  entra-auth-cli discover -s "*Service"

  # Specific tenant with search
  entra-auth-cli discover -t contoso.onmicrosoft.com -s "Prod*"
  



Understanding the Results

Results Display

When apps are found, they’re displayed in a table with:

| Column | Description |
|--------|-------------|
| Display Name | The app registration name |
| Client ID | Application (client) ID |
| Publisher Domain | Verified domain |
| Created | When the app was registered |


Visual Indicators

The discovery interface uses colors to help you identify apps:

  • Cyan: App registrations available for profile creation
  • Orange: Apps that already have an associated profile



Filtering Results

Interactive Filtering

After the initial search, you can filter the results further:

  Filter by name (leave empty to show all): API
  Found 5 of 23 applications
  (↑↓ navigate, type to search, orange = existing profile)

  > ← Refine filter
    MyApp-API (2024-Jan-15)
    Production-API (2024-Mar-20)
    Test-API (2024-Jun-08)
    Dev-API (2024-Sep-12)
    Staging-API (2024-Nov-30)
  

Filter Features

  • Type to filter: Enter text to narrow down by name or client ID
  • Refine filter: Select “← Refine filter” to change your search
  • Preserved filter: Your filter text is remembered when refining
  • Pre-populated: The -s search pattern pre-fills the filter



Creating a Profile from Discovery

Step 1: Select an App

After filtering, select the app you want to create a profile for:

  Select an application:
  > MyApp-API (2024-Jan-15)
    Production-API (2024-Mar-20)
  

Step 2: Name Your Profile

  Profile name: myapp-api
  

The app’s display name (with spaces removed) is suggested as the default.

Step 3: Select Target API

The tool automatically fetches API permissions configured on the app and presents them:

  Fetching API permissions...

  Select the API resource to use:
  > https://graph.microsoft.com/.default (MS Graph API)
    https://management.azure.com/.default (Azure Management)
    api://my-custom-api/.default (My Custom Backend)
    Enter custom scope
  

Scope Labels:

  • MS Graph API - Microsoft Graph
  • Azure Management - Azure Resource Manager
  • App Name - Custom app registrations show their display name


Step 4: Choose Authentication Method

  Authentication method:
  > ClientSecret
    Certificate
    PasswordlessCertificate
  

Step 5: Configure Secret or Certificate

If you selected ClientSecret, you’ll see the new create/enter option:

  Client secret:
  > Create new
    Enter existing
  

See Client Secret Creation for details on creating secrets directly in Azure.


Step 6: Profile Created

  ✓ Profile 'myapp-api' created successfully!
  

API Permissions Discovery

How It Works

When you select an app, the tool:

  1. Queries the app’s requiredResourceAccess property
  2. Resolves each resource app ID to a friendly name
  3. Presents the scopes as selectable options

Supported Resources

The tool recognizes these well-known Microsoft resources:

| Resource | Label Shown |
|----------|-------------|
| Microsoft Graph | MS Graph API |
| Azure AD Graph (Legacy) | Azure AD Graph (Legacy) |
| Azure Service Management | Azure Management |
| Dynamics CRM | Dynamics CRM |
| Power BI | Power BI |
| SharePoint | SharePoint |
| Exchange Online | Exchange Online |

Custom app registrations show their display name from Azure AD.
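
The three steps under How It Works, as an added Python example that is not the tool's own code: it resolves a requiredResourceAccess property into labelled .default scope options and counts delegated (Scope) versus application (Role) permissions per resource, which is worth checking before picking a .default scope. The sample app, the DIRECTORY lookup and the function names are constructed for illustration; only the two resources whose scope URIs appear on this page are mapped.

```python
import json

# Well-known resource app IDs -> (label from the table above, resource URI).
WELL_KNOWN = {
    "00000003-0000-0000-c000-000000000000": ("MS Graph API", "https://graph.microsoft.com"),
    "797f4846-ba00-4fd7-ba43-dac1f8f63013": ("Azure Management", "https://management.azure.com"),
}

# Constructed stand-in for the directory lookup of custom resource apps.
DIRECTORY = {
    "11111111-2222-3333-4444-555555555555": ("My Custom Backend", "api://my-custom-api"),
}

# Constructed app registration; permission ids are placeholders.
SAMPLE_APP = json.loads("""
{"displayName": "MyApp-API", "requiredResourceAccess": [
  {"resourceAppId": "00000003-0000-0000-c000-000000000000", "resourceAccess": [
    {"id": "aaaaaaaa-0000-0000-0000-000000000001", "type": "Scope"},
    {"id": "aaaaaaaa-0000-0000-0000-000000000002", "type": "Role"}]},
  {"resourceAppId": "797F4846-BA00-4FD7-BA43-DAC1F8F63013", "resourceAccess": [
    {"id": "aaaaaaaa-0000-0000-0000-000000000003", "type": "Scope"}]},
  {"resourceAppId": "11111111-2222-3333-4444-555555555555", "resourceAccess": [
    {"id": "aaaaaaaa-0000-0000-0000-000000000004", "type": "Role"}]},
  {"resourceAppId": "99999999-9999-9999-9999-999999999999", "resourceAccess": []}
]}
""")

def resolve_scopes(app, directory=DIRECTORY):
    """Turn requiredResourceAccess into labelled .default scope options."""
    options = []
    for entry in app.get("requiredResourceAccess") or []:
        rid = entry["resourceAppId"].lower()  # compare GUIDs case-insensitively
        label, uri = WELL_KNOWN.get(rid) or directory.get(rid) or ("Unresolved " + rid, None)
        types = [a.get("type") for a in entry.get("resourceAccess") or []]
        options.append({
            "label": label,
            "scope": f"{uri}/.default" if uri else None,  # None: enter a custom scope
            "delegated": types.count("Scope"),    # delegated permissions
            "application": types.count("Role"),   # app-only, admin consent required
        })
    return options

def app_only_resources(options):
    """Labels of resources where the app requests application (Role) permissions."""
    return [o["label"] for o in options if o["application"]]

if __name__ == "__main__":
    opts = resolve_scopes(SAMPLE_APP)
    for opt in opts:
        print(opt)
    print("Review app-only permissions on:", app_only_resources(opts))
```
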

No Permissions Configured

If the app has no API permissions configured:

  No API permissions configured on this app.
  Enter scope: https://graph.microsoft.com/.default
  

You can manually enter the scope you need.


Required Permissions

To use the discovery feature, your account needs:

| Permission | Purpose |
|------------|---------|
| Application.Read.All | Search and list app registrations |
| Directory.Read.All | Resolve app names and service principals |

The tool authenticates using interactive browser login with Microsoft Graph PowerShell’s public client.

On first use, you’ll be prompted to sign in and consent:

  Opening browser for authentication...
  

After consent, your authentication is cached for subsequent operations.


Common Workflows

Workflow 1: Quick Profile Setup

Find and configure a new app in one command flow:

  # Start discovery
  entra-auth-cli discover -s "MyNewApp*"

  # Follow prompts:
  # 1. Select app from filtered list
  # 2. Accept or modify profile name
  # 3. Select API from detected permissions
  # 4. Choose authentication method
  # 5. Create or enter secret
  # Done!
  

Workflow 2: Multi-Environment Setup

Create profiles for dev, staging, and production apps:

  # Dev
  entra-auth-cli discover -s "*-dev"
  # Create profile: myapp-dev

  # Staging
  entra-auth-cli discover -s "*-staging"
  # Create profile: myapp-staging

  # Production
  entra-auth-cli discover -s "*-prod"
  # Create profile: myapp-prod
  

Workflow 3: Team Onboarding

Help new team members discover available apps:

  # Show all team apps
  entra-auth-cli discover -t team-tenant-id -s "TeamProject*"

  # Filter interactively to find their specific app
  # Create profile with guided prompts
  

Troubleshooting

“No applications found”

Cause: No apps match your search pattern

Solutions:

  1. Broaden your search pattern (use *)
  2. Check you’re in the correct tenant
  3. Verify you have read access to app registrations

“Missing required permissions”

Cause: Your account lacks Application.Read.All

Solutions:

  1. Accept the consent prompt when it appears
  2. Contact your Azure AD administrator for permission
  3. Use config create as an alternative (manual entry)

“Application not found” when creating secret

Cause: The app exists but you can’t read its details

Solutions:

  1. Verify you have at least Reader access to the app
  2. Check the app hasn’t been deleted
  3. Try entering the secret manually instead

Best Practices

✅ Use Descriptive Searches

  # Good - specific pattern
  entra-auth-cli discover -s "ProjectName-*"

  # Avoid - too broad
  entra-auth-cli discover -s "*"
  

✅ Check for Existing Profiles

Orange-highlighted apps already have profiles. Consider:

  • Using the existing profile
  • Creating a new profile with a different name
  • Updating the existing profile instead

✅ Verify API Permissions

Before selecting a scope, verify it matches your needs:

  • Check the app registration in Azure Portal
  • Confirm the API permissions are granted (admin consent if needed)

✅ Name Profiles Consistently

Use the environment and purpose in profile names:

  project-api-dev
  project-api-staging
  project-api-prod
  

See Also