Describe Azure/AzCli/GraphSPN here.

 * Get Graph roles
 {{{
az ad sp show --id 00000003-0000-0000-c000-000000000000 --query "appRoles[?starts_with(value, 'Mail.')].[value, id]" --output table
Column1 Column
 }}}
 * SPN vs App
 {{{
In the Microsoft identity platform, an application object describes an application. At deployment time, the Microsoft identity platform uses the application object as a blueprint to create a service principal, which represents a concrete instance of an application within a directory or tenant. The service principal defines what the app can actually do in a specific target directory, who can use it, what resources it has access to, and so on. The Microsoft identity platform creates a service principal from an application object through consent.
 }}}
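Added example, not part of the original page: since the service principal is what actually holds permissions in a tenant, this sketch joins the Graph role list from the command above with app role assignments to report which principals hold `Mail.*` application roles. All sample JSON is constructed, the role ids and principal ids are placeholders rather than real Graph values, and the function names are hypothetical.

```python
import json

# Constructed sample, shaped like the output of:
#   az ad sp show --id 00000003-0000-0000-c000-000000000000 --query appRoles
# Role ids are placeholders, not the real Microsoft Graph role ids.
APP_ROLES_JSON = """[
  {"id": "11111111-1111-1111-1111-111111111111", "value": "Mail.Read"},
  {"id": "22222222-2222-2222-2222-222222222222", "value": "Mail.Send"},
  {"id": "33333333-3333-3333-3333-333333333333", "value": "User.Read.All"}
]"""

# Constructed sample, shaped like Graph appRoleAssignment objects, e.g. from
#   az rest --method get --url \
#     "https://graph.microsoft.com/v1.0/servicePrincipals/<graph-sp-object-id>/appRoleAssignedTo"
# (<graph-sp-object-id> is a placeholder for the tenant's Graph service principal object id).
ASSIGNMENTS_JSON = """{"value": [
  {"appRoleId": "11111111-1111-1111-1111-111111111111", "principalId": "aaaaaaaa-0000-0000-0000-000000000001", "principalDisplayName": "hr-mail-sync"},
  {"appRoleId": "22222222-2222-2222-2222-222222222222", "principalId": "aaaaaaaa-0000-0000-0000-000000000001", "principalDisplayName": "hr-mail-sync"},
  {"appRoleId": "33333333-3333-3333-3333-333333333333", "principalId": "bbbbbbbb-0000-0000-0000-000000000002", "principalDisplayName": "reporting-job"},
  {"appRoleId": "22222222-2222-2222-2222-222222222222", "principalId": "cccccccc-0000-0000-0000-000000000003", "principalDisplayName": "legacy-notifier"}
]}"""


def roles_by_id(app_roles, prefix):
    """Map role id -> role name for roles whose value starts with prefix."""
    return {r["id"]: r["value"] for r in app_roles
            if (r.get("value") or "").startswith(prefix)}


def principals_with_roles(app_roles, assignments, prefix="Mail."):
    """Group matching role names by the principal that was granted them."""
    wanted = roles_by_id(app_roles, prefix)
    found = {}
    for a in assignments:
        role = wanted.get(a.get("appRoleId"))
        if role is None:          # assignment is for a role outside the prefix
            continue
        entry = found.setdefault(a["principalId"],
                                 {"name": a.get("principalDisplayName"), "roles": []})
        if role not in entry["roles"]:
            entry["roles"].append(role)
    for entry in found.values():
        entry["roles"].sort()
    return found


def audit():
    return principals_with_roles(json.loads(APP_ROLES_JSON),
                                 json.loads(ASSIGNMENTS_JSON)["value"])


if __name__ == "__main__":
    for pid, entry in sorted(audit().items()):
        print(f"{entry['name']} ({pid}): {', '.join(entry['roles'])}")
```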