diff --git a/.gitignore b/.gitignore
index 4ca467f3b..5deccb198 100644
--- a/.gitignore
+++ b/.gitignore
@@ -170,6 +170,7 @@ ClientBin/
 *.dbmdl
 *.dbproj.schemaview
 *.pfx
+*.cer
 *.publishsettings
 node_modules/
 orleans.codegen.cs
diff --git a/src/Commands/Apps/AddAzureADServicePrincipalAppRole.cs b/src/Commands/Apps/AddAzureADServicePrincipalAppRole.cs
index 7980922c8..2ae1605a5 100644
--- a/src/Commands/Apps/AddAzureADServicePrincipalAppRole.cs
+++ b/src/Commands/Apps/AddAzureADServicePrincipalAppRole.cs
@@ -1,15 +1,17 @@
-using System.Management.Automation;
 using PnP.PowerShell.Commands.Attributes;
 using PnP.PowerShell.Commands.Base;
 using PnP.PowerShell.Commands.Base.PipeBinds;
 using PnP.PowerShell.Commands.Enums;
 using PnP.PowerShell.Commands.Model.AzureAD;
 using PnP.PowerShell.Commands.Utilities;
+using System.Management.Automation;
 
 namespace PnP.PowerShell.Commands.Apps
 {
     [Cmdlet(VerbsCommon.Add, "PnPAzureADServicePrincipalAppRole")]
-    [RequiredApiApplicationPermissions("graph/AppRoleAssignment.ReadWrite.All", "Application.Read.All")]
+    [RequiredApiDelegatedOrApplicationPermissions("graph/AppRoleAssignment.ReadWrite.All")]
+    [RequiredApiDelegatedOrApplicationPermissions("graph/Application.Read.All")]
+    [RequiredApiDelegatedOrApplicationPermissions("graph/Application.ReadWrite.All")]
     [Alias("Add-PnPEntraIDServicePrincipalAppRole")]
     public class AddAzureADServicePrincipalAppRole : PnPGraphCmdlet
     {
@@ -30,13 +32,13 @@ public class AddAzureADServicePrincipalAppRole : PnPGraphCmdlet
         public ServicePrincipalPipeBind Resource;
 
         [Parameter(Mandatory = true, ParameterSetName = ParameterSet_BYBUILTINTYPE)]
-        public ServicePrincipalBuiltInType BuiltInType;  
+        public ServicePrincipalBuiltInType BuiltInType;
 
         protected override void ExecuteCmdlet()
         {
             var principal = Principal.GetServicePrincipal(this, Connection, AccessToken);
 
-            if(principal == null)
+            if (principal == null)
             {
                 throw new PSArgumentException("Service principal not found", nameof(Principal));
             }
@@ -59,8 +61,8 @@ protected override void ExecuteCmdlet()
             {
                 appRole = AppRole.AppRole;
             }
-            
-            if(appRole == null)
+
+            if (appRole == null)
             {
                 throw new PSArgumentException("AppRole not found", nameof(AppRole));
             }
diff --git a/src/Commands/Apps/GetAzureADServicePrincipal.cs b/src/Commands/Apps/GetAzureADServicePrincipal.cs
index bc7671a14..fd92b3a7e 100644
--- a/src/Commands/Apps/GetAzureADServicePrincipal.cs
+++ b/src/Commands/Apps/GetAzureADServicePrincipal.cs
@@ -1,16 +1,17 @@
-using System;
-using System.Collections.Generic;
-using System.Management.Automation;
 using PnP.PowerShell.Commands.Attributes;
 using PnP.PowerShell.Commands.Base;
 using PnP.PowerShell.Commands.Enums;
 using PnP.PowerShell.Commands.Model.AzureAD;
 using PnP.PowerShell.Commands.Utilities;
+using System;
+using System.Collections.Generic;
+using System.Management.Automation;
 
 namespace PnP.PowerShell.Commands.Apps
 {
     [Cmdlet(VerbsCommon.Get, "PnPAzureADServicePrincipal", DefaultParameterSetName = ParameterSet_ALL)]
-    [RequiredApiApplicationPermissions("graph/Application.Read.All")]
+    [RequiredApiDelegatedOrApplicationPermissions("graph/Application.Read.All")]
+    [RequiredApiDelegatedOrApplicationPermissions("graph/Application.ReadWrite.All")]
     [OutputType(typeof(List<AzureADServicePrincipal>))]
     [Alias("Get-PnPEntraIDServicePrincipal")]
     public class GetAzureADServicePrincipal : PnPGraphCmdlet