Entra – You can now disable registered applications (preview)

This feature is currently in preview with its own support SLA and is not (yet?) available through the Entra ID portal.

As you know, to deliver SSO authentication Entra ID uses Enterprise Applications (either from the catalog, from application proxy, or registered ones).

Administrators or application owners can now safely pause access to a registered application, temporarily blocking sign-ins while keeping its metadata and currently active tokens, without having to delete the application.

When an application is deactivated, it immediately stops receiving new access tokens, but existing tokens remain valid until they expire.

This can be useful for security investigations or for temporarily suspending a suspicious application.

To deactivate or re-activate Entra ID applications, you need to use the Graph API, either with PowerShell (PowerShell Gallery | Microsoft.Graph) or Graph Explorer (Graph Explorer | Try Microsoft Graph APIs – Microsoft Graph).

You also need the below permissions:

  • either the Cloud Application Administrator or the Application Administrator role

or

  • the Application.ReadWrite.All (for delegated applications) or Application.ReadWrite.OwnedBy (for owned apps only) permission

You will need the registered application's object ID, from either the Entra ID portal or the Graph API (GET https://graph.microsoft.com/v1.0/applications)


Once you have the object ID of the application you want to deactivate, run the below against the Graph API

PATCH https://graph.microsoft.com/beta/applications/{registeredapplicationObjectId}

{
     "isDisabled": true
}


To re-activate the application, run the same request but with "isDisabled": false

You can also list applications in the disabled state (as this is not available through the portal) using the below

GET https://graph.microsoft.com/beta/applications?$filter=isDisabled eq true
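The same procedure end to end in PowerShell, as an added example that is not part of the original post: it resolves the registration's object ID from its display name, disables it, reads the state back to confirm the change, and lists every disabled registration. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account holds one of the roles or permissions listed above; the display name "Contoso Legacy API" is a placeholder. Remember that, as the post says, tokens already issued stay valid until they expire; this script does not revoke them.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph SDK module
# and an account with Application.ReadWrite.All (or the Application Administrator role).
Connect-MgGraph -Scopes "Application.ReadWrite.All" -NoWelcome

$displayName = "Contoso Legacy API"   # placeholder: the registration under investigation

# Resolve the registration's object ID (this is NOT the appId / client ID).
$app = Get-MgApplication -Filter "displayName eq '$displayName'"
if (-not $app) { throw "No application registration named '$displayName' was found." }
if ($app.Count -gt 1) { throw "Display name is ambiguous; pass the object ID explicitly." }
$objectId = $app.Id

# Disable it. The isDisabled property is only exposed on the beta endpoint.
Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/beta/applications/$objectId" `
    -Body @{ isDisabled = $true } `
    -ContentType "application/json"

# Read the state back so the investigation record shows the change actually took effect.
$state = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/applications/${objectId}?`$select=id,displayName,isDisabled"
"{0} ({1}) isDisabled={2}" -f $state.displayName, $state.id, $state.isDisabled

# List every registration currently disabled; the portal does not surface this.
$disabled = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/applications?`$filter=isDisabled eq true"
$disabled.value | ForEach-Object { "{0}  {1}" -f $_.id, $_.displayName }

# Re-activate once the investigation is over: same PATCH, isDisabled = false.
# Invoke-MgGraphRequest -Method PATCH `
#     -Uri "https://graph.microsoft.com/beta/applications/$objectId" `
#     -Body @{ isDisabled = $false } -ContentType "application/json"
```

Connecting with Application.ReadWrite.OwnedBy instead is enough when the account owns the registration; the PATCH is otherwise identical.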

When an application has been disabled, users who try to access it get the below error

Sorry, but we’re having trouble signing you in.

AADSTS7000112: Application ‘<removed – application id> (<removed – application display name>) is disabled.
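Because the error above is recorded in the Entra ID sign-in logs as error code 7000112, you can confirm that sign-ins to the disabled application are really being blocked (and see who is still trying) by querying the logs. The following is an added example, not from the original post; it assumes the Microsoft.Graph SDK and AuditLog.Read.All consent, and looks back 24 hours.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph SDK module
# and an account with AuditLog.Read.All. AADSTS7000112 is stored as status/errorCode 7000112.
Connect-MgGraph -Scopes "AuditLog.Read.All" -NoWelcome

$since = (Get-Date).ToUniversalTime().AddHours(-24).ToString("yyyy-MM-ddTHH:mm:ssZ")
$uri = "https://graph.microsoft.com/v1.0/auditLogs/signIns?`$filter=" +
       "status/errorCode eq 7000112 and createdDateTime ge $since"

# Follow @odata.nextLink so a busy tenant does not stop at the first page.
$hits = @()
$page = Invoke-MgGraphRequest -Method GET -Uri $uri
while ($page) {
    $hits += $page.value
    $next = $page.'@odata.nextLink'
    $page = if ($next) { Invoke-MgGraphRequest -Method GET -Uri $next } else { $null }
}

# One line per application (client ID) still receiving sign-in attempts while disabled.
$hits | Group-Object { $_.appId } | Sort-Object Count -Descending | ForEach-Object {
    "{0,-38} {1,5} blocked sign-ins" -f $_.Name, $_.Count
}
```

A steady stream of blocked attempts from one user or IP after the application was disabled is the signal worth following up in the investigation.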
