Disable Entra app registration
Disables a tenant-registered Entra application by setting its isDisabled property via Microsoft Graph. The script also removes the application's owners, appends " (disabled)" to its display name and records when and by whom it was disabled in the application's notes.
Connect & set up
Run these once per session. Scopes are read-only unless the script makes changes; this script updates the application, so it requests Application.ReadWrite.All.
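# Application.ReadWrite.All needed to update app properties.
# The comment must sit on its own line (or after whitespace): a '#' glued to the
# end of the scope argument is part of the token in PowerShell, not a comment.
Connect-MgGraph -NoWelcome -Scopes Application.ReadWrite.All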
Run it
The main script. Copy it, or download the .ps1 and run it from your console.
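# Disable an Entra app registration: set isDisabled, mark the display name,
# leave an audit note, and then remove the app's owners.
# Requires the Application.ReadWrite.All scope on the current Graph session.
If (!(Get-MgContext).Account) {
    Write-Host "Connecting to Microsoft Graph..."
    # Application.ReadWrite.All needed to update app properties
    Connect-MgGraph -NoWelcome -Scopes Application.ReadWrite.All
}
# An already-open session may have been created with narrower scopes; check now
# rather than failing after part of the work is done.
If ((Get-MgContext).Scopes -notcontains "Application.ReadWrite.All") {
    Write-Host "The current Graph session does not include the Application.ReadWrite.All scope - reconnect with that scope and retry."
    Return
}

# 'Return' rather than 'Break' for early exits: 'Break' outside a loop unwinds
# through any calling script as well.
$Application = (Read-Host "Enter the name of the Entra application to deactivate").Trim()
If ($Application -eq "") {
    Write-Host "No application name provided - exiting"
    Return
}

# Use a Graph request to find the application because Get-MgApplication or
# Get-MgBetaApplication don't return the isDisabled property.
# When the Graph SDK is updated, we should be able to use:
# $ApplicationObject = Get-MgBetaApplication -Filter "displayName eq '$Application'"
#
# The name is operator input placed inside an OData string literal: double any
# single quote so the value cannot terminate the literal and alter the filter.
$EscapedName = $Application.Replace("'", "''")
$Uri = ("https://graph.microsoft.com/beta/applications?`$filter=displayName eq '{0}'" -f $EscapedName)
Try {
    # -ErrorAction Stop makes sure a failed request reaches the Catch block.
    $Data = Invoke-MgGraphRequest -Uri $Uri -Method Get -OutputType PsObject -ErrorAction Stop
} Catch {
    Write-Host "Failed to query Microsoft Graph for the application. Error details:"
    Write-Host $_.Exception.Message
    Return
}

[array]$Candidates = $Data.Value
If ($Candidates.Count -gt 1) {
    Write-Host ("Multiple applications found with the name {0}. Please refine your search." -f $Application)
    Return
}
If ($Candidates.Count -eq 0) {
    Write-Host ("No application found with the name {0}." -f $Application)
    Return
}
$ApplicationObject = $Candidates[0]

# Is the application already disabled?
If ($ApplicationObject.IsDisabled -eq $true) {
    Write-Host ("The {0} application is already disabled." -f $ApplicationObject.DisplayName)
    Return
}
Write-Host ("Deactivating application {0} (ObjectId: {1})..." -f $ApplicationObject.DisplayName, $ApplicationObject.Id)

# Populate variables for the update. Existing notes are preserved and the
# disable action is appended as an audit line (timestamp + signed-in account).
$ExistingNotes = $null
If ($ApplicationObject.Notes) {
    $ExistingNotes = $ApplicationObject.Notes.Trim() + "`n"
}
$NewDisplayName = $ApplicationObject.DisplayName + " (disabled)"
$NewNotes = $ExistingNotes + "App disabled on " + (Get-Date -Format "dd-MMM-yyyy HH:mm") + " by " + (Get-MgContext).Account

# Create the request body
$RequestBody = @{
    isDisabled  = $true
    displayName = $NewDisplayName
    notes       = $NewNotes
}

# Update the application first. Doing this before touching the owners means a
# failure here leaves the tenant unchanged, instead of an enabled application
# whose owners have already been stripped.
Try {
    Update-MgApplication -ApplicationId $ApplicationObject.Id -BodyParameter $RequestBody -ErrorAction Stop
    Write-Host ("{0} application deactivated." -f $ApplicationObject.DisplayName)
} Catch {
    Write-Host "Failed to disable application. Error details:"
    Write-Host $_.Exception.Message
    Return
}

# Then remove the application owners. Each removal (or failure) is reported
# individually so the console output records who was detached.
Try {
    [array]$Owners = Get-MgApplicationOwner -ApplicationId $ApplicationObject.Id -All -ErrorAction Stop
} Catch {
    Write-Host "Failed to retrieve application owners. Error details:"
    Write-Host $_.Exception.Message
    Return
}
If (!$Owners) {
    Write-Host "No owners found for the application."
    Return
}
ForEach ($Owner in $Owners) {
    $OwnerName = $Owner.AdditionalProperties.displayName
    Try {
        Remove-MgApplicationOwnerByRef -ApplicationId $ApplicationObject.Id -DirectoryObjectId $Owner.Id -ErrorAction Stop
        Write-Host ("Removed owner {0} from {1} application." -f $OwnerName, $ApplicationObject.DisplayName)
    } Catch {
        Write-Host ("Failed to remove owner {0}. Error details:" -f $OwnerName)
        Write-Host $_.Exception.Message
    }
}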
Attribution
Author
Office365itpros