I was having a chat with one of our Enterprise Grade clients, and they would like to clean up any unused or no longer required Enterprise Applications on Azure. So, we figured we could try to determine whether the Applications are being used by looking at the last sign-in date against said Applications.
However, the issue with this is that Azure only keeps sign-in logs for 30 days, so many of the Applications may show the last login as “Never or more than 30 days”.
There are probably far better ways of determining this and/or things I may not have considered or thought of, so if you have any suggestions please let us know.
Therefore we have come up with the below PowerShell script to get a list of all the Enterprise Applications on the Tenant, as well as the last sign-in date, whether it is enabled for user sign-in, whether user assignment is required, and the owner of said Application.
However, if you have not been adding users as owners to these applications when they were created, it is going to return a blank field. So we would recommend that, if you are not adding owners when creating these Applications, you start doing so (I am guilty of not doing this, so I should probably start doing this myself).
**Please note that this is only an indication and should be taken as such, as there may be an Application that is used sporadically, and native M365 Applications will be listed as well. You will need to determine yourself whether an Application is dormant and can be removed.**
Please ensure that you update the export location, as required.
```powershell
# Connect to Azure AD. Get-AzureADAuditSignInLogs ships in the AzureADPreview module,
# so that module (not just AzureAD) must be installed and imported.
Connect-AzureAD

# Get all service principal objects representing Azure enterprise applications
$apps = Get-AzureADServicePrincipal -All $true |
    Where-Object { $null -ne $_.AppId -and $_.Tags -contains "WindowsAzureActiveDirectoryIntegratedApp" }

# Initialize an array to store the results
$results = @()
$countapps = $apps.Count
$number = 1

# Loop through each application and get its last sign-in attempt
foreach ($app in $apps) {
    # Filter on AppId rather than DisplayName: display names are not unique, and a
    # name containing a single quote would break the OData filter string.
    # Sign-in log entries come back newest first, so -Top 1 is the most recent one.
    $signinLog = Get-AzureADAuditSignInLogs -Filter "appId eq '$($app.AppId)'" -Top 1

    # Get the display name, AppId, sign-in state, assignment requirement and owners
    $displayName = $app.DisplayName
    $appId = $app.AppId
    $AccountEnabled = $app.AccountEnabled
    $AppRoleAssignmentRequired = $app.AppRoleAssignmentRequired
    $owners = Get-AzureADServicePrincipalOwner -ObjectId $app.ObjectId |
        Select-Object DisplayName, UserPrincipalName

    # Get the last sign-in attempt, if any (the log only covers the retention window)
    if ($null -ne $signinLog) {
        $lastSignIn = $signinLog.CreatedDateTime
    } else {
        $lastSignIn = "Last Login - Never or more than 30 days"
    }
    Write-Output "$($app.DisplayName): $lastSignIn : App $number of $countapps"
    $number++

    # Add the application details to the results array
    $results += [PSCustomObject] @{
        DisplayName            = $displayName
        AppId                  = $appId
        EnabledForSignIn       = $AccountEnabled
        UserAssignmentRequired = $AppRoleAssignmentRequired
        OwnersName             = $owners.DisplayName -join "; "
        OwnersEmail            = $owners.UserPrincipalName -join "; "
        LastSignIn             = $lastSignIn
    }
}

# Export the results to a CSV file (update the path as required)
$results | Export-Csv -Path "C:\scripts\AppRegLastLogon\AzureEnterpriseApps.csv" -NoTypeInformation
```
Sample of the output while running the script.
**I have included a count of the number of applications processed out of the total number of returned Enterprise Applications.**
Below is a sample of the data exported to a CSV file.
Depending on the size of your environment (the number of Enterprise Applications), the script can take a significant amount of time to run.
Once we have the output, our idea is to look at all the applications that have no recent sign-in attempts and start disabling user sign-ins (setting “Enabled for users to sign-in” from “Yes” to “No”). This is our attempt at a scream test, to check whether any users are still signing into these Applications.
If there are users still signing into these Applications, the rollback is as simple as setting “Enabled for users to sign-in” back to “Yes”.
Once the Enterprise Application has been disabled for some time, you can then start considering the removal/deletion of these Azure Enterprise Applications.
**Again, this does need to be done with care, and it is up to you whether this is the right course of action for your environment.**
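The scream test and its rollback can be driven from the exported CSV instead of clicking through the portal. The following is an added example, not part of the original post: it assumes an existing Connect-AzureAD session, the column names the script above exports, and a hypothetical rollback CSV path that you choose; the function names are my own.

```powershell
# Added example: disable user sign-in for apps the CSV marks as dormant, recording
# each change so it can be reverted. Assumes Connect-AzureAD has already run.
function Disable-DormantEnterpriseApp {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $InputCsv,     # CSV exported by the script above
        [Parameter(Mandatory)] [string] $RollbackCsv   # hypothetical path; one row per change
    )
    # Must match the sentinel string the export script writes
    $sentinel = 'Last Login - Never or more than 30 days'
    $candidates = Import-Csv -Path $InputCsv |
        Where-Object { $_.LastSignIn -eq $sentinel -and $_.EnabledForSignIn -eq 'True' }

    $changed = foreach ($row in $candidates) {
        # The CSV carries AppId only, so look the service principal up to get its ObjectId
        $sp = Get-AzureADServicePrincipal -Filter "appId eq '$($row.AppId)'"
        if (-not $sp) { Write-Warning "No service principal found for $($row.AppId)"; continue }
        # ShouldProcess honours -WhatIf / -Confirm, so a dry run changes nothing
        if ($PSCmdlet.ShouldProcess($sp.DisplayName, 'Disable user sign-in')) {
            Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AccountEnabled $false
            [PSCustomObject]@{
                ObjectId    = $sp.ObjectId
                DisplayName = $sp.DisplayName
                DisabledOn  = (Get-Date).ToString('o')
            }
        }
    }
    # Append so repeated runs build one cumulative rollback record
    if ($changed) { $changed | Export-Csv -Path $RollbackCsv -NoTypeInformation -Append }
    $changed
}

# Rollback: re-enable everything listed in the rollback CSV
function Restore-DormantEnterpriseApp {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)] [string] $RollbackCsv)
    foreach ($row in Import-Csv -Path $RollbackCsv) {
        if ($PSCmdlet.ShouldProcess($row.DisplayName, 'Re-enable user sign-in')) {
            Set-AzureADServicePrincipal -ObjectId $row.ObjectId -AccountEnabled $true
        }
    }
}

# Dry run first: lists what would be disabled without touching the tenant
Disable-DormantEnterpriseApp -InputCsv 'C:\scripts\AppRegLastLogon\AzureEnterpriseApps.csv' `
    -RollbackCsv 'C:\scripts\AppRegLastLogon\rollback.csv' -WhatIf
```

Run without -WhatIf once the dry-run list has been reviewed; each row still prompts for confirmation because of ConfirmImpact High, and the rollback CSV is what Restore-DormantEnterpriseApp reads if the scream test turns up users who still need an application.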
Please note that we take no responsibility for any issues caused by these commands and it is up to YOU to review and ensure that these commands can be run in your environment.