Why Do You Need This Script?
Organizations register applications in Entra ID to authenticate users and grant access to Microsoft services. However, some apps:
🔹 Lose valid secrets or certificates and stop working
🔹 Remain unused for long periods but retain permissions
🔹 Can be exploited if left unmanaged
IT administrators need to identify unused applications and those without valid credentials to prevent security risks. This PowerShell script automates the process by:
✅ Exporting all registered applications
✅ Identifying apps without valid secrets/certificates
✅ Finding applications not used in the last 90 days
✅ Deleting unused or orphaned apps in bulk
PowerShell Script to Manage Entra ID App Registrations
# Connect to Microsoft Graph.
# Application.ReadWrite.All is required for Remove-MgApplication; AuditLog.Read.All for the sign-in activity report.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AuditLog.Read.All"

# Define export location
$ExportPath = "C:\Entra ID\App Registrations"
If (!(Test-Path -Path $ExportPath)) { New-Item -ItemType Directory -Path $ExportPath | Out-Null }

# Function to write logs
Function Write-Log {
    param ([string]$message)
    $logFile = "$ExportPath\AppLog.txt"
    "$((Get-Date).ToString('yyyy-MM-dd HH:mm:ss')) - $message" | Out-File -Append -FilePath $logFile
}

# Get all applications. Id is the object id (needed for deletion); AppId is the client id.
$Apps = Get-MgApplication -All

# Export all applications
$Apps | Select-Object DisplayName, AppId, Id, CreatedDateTime |
    Export-Csv -Path "$ExportPath\AllApplications.csv" -NoTypeInformation
Write-Log "Exported all app registrations."

# Find apps without valid (unexpired) secrets or certificates.
# Counting credentials alone is not enough: an app can hold only expired ones.
$Now = Get-Date
$InvalidApps = $Apps | Where-Object {
    $validSecrets = @($_.PasswordCredentials | Where-Object { $_.EndDateTime -gt $Now })
    $validCerts   = @($_.KeyCredentials     | Where-Object { $_.EndDateTime -gt $Now })
    ($validSecrets.Count -eq 0) -and ($validCerts.Count -eq 0)
}

# Export apps without valid credentials
$InvalidApps | Select-Object DisplayName, AppId, Id |
    Export-Csv -Path "$ExportPath\AppsWithoutCredentials.csv" -NoTypeInformation
Write-Log "Exported applications without valid credentials."

# Find apps not used in the last 90 days, based on the service principal sign-in activity report
# (Get-MgBetaReportServicePrincipalSignInActivity from the Microsoft.Graph.Beta.Reports module).
# Creation date alone says nothing about usage; apps older than 90 days with no recorded sign-in,
# or whose last sign-in is older than 90 days, are treated as unused.
$LastSignIn = @{}
Get-MgBetaReportServicePrincipalSignInActivity -All | ForEach-Object {
    $LastSignIn[$_.AppId] = $_.LastSignInActivity.LastSignInDateTime
}
$Cutoff = $Now.AddDays(-90)
$UnusedApps = $Apps | Where-Object {
    $last = $LastSignIn[$_.AppId]
    ($_.CreatedDateTime -lt $Cutoff) -and (($null -eq $last) -or ($last -lt $Cutoff))
}

# Export unused apps
$UnusedApps | Select-Object DisplayName, AppId, Id |
    Export-Csv -Path "$ExportPath\UnusedApps.csv" -NoTypeInformation
Write-Log "Exported applications not used in last 90 days."

# Delete unused apps (one explicit confirmation before the bulk delete)
Function Delete-Apps {
    param ($csvFile)
    $AppsToDelete = @(Import-Csv -Path $csvFile)
    $answer = Read-Host "About to delete $($AppsToDelete.Count) application(s) listed in $csvFile. Type DELETE to continue"
    if ($answer -ne "DELETE") { Write-Log "Bulk delete cancelled by operator."; return }
    foreach ($app in $AppsToDelete) {
        try {
            # Remove-MgApplication takes the object id (Id), not the client id (AppId)
            Remove-MgApplication -ApplicationId $app.Id -Confirm:$false -ErrorAction Stop
            Write-Log "Deleted application: $($app.DisplayName) ($($app.AppId))"
        } catch {
            Write-Log "Error deleting application $($app.AppId): $($_.Exception.Message)"
        }
    }
}

# Provide options to the admin
Write-Host "Select an option: `n1. Export all applications`n2. Export apps without valid secrets`n3. Export unused apps (90+ days)`n4. Delete unused apps"
$choice = Read-Host "Enter choice (1-4)"
Switch ($choice) {
    1 { Invoke-Item "$ExportPath\AllApplications.csv" }
    2 { Invoke-Item "$ExportPath\AppsWithoutCredentials.csv" }
    3 { Invoke-Item "$ExportPath\UnusedApps.csv" }
    4 { Delete-Apps "$ExportPath\UnusedApps.csv" }
}
Disconnect-MgGraph
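The script only reports apps whose secrets and certificates have all expired or are missing; the "stops working" case above is usually caught earlier by also flagging credentials that are about to expire. The following is an added example, not code from the original script, that classifies each registration's credential state; the function name, the 30-day warning window and the sample app object are assumptions.

```powershell
# Added example (not part of the original script): classify an app registration's
# credential state so apps about to lose their last valid secret or certificate are
# caught before they stop working. The 30-day warning window is an assumption.
Function Get-AppCredentialStatus {
    param (
        [Parameter(Mandatory)] $App,        # object with PasswordCredentials / KeyCredentials
        [int]$WarnDays = 30,
        [datetime]$Now = (Get-Date)
    )
    # Collect the expiry date of every secret and certificate on the app
    $expiries = @(foreach ($c in @($App.PasswordCredentials) + @($App.KeyCredentials)) {
        if ($null -ne $c -and $null -ne $c.EndDateTime) { [datetime]$c.EndDateTime }
    })
    $valid = @($expiries | Where-Object { $_ -gt $Now })
    if ($expiries.Count -eq 0) {
        $status = 'NoCredentials'; $days = $null
    } else {
        # Latest expiry among still-valid credentials, or among all of them if none is valid
        $pool   = if ($valid.Count -gt 0) { $valid } else { $expiries }
        $latest = $pool | Sort-Object -Descending | Select-Object -First 1
        $days   = [int]($latest - $Now).TotalDays   # negative when already expired
        if ($valid.Count -eq 0) { $status = 'AllExpired' }
        elseif ($days -le $WarnDays) { $status = 'ExpiringSoon' }
        else { $status = 'Valid' }
    }
    [pscustomobject]@{
        DisplayName              = $App.DisplayName
        AppId                    = $App.AppId
        Status                   = $status
        DaysUntilLastValidExpiry = $days
    }
}

# Constructed sample (not a real app): one expired secret plus a certificate expiring in 12 days
$sampleApp = [pscustomobject]@{
    DisplayName         = 'Sample-Integration-App'
    AppId               = '00000000-0000-0000-0000-000000000000'
    PasswordCredentials = @([pscustomobject]@{ EndDateTime = (Get-Date).AddDays(-10) })
    KeyCredentials      = @([pscustomobject]@{ EndDateTime = (Get-Date).AddDays(12) })
}
Get-AppCredentialStatus -App $sampleApp    # run on the constructed sample

# Against a tenant (after Connect-MgGraph), keep only the apps that need attention:
# Get-MgApplication -All | ForEach-Object { Get-AppCredentialStatus -App $_ } |
#     Where-Object Status -ne 'Valid' | Export-Csv "$ExportPath\CredentialStatus.csv" -NoTypeInformation
```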
Benefits of This Script
🔹 Security: Removes unused apps before their lingering permissions can be abused.
🔹 Governance: Identifies applications that no longer hold valid authentication credentials.
🔹 Efficiency: Automates application cleanup, reducing IT workload.
This script helps organizations monitor app registrations, remove security risks, and enforce compliance effortlessly. 🚀