How To Use App Registration Deactivation

-

 If you’ve been following the steady stream of updates coming out of Entra, you may have noticed a particularly powerful addition to the Microsoft Graph API: the ability to deactivate app registrations. It’s a deceptively simple feature with major implications for anyone responsible for managing the ever‑growing list of applications inside their organization.

In this post, I’ll break down why this matters, how it can help you regain control of your app landscape, and—most importantly—how to automate it. I spent a good chunk of time figuring this out so you don’t have to.

So… what exactly is this new feature?

In short: you can now cleanly deactivate an app registration without deleting it.

Historically, if you needed to stop an app from being used in your tenant, your only real option was to delete the service principal. That worked fine for throwaway apps, but for anything with configuration, history, or future relevance, deletion was a non‑starter. You either lived with the risk or rebuilt everything later.

Instead of removing the app entirely, Entra now lets you block new access tokens immediately, while leaving all metadata, configuration, and audit history untouched. Existing tokens continue to work until they expire, giving you a safe, predictable transition window.

This makes incident response smoother, maintenance safer, and lifecycle management far less destructive—all without losing anything you might need later.

And the best part? It’s all powered through Microsoft Graph.

How to Deactivate via PowerShell

To deactivate the app via PowerShell, you will need the following permissions to deactivate: 

Application.ReadWrite.All

Once you have those permissions consented to (which should come up when you connect via Microsoft Graph) use the following code snippet to deactivate:

Connect-MgGraph -Scopes "Application.ReadWrite.All"

$clientId = "<>"

$uri = "https://graph.microsoft.com/beta/applications(appId='$clientId')"

$body = @{
    isDisabled = $true
} | ConvertTo-Json

Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body -ContentType "application/json"

Reactivating the Application

Once we're satisfied, we can then reactivate the application by changing the variable to $false, as seen below:

Connect-MgGraph -Scopes "Application.ReadWrite.All"

$clientId = "<>"

$uri = "https://graph.microsoft.com/beta/applications(appId='$clientId')"

$body = @{
    isDisabled = $false
} | ConvertTo-Json

Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body -ContentType "application/json"

Tying it all together

Using Microsoft Graph to deactivate app registrations is a clean, reversible way to take control of the applications in your tenant without resorting to drastic measures. Hopefully we’ll see this feature surface in the Entra portal soon as a simple toggle. Until then, this approach gives you a safe, predictable way to disable problematic apps without purging them outright.

Until next week folks!


Comments

Post a Comment

Popular posts from this blog

Using Power Automate to Update Contact Information

-
 We've all been there- you have a large organization who has out-of-date contact information. What do you do? You could go around to each department and ask them nicely to update their information, or send out an org-wide email prompting people to do so. However, this is tedious and oftentimes a pointless task. By the time you update one department, you're running to fix another. What if you could put the power back in the department's hands to do so? This is a struggle I faced recently as I was trying to find was I could conjure up some updated contact information for each department. As I did my research, I found that I was not alone in this endeavour as it seems that many IT professionals would love to make this process a little bit less painful. With this in mind, I introduce to you my latest flow! This flow will allow you to encourage users to update their contact information, without the overhead that comes with manual effort. In addition to this, this flow utilizes t...
Read more

Using Custom Connectors and Microsoft Graph API's to Manage Licenses in Power Automate - Part One

-
Happy June folks! I come to you with another post, but this time I wanted to change it up and show you something else I have just finished working on. As a SysAdmin, one of the most common issues we run into is managing licenses. Working at a post-secondary institution makes this an even greater challenge, as you have both students, staff and faculty constantly coming as well as going. Managing to keep up with this constant change can introduce great administrative overhead which takes away time from important upkeep of other systems and initiatives. You may also notice this same issue in large corporations or in other government organizations. To help combat this, I wanted to create a flow that can do the following: Get the user and their licenses Determine their last sign-in and the date Conditional to determine if the user is past the "cutoff" date Remove the user from a group where the license is assigned The only problem with doing this is that Power Automate does not ha...
Read more

Using Custom Connectors and Microsoft Graph API's to Manage Licenses in Power Automate - Part Two

-
Hello again! Didn't I promise you that I'd be back to wrap this up? Well, here I am to give you the second tidbit of information that you need to get this started. If you haven't already, take a look at my previous post where I go into depth about creating a custom connector in Power Automate to retrieve the latest sign-in and also gather the user's licenses. Now that we have the custom connector ready, we can now get into the meat n' potatoes of this series. In this post, I will show you the flow that makes this possible and how you can use the custom connector you have created to tie it all together! Hope you enjoy. Understanding the Logic Before we can begin creating the flow, we should first understand how the flow will work. I designed this to flow to be triggered manually, but you may want to schedule it or use another trigger. The trigger will depend on your organization's policies, so please adjust accordingly. Once triggered, the flow will use the Entra...
Read more