Microsoft Entra recommendation: Remove unused applications (preview)

Microsoft Entra recommendations is a feature that provides you with personalized insights and actionable guidance to align your tenant with recommended best practices.

This article covers the recommendation to investigate unused applications. This recommendation is called StaleApps in the recommendations API in Microsoft Graph.

Prerequisites

There are different role requirements for viewing or updating a recommendation. Use the least-privileged role for the type of access needed. For a full list of roles, see Least privileged roles by task.

Microsoft Entra role	Access type
Reports Reader	Read-only
Security Reader	Read-only
Global Reader	Read-only
Authentication Policy Administrator	Update and read
Exchange Administrator	Update and read
Security Administrator	Update and read
DirectoryRecommendations.Read.All	Read-only in Microsoft Graph
DirectoryRecommendations.ReadWrite.All	Update and read in Microsoft Graph

Some recommendations might require a P2 or other license. For more information, see Recommendation availability and license requirements.

Description

This recommendation shows up if your tenant has applications that haven't been used for over 90 days. The following scenarios are included in this recommendation:

• The app was created but never used.
• The app isn't soft deleted from the application portfolio.
• The app isn't used by the tenant where it resides nor any of its instances (Service Principal) in other tenants.
• It's a client app that calls other resource apps, but hasn't been issued any tokens in the past 90 days.
• It's a resource app that doesn't have a record of any client apps requesting a token in the past 90 days.

The following apps are exempted from this recommendation:

• Apps that are managed by Microsoft, including anything created or modified by Microsoft-owned applications.
• Apps that work with other apps to obtain tokens or are used to enable scenarios that don't require tokens.
  • For example, Peer-to-peer server, Application proxy, Microsoft Entra Cloud Sync, linked single-sign-on, password SSO, Office add-ins, and managed identities are excluded from this recommendation.
• Apps that were created within the past 90 days.

Value

Removing unused applications helps reduce the attack surface area and helps clean up the app portfolio of a tenant.

Action plan

This recommendation is available in the Microsoft Entra admin center and using the Microsoft Graph API. Once you identify the applications that aren't being used, you can decide whether to remove them or keep them based on your organization's needs. The action plan is therefore broken down into two parts:

1. Review the applications that are flagged as unused.
2. Determine if the application is needed and how to address it.

Microsoft Entra admin center

Applications that the recommendation identified appear in the list of Impacted resources at the bottom of the recommendation.

Review the applications

1. Sign in to the Microsoft Entra admin center as at least a Security Administrator.

2. Browse to Identity > Overview.

3. Select the Recommendations tab and select the Remove unused applications recommendation.

4. From the Impacted resources table, select More details to view more details.

5. Select the Resource link to go directly to the app registration for the app.

   • Alternatively, you can browse to Identity > Applications > App registrations and locate the application that was surfaced as part of this recommendation.

   

Determine if the application is needed

There are many reasons why an app might be unused. Consider the app's usage scenario and business function. For example:

• Was the app deprecated?
• Is the app used for a business function that only happens at certain times of the year?

To remove the application:

1. Soft delete the app from your tenant.
2. Wait 15 days and then permanently delete the app.

To indicate the application is still needed and skip the recommendation:

• Update the recommendation status to dismissed or postponed.
  • Use dismissed if determined that the app will remain inactive for the rest of its lifecycle.
  • Use dismissed if you think the app as included in the recommendation in error.
  • Use postponed if you need more time to review the app.

Microsoft Graph API

The following requests can be used to retrieve the recommendation and the impacted resources using the Microsoft Graph API. To use the Microsoft Graph API, you need the DirectoryRecommendations.Read.All and DirectoryRecommendations.ReadWrite.All permissions. For more information, see How to use Identity Recommendations.

1. Sign in to Graph Explorer.
2. Select GET as the HTTP method from the dropdown.

Review the applications

To retrieve all recommendations for your tenant:

GET https://graph.microsoft.com/beta/directory/recommendations

From the response, find the ID of the recommendation that matches the following pattern: {tenantId}_Microsoft.Identity.IAM.Insights.StaleApps.

To identify impacted resources:

GET https://graph.microsoft.com/beta/directory/recommendations/{tenantId}_Microsoft.Identity.IAM.Insights.StaleApps

To filter the resources based on their status (for example, active resources):

GET https://graph.microsoft.com/beta/directory/recommendations/536279f6-15cc-45f2-be2d-61e352b51eef_Microsoft.Identity.IAM.Insights.StaleApps/impactedResources?$filter=status eq Microsoft.Graph.recommendationStatus'active' 

Identify the applicationObjectId or appId of the unused app you want to delete.

Sample response

{
    "id": "0000000-000c-0000-000-00000000000f_Microsoft.Identity.IAM.Insights.StaleApps",
    "recommendationType": "staleApps",
    "createdDateTime": "2022-06-16T01:18:55Z",
    "impactStartDateTime": "2022-06-16T01:18:55Z",
    "postponeUntilDateTime": null,
    "lastModifiedDateTime": "2024-07-26T14:17:24Z",
    "lastModifiedBy": "System",
    "displayName": "Remove unused applications",
    "featureAreas": [
        "applications"
    ],
    "insights": "Your tenant has some applications that have not been used in the past 90 days.",
    "benefits": "Removing unused applications improves the security posture and promotes good application hygiene.",
    "category": "identityBestPractice",
    "status": "active",
    "priority": "medium",
    "requiredLicenses": "microsoftEntraWorkloadId",
    "impactType": "apps",
    "actionSteps": [
        {
            "stepNumber": 1,
            "text": "1. Navigate to the app registration blade and delete the unused application."
        },
        {
            "stepNumber": 2,
            "text": "2. We suggest you take appropriate steps to ensure the application is not used in longer intervals of more than 90 days. If so, you should change the frequency of access such that the application’s last used time is within 90 days from its last access date."
        }
    ]
}

Determine if the application is needed

Consider the app's usage scenario and business function:

• Was the app deprecated?
• Is the app used for a business function that only happens at certain times of the year?

If you can delete the app, run one of the following queries to delete the application:

DELETE /applications/{applicationObjectId}
DELETE /applications(appId='{appId}')

Wait 15 days and then follow the Permanently delete an item Microsoft Graph API guidance.

Related content

• Review the Microsoft Entra recommendations overview
• Learn how to use Microsoft Entra recommendations
• Explore the Microsoft Graph API properties for recommendations