Microsoft Entra recommendation: Remove unused credentials from apps (preview)

Microsoft Entra recommendations is a feature that provides you with personalized insights and actionable guidance to align your tenant with recommended best practices.

This article covers the recommendation to remove unused credentials from apps. This recommendation is called StaleAppCreds in the recommendations API in Microsoft Graph.

Prerequisites

There are different role requirements for viewing or updating a recommendation. Use the least-privileged role for the type of access needed. For a full list of roles, see Least privileged roles by task.

Microsoft Entra role	Access type
Reports Reader	Read-only
Security Reader	Read-only
Global Reader	Read-only
Authentication Policy Administrator	Update and read
Exchange Administrator	Update and read
Security Administrator	Update and read
DirectoryRecommendations.Read.All	Read-only in Microsoft Graph
DirectoryRecommendations.ReadWrite.All	Update and read in Microsoft Graph

Some recommendations might require a P2 or other license. For more information, see Recommendation availability and license requirements.

Description

Application credentials can include certificates and other types of secrets that need to be registered with that application. These credentials are used to prove the identity of the application. Only credentials actively in use by an application should remain registered with the application.

A credential is considered unused if:

• It has not been used in the past 30 days.
• It's a credential that was added to an application to be used for OAuth/OIDC flows or to the service principal for SAML flow.

The following credentials are exempted from the recommendation:

• Expired credentials do not show in the Impacted resources list.
• Credentials that were identified as unused but have expired since being flagged show as Completed in the Impacted resources list.

Value

Removing unused application credentials helps reduce the attack surface area and helps declutter the app portfolio of a tenant.

Action plan

This recommendation is available in the Microsoft Entra admin center and using the Microsoft Graph API.

Microsoft Entra admin center

Applications that the recommendation identified appear in the list of Impacted resources at the bottom of the recommendation.

1. Sign in to the Microsoft Entra admin center as at least a Security Administrator.

2. Browse to Identity > Overview.

3. Select the Recommendations tab and select the Remove unused credentials from applications recommendation.

4. Take note of the following details from the Impacted resources table.

   • The Resource column displays the application name
   • The ID column displays the application ID

5. Select More Details from the Actions column to view more details.

   

   Note

   If the origin of the credential is Service Principal, follow the guidance in the Service principals section.

6. From the panel that opens, select Update Credential to navigate directly to the Certificates & secrets area of the app registration to remove the unused credential.

   1. Alternatively, browse to Identity > Applications > App registrations and select the application that was surfaced as part of this recommendation.

      

   2. Then navigate to the Certificates & Secrets section of the app registration.

      

7. Locate the unused credential and remove it.

Microsoft Graph API

The following requests can be used to retrieve the recommendation and the impacted resources using the Microsoft Graph API. To use the Microsoft Graph API, you need the DirectoryRecommendations.Read.All and DirectoryRecommendations.ReadWrite.All permissions. For more information, see How to use Identity Recommendations.

1. Sign in to Graph Explorer.
2. Select GET as the HTTP method from the dropdown.

To retrieve all recommendations for your tenant:

GET https://graph.microsoft.com/beta/directory/recommendations

From the response, find the ID of the recommendation that matches the following pattern: {tenantId}_Microsoft.Identity.IAM.Insights.StaleAppCreds.

To identify impacted resources:

GET https://graph.microsoft.com/beta/directory/recommendations/{tenantId}_Microsoft.Identity.IAM.Insights.StaleAppCreds

To filter the resources based on their status (for example, active resources):

GET https://graph.microsoft.com/eta/directory/recommendations/536279f6-15cc-45f2-be2d-61e352b51eef_Microsoft.Identity.IAM.Insights.StaleAppCreds/impactedResources?$filter=status eq Microsoft.Graph.recommendationStatus'active'

• Take note of the AppId, CredentialId, and origin of the credential you want to remove.
• Use these Microsoft Graph APIs to add a new password or key credential:
  • removePassword
  • removeKey

Sample response

{
  "id": "536279f6-15cc-45f2-be2d-61e352b51eef_Microsoft.Identity.IAM.Insights.StaleAppCreds",
  "recommendationType": "staleAppCreds",
  "createdDateTime": "2022-09-07T21:25:36Z",
  "impactStartDateTime": "2022-09-07T21:25:36Z",
  "postponeUntilDateTime": null,
  "lastModifiedDateTime": "2024-07-22T15:23:29Z",
  "lastModifiedBy": "System",
  "displayName": "Remove unused credentials from applications",
  "featureAreas": [
    "applications"
  ],
  "insights": "Your tenant has applications with credentials which have not been used in more than 30 days.",
  "benefits": "An application credential is used to get a token that grants access to a resource or another service.",
  "category": "identityBestPractice",
  "status": "active",
  "priority": "medium",
  "releaseType": "preview",
  "requiredLicenses": "microsoftEntraWorkloadId",
  "impactType": "apps",
  "actionSteps": [
    {
      "stepNumber": 1,
      "text": "1. For application resources, navigate to the app registration section in your tenant."
    },
    {
      "stepNumber": 2,
      "text": "2. In the ‘Certificate and Secrets’ blade, find the credential and remove it."
    },
    {
      "stepNumber": 3,
      "text": "3. To remove a credential from a service principal resource, use the MS Graph Service Principal API service action ",
      "actionUrl": {
        "displayName": "`removePassword`",
        "url": "https://docs.microsoft.com/graph/api/serviceprincipal-removepassword?view=graph-rest-1.0&tabs=http"
      }
    }
  ]
}

Service principals

If the origin of the credential is service principal, there are a few considerations and extra steps to follow.

Because there's often multiple service principals for a single application, it may be easier to navigate to Enterprise apps to view everything in one place.

1. In the Microsoft Entra admin center, browse to Identity > Applications > Enterprise applications.

2. Search for and open the application that was surfaced as part of this recommendation.

3. Select Single sign-on from the side menu.

   If the credential is a service principal but there are SAML certificates in use, you can identify the details of the credential using the Microsoft Graph API. To use the Microsoft Graph API, you need the DirectoryRecommendations.Read.All and DirectoryRecommendations.ReadWrite.All permissions. For more information, see How to use Identity Recommendations.

4. Sign in to Graph Explorer.

5. Select GET as the HTTP method from the dropdown.

6. Set the API version to beta.

7. Query the keyCredential and passwordCredential endpoints.

8. Use the removePassword or removeKey endpoints to remove the credential from the service principal.

Related content

• Review the Microsoft Entra recommendations overview
• Learn how to use Microsoft Entra recommendations
• Explore the Microsoft Graph API properties for recommendations
• Learn about app and service principal objects in Microsoft Entra ID