Hi @SJ,
Thanks for your post! There are a few options for querying this data.
One option is to use the AADSpnSignInEventsBeta table in advanced hunting and query the LastSignIn by servicePrincipalId. This TechNet article has a sample query:
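```kusto
// Inactive Service Principals
// Gets list of service principals with no sign-ins in the last ten days
// Note: only service principals with at least one successful sign-in in the
// 30-day window return a row; ones with no sign-ins at all do not appear.
AADSpnSignInEventsBeta
| where Timestamp > ago(30d)
| where ErrorCode == 0
| summarize LastSignIn = max(Timestamp) by ServicePrincipalId
| where LastSignIn < ago(10d)
| order by LastSignIn desc
```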
You can get the data either in the AADSpnSignInEventsBeta table in Advanced Hunting (which requires an Azure AD Premium P2 license) or in AADServicePrincipalSignInLogs in Microsoft Sentinel (but you need to have the data ingesting).
Another option though is to extract all of the enterprise applications, query their sign-in logs, and get the count of the sign-in logs over the past 30 days (the default retention time). You can export the ApplicationName, ApplicationID, and a count of how many sign-ins there have been for each enterprise application. I am not sure if we have an official Azure sample for this but there are some blog posts online that achieve this.
See additional examples:
Find stale enterprise applications
Auditing registered applications
KQL cleanup
Let me know if this is what you are looking for and if you have further questions.
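The second option in the answer above (inventory every enterprise application, then count its sign-ins over the last 30 days), as an added Python example that is not part of the original answer or a Microsoft sample. It assumes the inventory and sign-in records were already exported with Microsoft Graph field names (`appId`, `displayName`, `createdDateTime`, `status.errorCode`); the function names and all sample data are constructed, and the 10-day stale threshold mirrors the query above.

```python
import csv, io
from datetime import datetime, timedelta, timezone

# Constructed sample data (all values made up). Field names follow the
# Microsoft Graph servicePrincipal and signIn resources (assumed export format).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
APPS = [
    {"appId": "app-0001", "displayName": "Payroll Sync"},
    {"appId": "app-0002", "displayName": "Legacy Reporting"},
    {"appId": "app-0003", "displayName": "Old Test App"},
]
SIGN_INS = [
    {"appId": "app-0001", "createdDateTime": "2024-05-30T08:00:00Z", "status": {"errorCode": 0}},
    {"appId": "app-0001", "createdDateTime": "2024-05-31T08:00:00Z", "status": {"errorCode": 0}},
    {"appId": "app-0001", "createdDateTime": "2024-05-31T09:00:00Z", "status": {"errorCode": 1}},
    {"appId": "app-0002", "createdDateTime": "2024-05-10T09:00:00Z", "status": {"errorCode": 0}},
    {"appId": "app-0003", "createdDateTime": "2024-03-01T09:00:00Z", "status": {"errorCode": 0}},
    {"appId": "app-9999", "createdDateTime": "2024-05-31T09:00:00Z", "status": {"errorCode": 0}},
]

def usage_report(apps, sign_ins, now, window_days=30, stale_days=10):
    """Left-join the inventory to successful in-window sign-ins; apps with none still get a row."""
    start, stale_before = now - timedelta(days=window_days), now - timedelta(days=stale_days)
    stats = {a["appId"]: [0, None] for a in apps}  # appId -> [count, last sign-in]
    for ev in sign_ins:
        ts = datetime.fromisoformat(ev["createdDateTime"].replace("Z", "+00:00"))
        entry = stats.get(ev["appId"])
        # Skip apps outside the inventory, failed sign-ins, and out-of-window events.
        if entry is None or ev["status"]["errorCode"] != 0 or not start < ts <= now:
            continue
        entry[0] += 1
        entry[1] = ts if entry[1] is None else max(entry[1], ts)
    rows = []
    for a in apps:
        count, last = stats[a["appId"]]
        state = "no-sign-ins" if last is None else "stale" if last < stale_before else "active"
        rows.append({"ApplicationName": a["displayName"], "ApplicationID": a["appId"], "SignInCount": count,
                     "LastSignIn": last.isoformat() if last else "", "State": state})
    return sorted(rows, key=lambda r: r["SignInCount"])

def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    print(to_csv(usage_report(APPS, SIGN_INS, NOW)))
```

Because the report starts from the inventory rather than from the sign-in log, an application with zero sign-ins in the window is listed with a count of 0 instead of being silently absent.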