Microsoft Entra recommendation: Remove unused applications (preview)

Microsoft Entra recommendations is a feature that provides you with personalized insights and actionable guidance to align your tenant with recommended best practices.

This article covers the recommendation to investigate unused applications. This recommendation is called StaleApps in the recommendations API in Microsoft Graph.

Prerequisites

There are different role requirements for viewing or updating a recommendation. Use the least-privileged role for the type of access needed. For a full list of roles, see Least privileged roles by task.

Microsoft Entra role Access type
Reports Reader Read-only
Security Reader Read-only
Global Reader Read-only
Authentication Policy Administrator Update and read
Exchange Administrator Update and read
Security Administrator Update and read
DirectoryRecommendations.Read.All Read-only in Microsoft Graph
DirectoryRecommendations.ReadWrite.All Update and read in Microsoft Graph

Some recommendations might require a P2 or other license. For more information, see Recommendation availability and license requirements.

Description

This recommendation shows up if your tenant has applications that haven't been used for over 90 days. The following scenarios are included in this recommendation:

  • The app was created but never used.
  • The app isn't soft deleted from the application portfolio.
  • The app isn't used by the tenant where it resides nor any of its instances (Service Principal) in other tenants.
  • It's a client app that calls other resource apps, but hasn't been issued any tokens in the past 90 days.
  • It's a resource app that doesn't have a record of any client apps requesting a token in the past 90 days.

The following apps are exempted from this recommendation:

  • Apps that are managed by Microsoft, including anything created or modified by Microsoft-owned applications.
  • Apps that work with other apps to obtain tokens or are used to enable scenarios that don't require tokens.
  • Apps that were created within the past 90 days.

Value

Removing unused applications helps reduce the attack surface area and helps clean up the app portfolio of a tenant.

Action plan

This recommendation is available in the Microsoft Entra admin center. Once you identify the applications that aren't being used, you can decide whether to remove them or keep them based on your organization's needs. The action plan is therefore broken down into two parts:

  1. Review the applications that are flagged as unused.
  2. Determine if the application is needed and how to address it.

Applications that the recommendation identified appear in the list of Impacted resources at the bottom of the recommendation.

Review the applications

  1. Sign in to the Microsoft Entra admin center as at least a Security Administrator.

  2. Browse to Identity > Overview.

  3. Select the Recommendations tab and select the Remove unused applications recommendation.

  4. From the Impacted resources table, select More details to view more details.

  5. Select the Resource link to go directly to the app registration for the app.

    • Alternatively, you can browse to Identity > Applications > App registrations and locate the application that was surfaced as part of this recommendation.

    Screenshot of the Microsoft Entra app registration page.

Determine if the application is needed

There are many reasons why an app might be unused. Consider the app's usage scenario and business function. For example:

  • Was the app deprecated?
  • Is the app used for a business function that only happens at certain times of the year?

To remove the application:

  1. Soft delete the app from your tenant.
  2. Wait 15 days and then permanently delete the app.

To indicate the application is still needed and skip the recommendation:

  • Update the recommendation status to dismissed or postponed.
    • Use dismissed if determined that the app will remain inactive for the rest of its lifecycle.
    • Use dismissed if you think the app as included in the recommendation in error.
    • Use postponed if you need more time to review the app.