Managing enterprise applications in Microsoft Entra can be challenging, especially when you need to identify the owners of multiple apps. Without a clear view of app owners, it becomes difficult for admins to delegate ownership and ensure accountability. In this blog, we will explore the methods available to retrieve enterprise applications and their owners in Microsoft 365.
How to Get a List of Enterprise Apps and Their Assigned Owners in Microsoft Entra?
To manage and track the ownership of enterprise apps in Entra ID, use the following methods.
Get Enterprise Apps and Owners Through Microsoft Entra Admin Center
You can view all the enterprise applications and their owners in Microsoft Entra admin center by following the steps below.
- Sign in to the Microsoft Entra admin center.
- Navigate to Identity –> Applications –> Enterprise applications.
- Click on any desired application.
- To view the owners of the enterprise application, click on Owners under ‘Manage’ section on the left.
List Enterprise Applications and Owners Using PowerShell
Alternatively, you can use the Microsoft Graph PowerShell cmdlet Get-MgServicePrincipalOwner to retrieve the owner of an enterprise application.
After connecting to Microsoft Graph PowerShell, retrieve the list of enterprise applications using the following cmdlet.
1 |
Get-MgServicePrincipal -All |
To extract the owners of an enterprise application, execute the below with service principal id.
1 |
Get-MgServicePrincipalOwner -ServicePrincipalId <ID> |
The Challenge: While these methods work, they require either manually checking each application in the portal or running the cmdlet for every individual app. This approach can be highly time-consuming when managing multiple enterprise applications.
To address this challenge, we have crafted a PowerShell script where you can export all enterprise applications and their owners in no time. This script not only saves time but also provides additional insights, such as sign-in status, visibility, and role assignments, all in one go.
Download Script: GetEnterpriseAppsReport.ps1
Script Highlights
- The script exports all enterprise apps along with its owners in Microsoft Entra.
- Generates report for sign-in enabled applications alone.
- Exports report for sign-in disabled applications only.
- Filters applications that are hidden from all users except assigned users.
- Provides the list of applications that are visible to all users in the organization.
- Lists applications that are accessible to all users in the organization.
- Identifies applications that can be accessed only by assigned users.
- Fetches the list of ownerless applications in Microsoft Entra.
- Assists in filtering home tenant applications only.
- Exports applications from external tenants only.
- The script uses MS Graph PowerShell and installs MS Graph PowerShell SDK (if not installed already) upon your confirmation.
- Exports the report result to CSV.
- The script can be executed with an MFA enabled account too.
- It can be executed with certificate-based authentication (CBA) too.
- The script is schedular-friendly.
Enterprise Applications and Their Owners Report – Sample Output
The script exports enterprise applications and their owners along with the following attributes:
- Enterprise App Name
- App Id
- App Owners
- App Creation Time
- User Sign-in Allowed
- User visibility
- Role Assignment Required
- Service Principal Type
- App Registration Name
- App Origin
- App Org Id
The exported ‘Enterprise applications and their owners’ report looks like the screenshot below.
Enterprise Applications and Their Owners Report – Script Execution Methods
- Download the script.
- Start the Windows PowerShell.
- Select any of the methods provided to execute the script.
Method 1: You can run the script with MFA and non-MFA accounts
1 |
./GetEnterpriseAppsReport.ps1 |
Running this script will export a report on all enterprise applications and their owners in your tenant.
Method 2: You also have the option to run the script using certificate-based authentication, which is schedular-friendly. When you want to run the script unattended, you can choose this method.
To use certificates, you must register the app in Microsoft Entra that helps you connect to MS Graph using certificate.
1 |
./GetEnterpriseAppsReport.ps1 -TenantId <TenantId> -ClientId <ClientId> -CertificateThumbprint <Certthumbprint> |
Note – Depending on your requirements, you can create a self-signed certificate.
Make the Most Out of this Script
The script provides granular enterprise app reports with flexible filtering options, allowing you to analyze various scenarios effectively, such as:
- Get a list of enterprise applications with user sign-in enabled
- Identify enterprise applications disabled for users to sign-in
- Discover hidden enterprise applications in Entra ID
- Obtain enterprise applications that are visible to all users
- View enterprise applications accessible to all users
- Track down enterprise applications limited to specific users
- Export enterprise applications with no owners
- Find all enterprise applications of your home tenant
- Generate ownership details of external tenant enterprise applications
- More granular enterprise app reports
Get a List of Enterprise Applications with User Sign-In Enabled
When sign-in is enabled for an enterprise application, users can log in and access the application using access tokens issued by Entra ID for authentication. To view enterprise applications that allow user sign-ins, execute the script with the –SigninEnabledAppsOnly parameter.
1 |
./GetEnterpriseAppsReport.ps1 -SigninEnabledAppsOnly |
The exported report lists all enterprise applications that users can sign in via the My Apps portal, the application’s user access URL, or directly through the application URL.
Identify Enterprise Applications Disabled for Users to Sign-in
When admins need to block user access to an application, disabling sign-in prevents any tokens from being issued, ensuring the app is inaccessible to users. Admins can use the –SigninDisabledAppsOnly switch to list enterprise applications with sign-in access disabled.
1 |
./GetEnterpriseAppsReport.ps1 -SigninDisabledAppsOnly |
Executing the script will generate an enterprise app report where sign-in access is restricted to users.
Discover Hidden Enterprise Applications in Entra ID
When app visibility is set to ‘No,’ the application will not appear in the ‘My Apps’ portal or Microsoft 365 launcher for any users, except those explicitly assigned to it. To identify those hidden applications, use the -HiddenApps parameter with the script.
1 |
./GetEnterpriseAppsReport.ps1 -HiddenApps |
This command generates a report of all enterprise applications that admins want to hide from the end users.
Obtain Enterprise Applications That Are Visible to All Users
To find the enterprise apps visible to all users in the ‘My Apps’ portal and Microsoft 365 launcher, run the script with the –VisibleToAllUsers parameter.
1 |
./GetEnterpriseAppsReport.ps1 -VisibleToAllUsers |
The resulting report provides a detailed list of applications that are visible to all users.
View Enterprise Applications Accessible to All Users
Enterprise apps without defined user assignments are accessible to all users, and other services may retrieve access tokens for these apps. While this simplifies access, it also increases the risk of unauthorized use or data exposure. To identify such applications, run the script with –AccessScopeToAllUsers parameter.
1 |
./GetEnterpriseAppsReport.ps1 -AccessScopeToAllUsers |
This report helps admins identify potentially overexposed apps, allowing them to refine app permission management effectively.
Track Down Enterprise Applications Limited to Specific Users
When enterprise applications have assignments configured, only the specified users can access those apps. Use the –RoleAssignmentRequiredApps parameter to export the applications that are limited only to assigned users in the organization.
1 |
./GetEnterpriseAppsReport.ps1 -RoleAssignmentRequiredApps |
This report will help you identify and review any unwanted user assignments for enterprise applications in Entra ID. If necessary, you can easily remove user access to applications within Microsoft Entra ID.
Export Enterprise Applications with No Owners
Assigning ownerships for enterprise applications depends on how the application is registered in Entra ID. Ownership for enterprise applications is assigned only when created by non-admin users. Other app registrations often lack ownership, creating governance gaps. To identify ownerless enterprise apps, run the script with the -OwnerlessApps parameter.
1 |
./GetEnterpriseAppsReport.ps1 –OwnerlessApps |
To improve application security, admins can use the ownerless enterprise app report and delegate ownerships.
Find Enterprise Applications of Your Home Tenant
To identify enterprise applications that are configured and managed by your home tenant, simply run the script using the -HomeTenantAppsOnly parameter.
1 |
./GetEnterpriseAppsReport.ps1 -HomeTenantAppsOnly |
This command generates a comprehensive report listing all the enterprise applications and their assigned owners of your home Microsoft 365 tenant.
Note: Apps registered in Entra rely on client secrets and certificates for authentication. However, client secrets and certificates for all registered applications will expire after a set period. Admins should regularly check for applications with expiring credentials and renew them to avoid disruptions in application usage.
Generate Ownership Details of Apps from External Tenants
Admins must regularly monitor third-party apps to ensure compliance and remove access to apps that are unnecessary or no longer needed. To generate a report of enterprise applications owned by external tenants in your Microsoft Entra, execute the script with the –ExternalTenantAppsOnly parameter.
1 |
./GetEnterpriseAppsReport.ps1 -ExternalTenanyAppsOnly |
The report provides a detailed list of external tenant apps and their owners, offering insights into third-party app usage for better governance and security.
More Granular Enterprise App Report
Apart from the above-mentioned use cases, you can combine specific switches to create reports that cater to your exact needs. Here’s a few more precise reports on your enterprise apps.
- Sometimes, users might see an app in the My Apps portal but be unable to sign in. To locate such apps, run the script with -SigninDisabledAppsOnly and –VisibleToAllUsers switches.
1 |
./GetEnterpriseAppsReport.ps1 -SigninDisabledAppsOnly -VisibleToAllUsers |
- To view apps that are only accessible to assigned users within your home tenant, use the –HomeTenantAppsOnly and -RoleAssignmentRequiredApps parameters together.
1 |
./GetEnterpriseAppsReport.ps1 -HomeTenantAppsOnly -RoleAssignmentRequiredApps |
- To ensure sensitive data isn’t exposed, audit external tenant apps accessible to all users with the –ExternalTenantAppsOnly and -AccessScopeToAllUsers switches.
1 |
./GetEnterpriseAppsReport.ps1 -ExternalTenantAppsOnly -AccessScopeToAllUsers |
Audit Application Activities with AdminDroid for Free
In any organization, tracking application activities is crucial for maintaining security, ensuring compliance, and managing resources effectively. AdminDroid offers a powerful solution by categorizing and auditing both third-party and custom applications, giving admins deeper insights at no cost.
AdminDroid’s Comprehensive Application Audit Reports
Here’s a few AdminDroid’s reports on application audit.
- Added Applications – Verify the application objects created.
- Updated Applications – Review the updated application objects.
- Deleted Applications – Audit the deleted application objects.
- Consent to Applications – Examine the consents given to applications.
- OAuth2 Permission Grant – Check if the OAuth2 permission grants are given.
- App Role Assignments – Evaluate the app role assignments given to users or service principals.
- Service Principal Changes – Audit the service principal changes.
- Credential Changes – Track the credentials changes performed in service principals.
- Delegation Changes – Monitor authentication changes on the applications.
- All App Operations – Audit operations performed on application objects.
Moreover, AdminDroid’s free Entra auditing tool offers 120+ reports and dashboards for free. It includes reports on user activities, sign-ins, group dynamics, password changes, etc.
But that’s not all. AdminDroid’s Microsoft 365 management tool takes it a step further, offering over 1900 pre-built reports and 30+ dashboards covering every aspect of Microsoft 365 services. From SharePoint to Exchange Online, Teams to Power BI, and Yammer, AdminDroid covers it all. Plus, enjoy a 15-day premium trial with full access to advanced features like alerting, delegation, and compliance.
Download AdminDroid today and experience the ease of comprehensive Microsoft 365 reporting!
I hope this blog has been useful in providing you with the PowerShell script to retrieve all enterprise applications and their owners efficiently. For further queries, reach out to us in the comments section.