Managing enterprise applications in Microsoft Entra can be challenging, especially when you need to identify the owners of multiple apps. Without a clear view of app owners, it becomes difficult for admins to delegate ownership and ensure accountability. In this blog, we will explore the methods available to retrieve enterprise applications and their owners in Microsoft 365.
How to Get a List of Enterprise Apps and Their Assigned Owners in Microsoft Entra?
To manage and track the ownership of enterprise apps in Entra ID, use the following methods.
Get Enterprise Apps and Owners Through Microsoft Entra Admin Center
You can view all the enterprise applications and their owners in Microsoft Entra admin center by following the steps below.
- Sign in to the Microsoft Entra admin center.
- Navigate to Identity –> Applications –> Enterprise applications.
- Click on any desired application.
- To view the owners of the enterprise application, click on Owners under the ‘Manage’ section on the left.
List Enterprise Applications and Owners Using PowerShell
Alternatively, you can use the Microsoft Graph PowerShell cmdlet Get-MgServicePrincipalOwner to retrieve the owners of an enterprise application.
After connecting to Microsoft Graph PowerShell, retrieve the list of enterprise applications using the following cmdlet.
Get-MgServicePrincipal -All
To extract the owners of an enterprise application, execute the following with the service principal ID.
Get-MgServicePrincipalOwner -ServicePrincipalId <ID>
The Challenge: While these methods work, they require either manually checking each application in the portal or running the cmdlet for every individual app. This approach can be highly time-consuming when managing multiple enterprise applications.
To address this challenge, we have crafted a PowerShell script where you can export all enterprise applications and their owners in no time. This script not only saves time but also provides additional insights, such as sign-in status, visibility, and role assignments, all in one go.
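The two cmdlets above can be combined into a single pass that resolves the owners of every service principal and writes the report attributes listed further down (sign-in status, visibility, assignment requirement, app origin). This is an added example, not the blog's GetEnterpriseAppsReport.ps1; the output file name is an assumption, and the "hidden" check relies on the HideApp tag that Entra sets on a service principal when visibility is turned off.

```powershell
# Added example (not the blog's script): enumerate every service principal once,
# resolve its owners, and write one CSV row per enterprise app.
# Requires the Microsoft Graph PowerShell SDK; Application.Read.All is enough to
# read service principals and their owners.
Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

$homeTenantId = (Get-MgContext).TenantId
$outFile = "EnterpriseAppsOwners.csv"   # assumed output path

$report = foreach ($sp in Get-MgServicePrincipal -All) {
    # Owners come back as directoryObjects; user fields live in AdditionalProperties.
    $owners = Get-MgServicePrincipalOwner -ServicePrincipalId $sp.Id -All |
        ForEach-Object {
            if ($_.AdditionalProperties.userPrincipalName) { $_.AdditionalProperties.userPrincipalName }
            elseif ($_.AdditionalProperties.displayName)   { $_.AdditionalProperties.displayName }
            else { $_.Id }
        }

    [pscustomobject]@{
        'Enterprise App Name'      = $sp.DisplayName
        'App Id'                   = $sp.AppId
        'App Owners'               = if ($owners) { $owners -join '; ' } else { 'No owners' }
        'User Sign-in Allowed'     = $sp.AccountEnabled
        # The HideApp tag is what "Visible to users = No" sets on the service principal
        'User Visibility'          = if ($sp.Tags -contains 'HideApp') { 'Hidden' } else { 'Visible' }
        'Role Assignment Required' = $sp.AppRoleAssignmentRequired
        'Service Principal Type'   = $sp.ServicePrincipalType
        'App Origin'               = if ($sp.AppOwnerOrganizationId -eq $homeTenantId) { 'Home tenant' } else { 'External tenant' }
        'App Org Id'               = $sp.AppOwnerOrganizationId
    }
}

$report | Export-Csv -Path $outFile -NoTypeInformation

# Governance checks over the same data, without re-querying Graph:
# apps nobody is accountable for, and external apps any user can obtain a token for.
$ownerless    = $report | Where-Object { $_.'App Owners' -eq 'No owners' }
$openExternal = $report | Where-Object { $_.'App Origin' -eq 'External tenant' -and -not $_.'Role Assignment Required' }
"Total apps: $($report.Count); ownerless: $($ownerless.Count); external apps open to all users: $($openExternal.Count)"
```

The same filters the blog's switches expose (sign-in disabled, hidden, ownerless, home or external tenant) are plain Where-Object clauses over the $report objects, so further reports cost no extra Graph calls.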
Download Script: GetEnterpriseAppsReport.ps1
Script Highlights
- The script exports all enterprise apps along with their owners in Microsoft Entra.
- Generates report for sign-in enabled applications alone.
- Exports report for sign-in disabled applications only.
- Filters applications that are hidden from all users except assigned users.
- Provides the list of applications that are visible to all users in the organization.
- Lists applications that are accessible to all users in the organization.
- Identifies applications that can be accessed only by assigned users.
- Fetches the list of ownerless applications in Microsoft Entra.
- Assists in filtering home tenant applications only.
- Exports applications from external tenants only.
- The script uses MS Graph PowerShell and installs MS Graph PowerShell SDK (if not installed already) upon your confirmation.
- Exports the report result to CSV.
- The script can be executed with an MFA enabled account too.
- It can be executed with certificate-based authentication (CBA) too.
- The script is scheduler-friendly.
Enterprise Applications and Their Owners Report – Sample Output
The script exports enterprise applications and their owners along with the following attributes:
- Enterprise App Name
- App Id
- App Owners
- App Creation Time
- User Sign-in Allowed
- User visibility
- Role Assignment Required
- Service Principal Type
- App Registration Name
- App Origin
- App Org Id
The exported ‘Enterprise applications and their owners’ report looks like the screenshot below.
Enterprise Applications and Their Owners Report – Script Execution Methods
- Download the script.
- Start the Windows PowerShell.
- Select any of the methods provided to execute the script.
Method 1: You can run the script with MFA and non-MFA accounts
./GetEnterpriseAppsReport.ps1
Running this script will export a report on all enterprise applications and their owners in your tenant.
Method 2: You also have the option to run the script using certificate-based authentication, which is scheduler-friendly. When you want to run the script unattended, you can choose this method.
To use certificates, you must register an app in Microsoft Entra and use it to connect to MS Graph with a certificate.
./GetEnterpriseAppsReport.ps1 -TenantId <TenantId> -ClientId <ClientId> -CertificateThumbprint <Certthumbprint>
Note – Depending on your requirements, you can create a self-signed certificate.
Make the Most Out of this Script
The script provides granular enterprise app reports with flexible filtering options, allowing you to analyze various scenarios effectively, such as:
- Get a list of enterprise applications with user sign-in enabled
- Identify enterprise applications disabled for users to sign-in
- Discover hidden enterprise applications in Entra ID
- Obtain enterprise applications that are visible to all users
- View enterprise applications accessible to all users
- Track down enterprise applications limited to specific users
- Export enterprise applications with no owners
- Find all enterprise applications of your home tenant
- Generate ownership details of external tenant enterprise applications
- More granular enterprise app reports
Get a List of Enterprise Applications with User Sign-In Enabled
When sign-in is enabled for an enterprise application, users can log in and access the application using access tokens issued by Entra ID for authentication. To view enterprise applications that allow user sign-ins, execute the script with the -SigninEnabledAppsOnly parameter.
./GetEnterpriseAppsReport.ps1 -SigninEnabledAppsOnly
The exported report lists all enterprise applications that users can sign in to via the My Apps portal, the application’s user access URL, or directly through the application URL.
Identify Enterprise Applications Disabled for Users to Sign-in
When admins need to block user access to an application, disabling sign-in prevents any tokens from being issued, ensuring the app is inaccessible to users. Admins can use the -SigninDisabledAppsOnly switch to list enterprise applications with sign-in access disabled.
./GetEnterpriseAppsReport.ps1 -SigninDisabledAppsOnly
Executing the script will generate an enterprise app report where sign-in access is restricted to users.
Discover Hidden Enterprise Applications in Entra ID
When app visibility is set to ‘No,’ the application will not appear in the ‘My Apps’ portal or Microsoft 365 launcher for any users, except those explicitly assigned to it. To identify those hidden applications, use the -HiddenApps parameter with the script.
./GetEnterpriseAppsReport.ps1 -HiddenApps
This command generates a report of all enterprise applications that admins want to hide from the end users.
Obtain Enterprise Applications That Are Visible to All Users
To find the enterprise apps visible to all users in the ‘My Apps’ portal and Microsoft 365 launcher, run the script with the -VisibleToAllUsers parameter.
./GetEnterpriseAppsReport.ps1 -VisibleToAllUsers
The resulting report provides a detailed list of applications that are visible to all users.
View Enterprise Applications Accessible to All Users
Enterprise apps without defined user assignments are accessible to all users, and other services may retrieve access tokens for these apps. While this simplifies access, it also increases the risk of unauthorized use or data exposure. To identify such applications, run the script with the -AccessScopeToAllUsers parameter.
./GetEnterpriseAppsReport.ps1 -AccessScopeToAllUsers
This report helps admins identify potentially overexposed apps, allowing them to refine app permission management effectively.
Track Down Enterprise Applications Limited to Specific Users
When enterprise applications have assignments configured, only the specified users can access those apps. Use the -RoleAssignmentRequiredApps parameter to export the applications that are limited to assigned users in the organization.
./GetEnterpriseAppsReport.ps1 -RoleAssignmentRequiredApps
This report will help you identify and review any unwanted user assignments for enterprise applications in Entra ID. If necessary, you can easily remove user access to applications within Microsoft Entra ID.
Export Enterprise Applications with No Owners
Assigning ownership for enterprise applications depends on how the application is registered in Entra ID. Ownership is assigned automatically only when a non-admin user creates the application. Other app registrations often lack ownership, creating governance gaps. To identify ownerless enterprise apps, run the script with the -OwnerlessApps parameter.
./GetEnterpriseAppsReport.ps1 -OwnerlessApps
To improve application security, admins can use the ownerless enterprise app report and delegate ownerships.
Find Enterprise Applications of Your Home Tenant
To identify enterprise applications that are configured and managed by your home tenant, simply run the script using the -HomeTenantAppsOnly parameter.
./GetEnterpriseAppsReport.ps1 -HomeTenantAppsOnly
This command generates a comprehensive report listing all the enterprise applications and their assigned owners of your home Microsoft 365 tenant.
Note: Apps registered in Entra rely on client secrets and certificates for authentication. However, client secrets and certificates for all registered applications will expire after a set period. Admins should regularly check for applications with expiring credentials and renew them to avoid disruptions in application usage.
Generate Ownership Details of Apps from External Tenants
Admins must regularly monitor third-party apps to ensure compliance and remove access to apps that are unnecessary or no longer needed. To generate a report of enterprise applications owned by external tenants in your Microsoft Entra, execute the script with the -ExternalTenantAppsOnly parameter.
./GetEnterpriseAppsReport.ps1 -ExternalTenantAppsOnly
The report provides a detailed list of external tenant apps and their owners, offering insights into third-party app usage for better governance and security.
More Granular Enterprise App Report
Apart from the above-mentioned use cases, you can combine specific switches to create reports that cater to your exact needs. Here are a few more precise reports on your enterprise apps.
- Sometimes, users might see an app in the My Apps portal but be unable to sign in. To locate such apps, run the script with the -SigninDisabledAppsOnly and -VisibleToAllUsers switches.
./GetEnterpriseAppsReport.ps1 -SigninDisabledAppsOnly -VisibleToAllUsers
- To view apps that are only accessible to assigned users within your home tenant, use the -HomeTenantAppsOnly and -RoleAssignmentRequiredApps parameters together.
./GetEnterpriseAppsReport.ps1 -HomeTenantAppsOnly -RoleAssignmentRequiredApps
- To ensure sensitive data isn’t exposed, audit external tenant apps accessible to all users with the -ExternalTenantAppsOnly and -AccessScopeToAllUsers switches.
./GetEnterpriseAppsReport.ps1 -ExternalTenantAppsOnly -AccessScopeToAllUsers
I hope this blog has been useful in providing you with the PowerShell script to retrieve all enterprise applications and their owners efficiently. For further queries, reach out to us in the comments section.