Summary:
When reviewing a risky application, admins must decide whether to temporarily block access to the app or disable the app across all tenants. This post outlines the two ways of blocking user access (deactivation and disabling user sign-in to apps), with step-by-step actions and bulk operations. It explains the differences, how each option impacts application access, and when to use them.
Applications in Microsoft Entra ID are central to day-to-day operations in Microsoft 365. Along with Microsoft-managed apps, tenants rely on custom applications and third-party SaaS apps to support business-specific needs. Managing these applications effectively is essential to protect resources and maintain security.
When such applications become risky or unused, admins often consider deleting them. However, deletion permanently removes the app’s configuration, including permissions, secrets, and integrations. Although app restoration is possible, it is available for only 30 days. After the duration, the app will be permanently deleted and can’t be restored.
In such cases, blocking access to the app is a safer approach, as it prevents usage while preserving all configurations. You can reactivate anytime and you will get back all the existing permissions, certificates, secrets, etc.
Admins can restrict access to application in two ways:
- Deactivating the application – It is used to stop access to the app across all tenants.
- Disabling user sign-in – It restricts app access within a specific tenant, and the app remains accessible to users in other tenants.
In this blog, you will learn the differences of both actions, and how to perform them in Microsoft 365.
What is App Deactivation and Disable User Sign-ins in Entra ID?
Before exploring the concepts, let’s revisit the basics (these two terms will be used frequently in this blog): app registration vs enterprise apps in Entra ID as it is the core difference in blocking user access.
App registrations: This is where applications are registered in Entra ID to work with Microsoft’s identity services. Registering an app creates its identity, and you can define how it can sign in, request permissions, and connect to Microsoft services. Here, all organization-owned applications are managed and securely granted access to tenant data.
Enterprise apps: When an application is added or consented to in a tenant, a service principal is created locally for using the application. Admins can control the app’s sign-ins, permissions, and policies within the tenant. All the apps used and consented to the tenant will be listed in Enterprise apps.
Now, let’s explore deactivation and disable user sign-ins in Entra ID applications.
Deactivate and Entra ID Application
This action is used to stop the app from working in every tenant where it’s been used while preserving all the app configurations intact. It can be taken only on app registrations by admins or app owners.
Disable User Sign-in to an Application in Entra
This action is used to control user access to an app within a specific tenant, whereas other tenant users remain unaffected. It can be taken on all apps listed under enterprise applications in Entra ID.
For example, If the user is blocked to access the app in your tenant, they can access the same app in other tenants.
Hope this gives you a clear idea on the two ways of blocking app access. The detailed differences between app deactivation vs disabling sign-ins are covered in a table at the bottom of the blog for better clarification and easy understanding.
Prerequisites for blocking access to an Entra application:
Before proceeding with the steps, make sure you must have a Cloud app administrator/Application administrator role/owner of service principal.
API permissions:
- Application.ReadWrite.All (delegated or application)
- Application.ReadWrite.OwnedBy (application, for owned apps only)
For deactivating an application, you must have ‘Application.ReadWrite.OwnedBy’ permission along with other permissions. Likewise, for disabling sign-in, you must be the owner of service principal.
Let’s explore how to deactivate, activate, and disable applications in Entra ID with detailed steps.
- How to deactivate applications in Microsoft Entra
- Reactivate applications in Microsoft Entra
- How to disable Enterprise applications in Microsoft 365
- How to enable enterprise application after disabling it
Deactivate an Entra ID Application in Microsoft 365
When an app registered in your tenant and is used by multiple tenants is compromised, deactivating the enterprise app would be ideal. As the compromise affects the app itself, deactivation cuts off access to the app across tenants.
The below happens when you deactivate the application in Entra:
- Block user access globally to prevent further exposure in every tenant.
- No new tokens will be issued across all tenants.
- All the existing configurations, secrets, and permissions are preserved.
- Existing tokens may work until expiry. So, you need to manually revoke sessions after deactivation to block access instantly.
After the app deactivation, you should follow proper steps like rotation secrets and certifications, and revisit permission grants.
For deactivating an Entra ID application, you can use PowerShell or Graph explorer tool.
How to Deactivate an Entra ID Application Using PowerShell
- Firstly, connect to Microsoft Graph using the below cmdlet.
1Connect-MgGraph -Scopes "Application.ReadWrite.All" - Deactivate an application:
Using the ‘Update-MgApplication’ cmdlet, you can deactivate an enterprise application in Entra ID.
1Update-MgApplication –ApplicationId <Objectid> –BodyParameter @{ isDisabled = $true }
Replace the <Objectid> with the real object ID. You can copy paste the Object ID from the App registrations page in Entra Admin Center.
Also, you can use the below cmdlet to get the object ID. It is the original object ID of the application to be used for app deactivation.
12$app = Get-MgApplication -Filter "appId eq '<appId>'"$app.Id
Replace the <appId> with your app client id from the app registration page. Using the client ID, you will get the respective app object id. - Verify application deactivation in Entra ID:
To check whether an application is deactivated in Entra ID, you can use either Entra admin center or PowerShell.
- Navigate to Entra Admin Center –> Entra ID –> App registrations.
- Click on the deactivated app. A warning says “This app is deactivated. You can still manage it but you can’t issue new tokens for it.”
It means the app is successfully blocked everywhere, and new tokens can’t be issued. Still, admins or app owners can manage the application, such as configurations, permissions, and secrets from the app registration page.
Run the below cmdlet to confirm the application is stopped in Entra ID using PowerShell. Please note that for checking app shutdown using PowerShell, you need to use beta module as the property ‘isDisabled’ is not available in the v1.0 version.
|
1 |
Get-MgBetaApplication -ApplicationId <appid> | Select-Object DisplayName,@{N='IsDisabled';E={$_.AdditionalProperties['isDisabled']}} |
How to Deactivate Multiple Applications in Microsoft Entra
During maintenance, deactivating all the applications is essential to block access across all tenants for a certain duration. Once the process is completed, you can again reactivate the application with all existing configurations.
To deactivate Entra ID applications in bulk, run the below code. Before that, you need to create a CSV file with a list of application names and client id that you want to deactivate. Ensure you have the column name as ‘ApplicationName’ and ‘ClientId’ in the CSV file as shown below.
Sample Input:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 |
$results = Import-Csv "<filepath>" | ForEach-Object { $row = $_ $clientId = $row.ClientId.Trim() if ([string]::IsNullOrWhiteSpace($clientId)) { return [PSCustomObject]@{ ApplicationName = $row.ApplicationName Status = "Skipped"} } try { $app = Get-MgApplication -Filter "appId eq '$clientId'" if (-not $app) { throw "Application ID not found" } Update-MgApplication -ApplicationId $app.Id -BodyParameter @{ isDisabled = $true } return [PSCustomObject]@{ ApplicationName = $app.DisplayName Status = "Deactivated" } } catch { return [PSCustomObject]@{ ApplicationName = $row.ApplicationName Status = "Not Found or Error" } } } $results | Export-Csv ".\App_Deactivation_Result.csv" -NoTypeInformation -Encoding UTF8 |
Replace the ‘<filepath> with the exact path of the CSV input file.
Sample Output:
What happens when a user tries to access a deactivated enterprise application?
For user experience, I have used an application registered to use with PnP PowerShell. After deactivating the application, if a user tries to access a site using PnP PowerShell with this app’s client Id, the below error will be shown.
How to Find Deactivated Applications in Microsoft Entra ID?
Reviewing deactivated applications in Microsoft 365 is essential to maintain app lifecycle integrity and will be helpful when you want to reactivate the applications in bulk.
To export the deactivated applications report in Microsoft Entra ID, you must connect to Microsoft Graph and run the below cmdlet.
|
1 |
Get-MgApplication -Filter "isDisabled eq true" | Select-Object DisplayName, AppId | Export-Csv -Path ".\DeactivatedApplications.csv" -NoTypeInformation |
Activate an Enterprise Application in Microsoft 365
If an application is deactivated temporarily, you can activate the app whenever required using the below cmdlet.
|
1 |
Update-MgApplication –ApplicationId <ObjectId> –BodyParameter @{ isDisabled = $false } |
Replace the <ObjectId> with the real object id of the application.
For bulk Entra ID app activation, you can use the same code given for bulk app deactivation and replace the value ‘isDisabled = $false’. Also, you can modify the write-Host text accordingly as shown below.
Disable an Enterprise Application in Microsoft 365
Apps are the key targets for attackers seeking access to organizational details. If admins find any suspicious sign-ins to an application in their tenant, the first step is to disable user sign-ins to app to prevent access to the app within a tenant.
The below will happen when you disable sign-in to an enterprise application:
- Blocks user access within specific tenant while other tenants using the app remain accessible.
- No new tokens will be issued for the specific tenant.
- Existing configurations, permissions, and secrets will be preserved until re-enabling the app.
- Existing sessions may work until token expiry. You need to revoke sessions to block access immediately.
After the investigation, based on the results and the severity, you can choose whether the app should be deactivated . If the app is not registered to your tenant, you can continue disabling sign-in to the app to avoid access within your tenant.
Disabling user sign-in to an enterprise application can be done either via Entra admin center or PowerShell.
How to Disable User Sign-in to Enterprise Applications Using Entra Admin Center
Follow the below steps to disable user access to an enterprise application in Entra ID.
- Navigate to Microsoft Entra admin center –> Entra ID –> Enterprise apps.
- Select the application that you want to disable user sign-ins.
- Choose properties under ‘Manage’. Move the toggle to ‘No’ near ‘Enabled for users to sign-in?’ option.
- Click Save to disable the service principal for the app.
The above option disables all users in your tenant from accessing the app. If you want to restrict specific users from accessing an application, you can remove required users from user and group assignment. This will be helpful in scenarios where specific set of users in your tenant are compromised or under investigations, and you want to prevent them only from accessing applications in Entra ID.
Disable User Sign-in to Enterprise Applications Using PowerShell
To disable an client application in your tenant, you can use the ‘Update-MgServicePrincipal’ PowerShell cmdlet as shown below.
|
1 |
Update-MgServicePrincipal -ServicePrincipalId "<objectid>" -AccountEnabled:$false |
Replace the ‘<objectid>’ with the Object ID available on the app overview page under ‘Enterprise applications’.
How to Disable User Sign-ins for Multiple Enterprise Applications
If your organization is undergoing maintenance or migration, admins can temporarily disable user sign-ins to multiple applications to prevent access during the process.
If you want to disable user sign-ins for multiple applications, you can use the below code. Also, the same CSV input file used for deactivation can also be used here as both uses client id of the application which is same for app registrations and enterprise apps.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 |
$results = Import-Csv "<filepath>" | ForEach-Object { $row = $_ $clientId = $row.ClientId.Trim() if ([string]::IsNullOrWhiteSpace($clientId)) { return [PSCustomObject]@{ ApplicationName = $row.ApplicationName Status = "Skipped" } } try { $sp = Get-MgServicePrincipal -Filter "appId eq '$clientId'" if (-not $sp) { throw "Service Principal not found" } Update-MgServicePrincipal ` -ServicePrincipalId $sp.Id ` -AccountEnabled:$false return [PSCustomObject]@{ ApplicationName = $sp.DisplayName Status = "Sign-in Disabled" } } catch { return [PSCustomObject]@{ ApplicationName = $row.ApplicationName Status = "Not Found or Error" } } } $results | Export-Csv ".\Signin_Disable_Result.csv" -NoTypeInformation -Encoding UTF8 |
Replace the ‘<filepath> with the exact path of the CSV input file.
Sample Output:
Export Disabled Application Report in Entra ID
To export a report on sign-in disabled applications in Entra ID, run the below cmdlet after connecting to Microsoft Graph. This report will list all the applications with user sign-in disabled in your tenant.
|
1 |
Get-MgServicePrincipal -Filter "accountEnabled eq false" -All | Select-Object DisplayName, AppId | Export-Csv ".\EnterpriseApps_SignInDisabled.csv" -NoTypeInformation |
How to Enable Enterprise Application After Disabling It?
If your organization is under migration, you might disable user sign-in to specific apps or all enterprise apps. Once the migration is over, they need to re-enable user access to applications for better integrations. Admins can re-enable user sign-in by using either Entra admin center or PowerShell.
For enabling user sign-in to an Entra ID application, go to Entra admin center –> Entra ID –> Enterprise apps. Click on the app you want to re-enable sign-in and move the “Enabled for users to sign-in” toggle to ‘Yes’ as shown below.
If you want to enable user sign-ins to Entra ID applications using PowerShell, just replace ‘$false’ with ‘$true’ in the ‘AccountEnabled’ parameter as shown below.
|
1 |
Update-MgServicePrincipal -ServicePrincipalId "<objectid>" -AccountEnabled:$true |
You can also enable user sign-ins for multiple applications by using the same bulk disable code by modifying status and the parameter ‘AccountEnabled:$true’. You will get the output as shown below.
Difference Between Deactivate Entra ID Application and Disabling Sign-in
In general, deactivating or disabling sign-in to the apps that integrate with Entra ID both seems to give the same outcome “preventing users from accessing an application”. But the differences rely on the impacts created by them. Refer the below table to find the difference between them precisely.
| Differences | App Deactivation | Disabling User Sign-in to Applications |
| Scope | Applies to the application globally (across all tenants) | Applies to the app only within the specific tenant. |
| Where is the action applied? | App registrations |
Enterprise applications (service principal ) |
| Primary Purpose | Stops the application everywhere – Blocks access in every tenant. | Temporarily block access to the app in a specific tenant. |
| User Access | Users can’t access the application anywhere. | Users can’t access the app only within the disabled tenant. |
| Existing Sessions | Existing sessions will work for a short period until the token expires. It does not revoke the existing sessions, so you need to do it manually. No new tokens can be issued. |
Users can be able to access for a short period using existing tokens until it expires. It does not revoke the existing sessions, so you need to do it manually. No new tokens will be issued. |
| App Owner Accessibility | App owners can’t access the app but can manage secrets, certificates, and permissions using app registrations. | App owners can’t access the app within the tenant, but it remains accessible in other tenants. Also, they can manage the secrets and permissions using app registrations. |
| What can be retained? | Previous secrets, configurations, and permissions are retained. | Previous secrets, configurations, and permissions are retained. |
| When to choose the action? | When a multi-tenant app is compromised with a high-level risk factor, deactivating the app is essential to stop the app everywhere immediately.
|
If any unapproved app has been used in your tenant, disabling sign-in to the application is required until the completion of investigation and app removal. |
I hope this blog helped you to understand the difference between deactivation vs disabling user’s sign-in to Entra ID applications and how to do it in Microsoft 365. For queries, contact us through the comment section!
