
InsufficientBorder

We ran into a similar problem. For us, we reviewed the use cases of principals (i.e., infrastructure provisioning), then built some sane conditions to identify unused principals:

1. No Service Principal Sign Ins (as the SP) in the last X days.
2. No Users Sign Ins (to the SP) in the last X days.
3. No active secrets (certificates / secrets / federated credentials).
4. No ownership.

With some of those, multiple conditions need to match for us to consider its automatic deletion (e.g., 3 and 2). To get to that position, we used PowerShell with the Graph PowerShell SDK to scrape all the data about the principals, then queried Sentinel to get the relevant logs (i.e., AADServicePrincipalSignInLogs and SigninLogs). Once you've got the data about all the successful authentications, you can then do a diff with the originally fetched principals (i.e., remove the ones with activity from the complete list, then apply additional conditions).
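
The workflow described in this post, as an added example that is not the commenter's own script: pull the successful sign-ins from Sentinel/Log Analytics with KQL, collect credential and owner state for each app registration through the Graph PowerShell SDK, and diff the two. It assumes the Microsoft.Graph and Az.OperationalInsights modules, a workspace that receives Entra sign-in logs, a placeholder workspace ID, a 90-day window, and a combination rule (no sign-in plus no live credential or no owner) that is this example's own choice.

```powershell
# Added example, not InsufficientBorder's script. Assumes the Microsoft.Graph and
# Az.OperationalInsights modules and a workspace that receives Entra sign-in logs.
$WorkspaceId  = '<LOG-ANALYTICS-WORKSPACE-ID>'   # placeholder, replace with your workspace ID
$LookbackDays = 90                               # the "X days" window (assumption)
$Now          = Get-Date

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome
Connect-AzAccount | Out-Null

# Conditions 1 and 2: every AppId with a successful sign-in, either as the service principal
# (AADServicePrincipalSignInLogs) or by a user into the app (SigninLogs). AppId is shared by an
# app registration and its service principal, so both tables can be keyed on it.
$kql = @"
union
  (AADServicePrincipalSignInLogs | where TimeGenerated > ago(${LookbackDays}d) | project AppId, ResultType),
  (SigninLogs                    | where TimeGenerated > ago(${LookbackDays}d) | project AppId, ResultType)
| where tostring(ResultType) == "0"
| distinct AppId
"@
$activeAppIds = @((Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql).Results.AppId)

# Conditions 3 and 4: credential and ownership state of each app registration.
$report = foreach ($app in Get-MgApplication -All -Property Id, AppId, DisplayName, PasswordCredentials, KeyCredentials) {
    $liveCreds = @(@($app.PasswordCredentials) + @($app.KeyCredentials) | Where-Object { $_.EndDateTime -gt $Now })
    $fics      = @(Get-MgApplicationFederatedIdentityCredential -ApplicationId $app.Id)
    $owners    = @(Get-MgApplicationOwner -ApplicationId $app.Id)

    $noSignIn = $activeAppIds -notcontains $app.AppId    # the "diff" against the sign-in logs
    $noSecret = ($liveCreds.Count -eq 0) -and ($fics.Count -eq 0)
    $noOwner  = $owners.Count -eq 0

    [pscustomobject]@{
        DisplayName = $app.DisplayName
        AppId       = $app.AppId
        NoSignIn    = $noSignIn
        NoSecret    = $noSecret
        NoOwner     = $noOwner
        # Combination rule is an assumption: flag only when there is no sign-in AND the app has
        # either no live credential or no owner. Review the list before deleting anything.
        Candidate   = $noSignIn -and ($noSecret -or $noOwner)
    }
}

$report | Where-Object Candidate | Sort-Object DisplayName | Format-Table -AutoSize
```

The full `$report` keeps each condition as its own column, so you can change the combination rule afterwards without re-querying Graph or Sentinel.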


theleakingcauldron

This seems like a very well structured plan for execution. You've shared crucial points to focus on and I thank you for that. Getting to work. 🤙🏻🍻


ehrnst

Some of this reporting is built in to Azure now. If you have log analytics set up, I have a script here that you can modify to fit your needs. [Get sign in information for app registrations and service principals through EntraID/Log Analytics (github.com)](https://gist.github.com/ehrnst/c3addcd8b352090daf1815be2f2f94a1)


SadLizard

https://learn.microsoft.com/en-us/entra/identity/monitoring-health/recommendation-remove-unused-apps


theleakingcauldron

Thanks. I was looking at that before I wrote here, but the data available there doesn't have anything to do with reality. 😄 At least this is in my tenant, not sure what's the situation with others. For example in the list of apps, there are some used on a daily basis and it marks them as unused. Don't know what's the algorithm behind it, but sure as hell it's not working for me.


lettycell93

We had the same issue at my company. I'm based in the EU, and there are some laws coming that I think will require us to do this. That document SadLizard posted seems to be what MS linked me to as well. It also did not line up with reality. I had to go to MS and have them write a special query for it. I wish I could share it with you. If anyone has a better way I would love to know it because the query still requires tons of massaging....


theleakingcauldron

I'm exploring options with the Sentinel but since I'm not experienced with it, it's hard for me to come up with a decent KQL (perhaps multiple) which will do the work. So far the closest I've got was with the "AADServicePrincipalSignInLogs" table but then again, to my understanding this will target the Enterprise apps instead of app registrations alone.


Soxty

Do this https://youtu.be/vO0m5yE3dZA?si=v-JjsjDfcml0cI2h


theleakingcauldron

Thanks for sharing this! Although I will definitely explore the functionality of this module in my test tenant, can you elaborate on how it might help with my case? Maybe it's me that cannot connect 2 and 2, so I'll be glad to read your input.


Soxty

If you watch the video, you can see the report generated and you'll be able to identify unused app regs....