Forum Discussion
How to check if a Microsoft Enterprise app is in use based on the last 90 days of usage data.
Hello Team,
Our organization has deployed over 1,000 enterprise applications, but we are uncertain about how many are actively in use. We plan to disable and delete the applications that have not been utilized in the last 90 days. Since Entra retains logs for only 30 days, we are sending these activity logs to Log Analytics for extended retention. We are now using KQL queries to assess the utilization of these enterprise applications based on various authentication mechanisms, including user interactive sign-ins, non-interactive sign-ins, service principal sign-ins, and managed identity sign-ins. Microsoft has provided a dashboard which is currently in preview state.
Would like to understand if there is any other way to analyze the utilization of these enterprise applications. Looking forward for your valuable suggestions.
Thanks in Advance.
Sunil Kumar Cherukuri
3 Replies
You can use the servicePrincipalSignInActivities report: https://learn.microsoft.com/en-us/graph/api/reportroot-list-serviceprincipalsigninactivities?view=graph-rest-beta&tabs=http
It gives you data on when the given SP was last used, which goes well beyond the 30 days you get from logs.
Thanks for your reply VasilMichev
I am running KQL queries to obtain usage details of enterprise applications for the last 90 days based on the mentioned sign-in activities. Besides sign-in activities, I would like to know if there are other mechanisms, such as API permissions, used by the service principal.
Hello VasilMichev
Thanks for your reply on the discussion.
I am running KQL queries to obtain usage details of enterprise applications for the last 90 days based on the mentioned sign-in activities. Besides sign-in activities, I would like to know if there are other mechanisms, such as API permissions, used by the service principal.
