Microsoft Entra recommendation: Remove unused credentials from apps (preview)
Microsoft Entra recommendations is a feature that provides you with personalized insights and actionable guidance to align your tenant with recommended best practices.
This article covers the recommendation to remove unused credentials from apps. This recommendation is called StaleAppCreds in the recommendations API in Microsoft Graph.
Prerequisites
There are different role requirements for viewing or updating a recommendation. Use the least-privileged role for the type of access needed. For a full list of roles, see Least privileged roles by task.
Application credentials can include certificates and other types of secrets that need to be registered with that application. These credentials are used to prove the identity of the application. Only credentials actively in use by an application should remain registered with the application.
A credential is considered unused if:
It has not been used in the past 30 days.
It's a credential that was added to an application to be used for OAuth/OIDC flows or to the service principal for SAML flow.
The following credentials are exempted from the recommendation:
Expired credentials do not show in the Impacted resources list.
Credentials that were identified as unused but have expired since being flagged show as Completed in the Impacted resources list.
Value
Removing unused application credentials helps reduce the attack surface area and helps declutter the app portfolio of a tenant.
Action plan
This recommendation is available in the Microsoft Entra admin center and using the Microsoft Graph API.
Select the Recommendations tab and select the Remove unused credentials from applications recommendation.
Take note of the following details from the Impacted resources table.
The Resource column displays the application name.
The ID column displays the application ID.
Select More Details from the Actions column to view more details.
Note
If the origin of the credential is Service Principal, follow the guidance in the Service principals section.
From the panel that opens, select Update Credential to navigate directly to the Certificates & secrets area of the app registration to remove the unused credential.
Alternatively, browse to Identity > Applications > App registrations and select the application that was surfaced as part of this recommendation.
Then navigate to the Certificates & Secrets section of the app registration.
Locate the unused credential and remove it.
The following requests can be used to retrieve the recommendation and the impacted resources using the Microsoft Graph API. To use the Microsoft Graph API, you need the DirectoryRecommendations.Read.All and DirectoryRecommendations.ReadWrite.All permissions. For more information, see How to use Identity Recommendations.
GET https://graph.microsoft.com/beta/directory/recommendations
From the response, find the ID of the recommendation that matches the following pattern: {tenantId}_Microsoft.Identity.IAM.Insights.StaleAppCreds.
To identify impacted resources:
GET https://graph.microsoft.com/beta/directory/recommendations/{tenantId}_Microsoft.Identity.IAM.Insights.StaleAppCreds
To filter the resources based on their status (for example, active resources):
GET https://graph.microsoft.com/beta/directory/recommendations/536279f6-15cc-45f2-be2d-61e352b51eef_Microsoft.Identity.IAM.Insights.StaleAppCreds/impactedResources?$filter=status eq Microsoft.Graph.recommendationStatus'active'
Take note of the AppId, CredentialId, and origin of the credential you want to remove.
Use these Microsoft Graph APIs to add a new password or key credential:
{
    "id": "536279f6-15cc-45f2-be2d-61e352b51eef_Microsoft.Identity.IAM.Insights.StaleAppCreds",
    "recommendationType": "staleAppCreds",
    "createdDateTime": "2022-09-07T21:25:36Z",
    "impactStartDateTime": "2022-09-07T21:25:36Z",
    "postponeUntilDateTime": null,
    "lastModifiedDateTime": "2024-07-22T15:23:29Z",
    "lastModifiedBy": "System",
    "displayName": "Remove unused credentials from applications",
    "featureAreas": [
        "applications"
    ],
    "insights": "Your tenant has applications with credentials which have not been used in more than 30 days.",
    "benefits": "An application credential is used to get a token that grants access to a resource or another service.",
    "category": "identityBestPractice",
    "status": "active",
    "priority": "medium",
    "releaseType": "preview",
    "requiredLicenses": "microsoftEntraWorkloadId",
    "impactType": "apps",
    "actionSteps": [
        {
            "stepNumber": 1,
            "text": "1. For application resources, navigate to the app registration section in your tenant."
        },
        {
            "stepNumber": 2,
            "text": "2. In the ‘Certificate and Secrets’ blade, find the credential and remove it."
        },
        {
            "stepNumber": 3,
            "text": "3. To remove a credential from a service principal resource, use the MS Graph Service Principal API service action ",
            "actionUrl": {
                "displayName": "`removePassword`",
                "url": "https://docs.microsoft.com/graph/api/serviceprincipal-removepassword?view=graph-rest-1.0&tabs=http"
            }
        }
    ]
}
Service principals
If the origin of the credential is a service principal, there are a few considerations and extra steps to follow.
Because there are often multiple service principals for a single application, it may be easier to go to Enterprise apps to view everything in one place.
Search for and open the application that was surfaced as part of this recommendation.
Select Single sign-on from the side menu.
If the credential's origin is a service principal but there are SAML certificates in use, you can identify the details of the credential using the Microsoft Graph API. To use the Microsoft Graph API, you need the DirectoryRecommendations.Read.All and DirectoryRecommendations.ReadWrite.All permissions. For more information, see How to use Identity Recommendations.
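The following is an added example, not Microsoft's code or part of this article. It works through the Graph side of the action plan above offline: locate the StaleAppCreds recommendation ID in a recommendations response, build the filtered impactedResources request shown in the article, and turn each active impacted resource into the removal call it needs (removePassword on the application or, for a service principal origin, on the service principal). The sample responses are constructed; the additionalDetails key names (AppId, CredentialId, origin, CredentialType) are assumptions, since the article only says to note those values, so check them against your tenant's actual output before relying on them. Credentials that are certificates are left for the portal route the article describes, because Graph's removeKey action also needs a signed proof token.

```python
# Added example (not Microsoft's code): plan stale-credential removals from
# the StaleAppCreds recommendation, using constructed sample responses.
import re
from typing import Any, Dict, List, Optional
from urllib.parse import quote

GRAPH_BETA = "https://graph.microsoft.com/beta"
GRAPH_V1 = "https://graph.microsoft.com/v1.0"
STALE_SUFFIX = "_Microsoft.Identity.IAM.Insights.StaleAppCreds"
TENANT = "536279f6-15cc-45f2-be2d-61e352b51eef"  # tenant ID used on the page

# Constructed, trimmed sample of GET /beta/directory/recommendations.
SAMPLE_RECOMMENDATIONS: Dict[str, Any] = {
    "value": [
        {"id": f"{TENANT}_Microsoft.Identity.IAM.Insights.OtherRecommendation", "status": "active"},
        {"id": f"{TENANT}{STALE_SUFFIX}", "status": "active"},
    ]
}

# Constructed sample of .../impactedResources. Key names in additionalDetails
# are ASSUMED; verify them against real output. res-3 is "completed" because
# the credential expired after being flagged (the article's exemption rule).
def _res(rid: str, name: str, status: str, app_id: str, cred_id: str,
         origin: str, ctype: str) -> Dict[str, Any]:
    return {"id": rid, "displayName": name, "status": status, "additionalDetails": [
        {"key": "AppId", "value": app_id}, {"key": "CredentialId", "value": cred_id},
        {"key": "origin", "value": origin}, {"key": "CredentialType", "value": ctype}]}

SAMPLE_IMPACTED: Dict[str, Any] = {"value": [
    _res("res-1", "Payroll Sync", "active", "0f3b1a2c-0000-4000-8000-000000000001",
         "6a1e0c2d-0000-4000-8000-00000000aaaa", "Application", "Password"),
    _res("res-2", "HR SAML Portal", "active", "0f3b1a2c-0000-4000-8000-000000000002",
         "6a1e0c2d-0000-4000-8000-00000000bbbb", "Service Principal", "Password"),
    _res("res-3", "Legacy Reporting", "completed", "0f3b1a2c-0000-4000-8000-000000000003",
         "6a1e0c2d-0000-4000-8000-00000000cccc", "Application", "Password"),
    _res("res-4", "Batch Uploader", "active", "0f3b1a2c-0000-4000-8000-000000000004",
         "6a1e0c2d-0000-4000-8000-00000000dddd", "Application", "Certificate"),
]}


def find_stale_app_creds_id(recommendations: Dict[str, Any]) -> Optional[str]:
    """Return the recommendation ID matching {tenantId}_...StaleAppCreds, if present."""
    pattern = re.compile(r"^[0-9a-fA-F-]{36}" + re.escape(STALE_SUFFIX) + r"$")
    for rec in recommendations.get("value", []):
        if pattern.match(rec.get("id", "")):
            return rec["id"]
    return None


def impacted_resources_url(recommendation_id: str, status: str = "active") -> str:
    """Build the article's filtered impactedResources request (URL-encoded $filter)."""
    flt = f"status eq Microsoft.Graph.recommendationStatus'{status}'"
    return f"{GRAPH_BETA}/directory/recommendations/{recommendation_id}/impactedResources?$filter={quote(flt)}"


def _details(resource: Dict[str, Any]) -> Dict[str, str]:
    """Flatten the additionalDetails key/value list into a dict."""
    return {d["key"]: d["value"] for d in resource.get("additionalDetails", [])}


def plan_removals(impacted: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Produce the Graph request (or manual step) needed for each active stale credential.

    Nothing is sent; the caller reviews the plan and issues the POSTs with an
    authorized Graph client. Application and service principal entities are
    addressed by their appId alternate key, so the object ID is not needed.
    """
    plan: List[Dict[str, Any]] = []
    for res in impacted.get("value", []):
        if res.get("status") != "active":
            continue  # completed/postponed: expired since flagged, nothing to remove
        d = _details(res)
        app_id, cred_id = d.get("AppId"), d.get("CredentialId")
        if not app_id or not cred_id:
            continue
        origin = d.get("origin", "").lower()
        entity = "servicePrincipals" if origin.startswith("service") else "applications"
        if d.get("CredentialType", "").lower() == "password":
            plan.append({"resource": res["displayName"], "method": "POST",
                         "url": f"{GRAPH_V1}/{entity}(appId='{app_id}')/removePassword",
                         "body": {"keyId": cred_id}})
        else:
            # Certificates: removeKey requires a signed proof JWT, so follow the
            # article's portal route (Certificates & secrets) for these.
            plan.append({"resource": res["displayName"], "method": "MANUAL",
                         "url": f"{GRAPH_V1}/{entity}(appId='{app_id}')",
                         "body": None, "note": f"remove certificate keyId {cred_id} in Certificates & secrets"})
    return plan


if __name__ == "__main__":
    rec_id = find_stale_app_creds_id(SAMPLE_RECOMMENDATIONS)
    print(impacted_resources_url(rec_id))
    for step in plan_removals(SAMPLE_IMPACTED):
        print(step)
```

Run it as-is to see the planned calls for the constructed sample; in a real tenant, replace the sample dicts with the JSON returned by the two GET requests from the article and review the plan before issuing any POST.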