Disable user sign-in for an application
There might be situations while configuring or managing an application where you don't want tokens to be issued for an application. Or, you might want to block an application that you don't want your employees to try to access. To block user access to an application, you can disable user sign-in for the application, which prevents all tokens from being issued for that application.
In this article, you learn how to prevent users from signing in to an application in Microsoft Entra ID through both the Microsoft Entra admin center and PowerShell. If you're looking for how to block specific users from accessing an application, use user assignment.
Prerequisites
To disable user sign-in, you need:
- A Microsoft Entra user account. If you don't already have one, you can Create an account.
- One of the following roles: Cloud Application Administrator, Application Administrator, or owner of the service principal.
Disable user sign-in using the Microsoft Entra admin center
Tip
Steps in this article might vary slightly based on the portal you start from.
- Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
- Browse to Identity > Applications > Enterprise applications > All applications.
- Search for the application you want to disable a user from signing in, and select the application.
- Select Properties.
- Select No for Enabled for users to sign-in?.
- Select Save.
Disable user sign-in using Azure AD PowerShell
You might know the AppId of an app that doesn't appear on the Enterprise apps list. For example, if you delete the app or the service principal isn't yet created because Microsoft preauthorizes it. You can manually create the service principal for the app and then disable it by using the following Azure AD PowerShell cmdlet.
Ensure you've installed the Azure AD PowerShell module (use the command Install-Module -Name AzureAD
). In case you're prompted to install a NuGet module or the new Azure AD PowerShell V2 module, type Y and press ENTER. You need to sign in as at least a Cloud Application Administrator.
# Connect to Azure AD PowerShell
Connect-AzureAD -AzureEnvironmentName AzureChinaCloud -Scopes
# The AppId of the app to be disabled
$appId = "{AppId}"
# Check if a service principal already exists for the app
$servicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
if ($servicePrincipal) {
# Service principal exists already, disable it
Set-AzureADServicePrincipal -ObjectId $servicePrincipal.ObjectId -AccountEnabled $false
} else {
# Service principal does not yet exist, create it and disable it at the same time
$servicePrincipal = New-AzureADServicePrincipal -AppId $appId -AccountEnabled $false
}
Disable user sign-in using Microsoft Graph PowerShell
You might know the AppId of an app that doesn't appear on the Enterprise apps list. For example, if you delete the app or the service principal isn't yet created due to the app because Microsoft preauthorizes it. You can manually create the service principal for the app and then disable it by using the following Microsoft Graph PowerShell cmdlet.
Ensure you install the Microsoft Graph module (use the command Install-Module Microsoft.Graph
). You need to sign in as at least a Cloud Application Administrator.
# Connect to Microsoft Graph PowerShell
Connect-MgGraph -Environment China -ClientId 'YOUR_CLIENT_ID' -TenantId 'YOUR_TENANT_ID' -Scopes "Application.ReadWrite.All"
# The AppId of the app to be disabled
$appId = "{AppId}"
# Check if a service principal already exists for the app
$servicePrincipal = Get-MgServicePrincipal -Filter "appId eq '$appId'"
# If Service principal exists already, disable it , else, create it and disable it at the same time
if ($servicePrincipal) { Update-MgServicePrincipal -ServicePrincipalId $servicePrincipal.Id -AccountEnabled:$false }
else { $servicePrincipal = New-MgServicePrincipal -AppId $appId -AccountEnabled:$false }