| title | Recommendation to remove unused apps |
|---|---|
| description | Learn how the Microsoft Entra recommendation to remove unused apps works and why you should follow the guidance. |
| ms.topic | how-to |
| ms.date | 01/07/2026 |
| ms.reviewer | saumadan |
Microsoft Entra recommendations is a feature that provides you with personalized insights and actionable guidance to align your tenant with recommended best practices.
This article covers the recommendation to investigate unused applications. This recommendation is called staleApps in the recommendations API in Microsoft Graph.
Note
With Microsoft Security Copilot, you can use natural language prompts to get insights on unused applications. Learn more about how to Assess application risks using Microsoft Security Copilot.
This recommendation shows up if your tenant has applications that haven't been used for over 90 days. The following scenarios are included in this recommendation:
- The app was created but never used.
- The app isn't soft deleted from the application portfolio.
- The app isn't used by the tenant where it resides or by any of its instances (service principals) in other tenants.
- It's a client app that calls other resource apps, but hasn't been issued any tokens in the past 90 days.
- It's a resource app that doesn't have a record of any client apps requesting a token in the past 90 days.
The following apps are exempted from this recommendation:
- Apps that are managed by Microsoft, including anything created or modified by Microsoft-owned applications.
- Apps that work with other apps to obtain tokens or are used to enable scenarios that don't require tokens.
- For example, Peer-to-peer server, Application proxy, Microsoft Entra Cloud Sync, linked single-sign-on, password SSO, Office add-ins, and managed identities are excluded from this recommendation.
- Apps that were created within the past 90 days.
Removing unused applications helps reduce the attack surface area and helps clean up the app portfolio of a tenant.
This recommendation is available in the Microsoft Entra admin center and using the Microsoft Graph API. Once you identify the applications that aren't being used, you can decide whether to remove them or keep them based on your organization's needs. The action plan is therefore broken down into two parts:
- Review the applications that are flagged as unused.
- Determine if the application is needed and how to address it.
Applications identified by the recommendation appear in the list of Impacted resources at the bottom of the recommendation.
- Sign in to the Microsoft Entra admin center as at least a Security Administrator.
- Browse to Entra ID > Overview.
- Select the Recommendations tab and select the Remove unused applications recommendation.
- From the Impacted resources table, select More details to view more details.
- Select the Resource link to go directly to the app registration for the app.
- Alternatively, you can browse to Entra ID > App registrations and locate the application that was surfaced as part of this recommendation.
There are many reasons why an app might be unused. Consider the app's usage scenario and business function. For example:
- Was the app deprecated?
- Is the app used for a business function that only happens at certain times of the year?
To remove the application:
- Soft delete the app from your tenant.
- Wait 15 days and then permanently delete the app.
To indicate the application is still needed and skip the recommendation:
- Update the recommendation status to dismissed or postponed.
- Use dismissed if you determine that the app will remain inactive for the rest of its lifecycle.
- Use dismissed if you think the app was included in the recommendation in error.
- Use postponed if you need more time to review the app.
The following requests can be used to retrieve the recommendation and the impacted resources using the Microsoft Graph API. To use the Microsoft Graph API, you need the DirectoryRecommendations.Read.All and DirectoryRecommendations.ReadWrite.All permissions. For more information, see How to use Identity Recommendations.
- Sign in to Graph Explorer.
- Select GET as the HTTP method from the dropdown.
To retrieve all recommendations for your tenant:
GET https://graph.microsoft.com/beta/directory/recommendations
From the response, find the ID of the recommendation that matches the following pattern: {tenantId}_staleApps.
To identify impacted resources:
GET https://graph.microsoft.com/beta/directory/recommendations/{tenantId}_staleApps
To filter the resources based on their status (for example, active resources):
GET https://graph.microsoft.com/beta/directory/recommendations/{tenantId}_staleApps/impactedResources?$filter=status eq Microsoft.Graph.recommendationStatus'active'
Identify the applicationObjectId or appId of the unused app you want to delete.
{
"id": "ccccdddd-2222-eeee-3333-ffff4444aaaa_staleApps",
"recommendationType": "staleApps",
"createdDateTime": "2022-06-16T01:18:55Z",
"impactStartDateTime": "2022-06-16T01:18:55Z",
"postponeUntilDateTime": null,
"lastModifiedDateTime": "2024-07-26T14:17:24Z",
"lastModifiedBy": "System",
"displayName": "Remove unused applications",
"featureAreas": [
"applications"
],
"insights": "Your tenant has some applications that have not been used in the past 90 days.",
"benefits": "Removing unused applications improves the security posture and promotes good application hygiene.",
"category": "identityBestPractice",
"status": "active",
"priority": "medium",
"requiredLicenses": "microsoftEntraWorkloadId",
"impactType": "apps",
"actionSteps": [
{
"stepNumber": 1,
"text": "1. Navigate to the app registration blade and delete the unused application."
},
{
"stepNumber": 2,
"text": "2. We suggest you take appropriate steps to ensure the application is not used in longer intervals of more than 90 days. If so, you should change the frequency of access such that the application’s last used time is within 90 days from its last access date."
}
]
}
Consider the app's usage scenario and business function:
- Was the app deprecated?
- Is the app used for a business function that only happens at certain times of the year?
If you can delete the app, run one of the following queries to delete the application:
DELETE /applications/{applicationObjectId}
DELETE /applications(appId='{appId}')
Wait 15 days and then follow the Permanently delete an item Microsoft Graph API guidance.
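The Graph steps above combined into one review script, as an added example that is not part of the original article: it picks the `{tenantId}_staleApps` recommendation, builds the status-filtered impactedResources URL, follows paging, and lists the soft-delete requests without sending them. The `fetch` callable, the sample responses, and the use of the impacted resource `id` as the `appId` are assumptions; the sample fetch does not apply the filter, so the client-side status check is what drops the postponed app.

```python
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/beta"

def stale_apps_id(recommendations):
    """Find the {tenantId}_staleApps recommendation id in a list response."""
    for rec in recommendations.get("value", []):
        if rec.get("id", "").endswith("_staleApps"):
            return rec["id"]
    return None

def impacted_url(rec_id, status="active"):
    """Impacted-resources URL with the status filter percent-encoded."""
    flt = f"status eq Microsoft.Graph.recommendationStatus'{status}'"
    return (f"{GRAPH}/directory/recommendations/{rec_id}"
            f"/impactedResources?$filter={quote(flt)}")

def collect(fetch, url):
    """Follow @odata.nextLink paging; fetch(url) returns a parsed JSON body."""
    items = []
    while url:
        page = fetch(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items

def delete_plan(resources):
    """Soft-delete requests for active resources only (re-checked client side)."""
    # Assumption: the impacted resource "id" carries the app's appId.
    return [(r.get("displayName"), f"DELETE /applications(appId='{r['id']}')")
            for r in resources if r.get("status") == "active"]

# Constructed sample responses (not real tenant data), keyed by request URL.
REC_ID = "ccccdddd-2222-eeee-3333-ffff4444aaaa_staleApps"
FIRST = impacted_url(REC_ID)
PAGES = {
    FIRST: {"value": [
        {"id": "00000000-0000-0000-0000-000000000001", "displayName": "old-poc", "status": "active"},
        {"id": "00000000-0000-0000-0000-000000000002", "displayName": "year-end-batch", "status": "postponed"}],
        "@odata.nextLink": FIRST + "&$skiptoken=constructed"},
    FIRST + "&$skiptoken=constructed": {"value": [
        {"id": "00000000-0000-0000-0000-000000000003", "displayName": "demo-api", "status": "active"}]},
}

def run_sample():
    rec_id = stale_apps_id({"value": [{"id": "constructed_otherRecommendation"}, {"id": REC_ID}]})
    return delete_plan(collect(PAGES.__getitem__, impacted_url(rec_id)))

if __name__ == "__main__":
    for name, request in run_sample():
        print(name, "->", request)
```

To run it against a tenant, replace `PAGES.__getitem__` with a function that sends an authenticated GET and returns the parsed JSON, and review the printed plan before issuing any DELETE.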