Disabled service principal retains grants

Detects service principals that have been disabled but still hold OAuth2 permission grants.

Category: Applications
Default severity: Medium
Rule key: CHECK_DISABLED_SP_WITH_GRANTS
Last updated

How to fix it

When you disable a service principal, also revoke its OAuth2 permission grants. Otherwise, re-enabling the service principal restores its access instantly.
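To find which grants to revoke, the rule's condition can be evaluated over already-exported Microsoft Graph data. The following is an added example, not EntraAnalyzer's own code: it assumes the documented servicePrincipal and oAuth2PermissionGrant properties, and the sample records and the function name are constructed for illustration.

```python
# Added example: offline evaluation of exported Microsoft Graph v1.0 data.
# Constructed sample of GET /servicePrincipals (id, displayName, accountEnabled).
SAMPLE_SPS = [
    {"id": "sp-1", "displayName": "Legacy Reporting", "accountEnabled": False},
    {"id": "sp-2", "displayName": "HR Sync", "accountEnabled": True},
    {"id": "sp-3", "displayName": "Old Mail Tool", "accountEnabled": False},
    {"id": "sp-4", "displayName": "Retired Clean", "accountEnabled": False},
]
# Constructed sample of GET /oauth2PermissionGrants.
SAMPLE_GRANTS = [
    {"id": "g-1", "clientId": "sp-1", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-graph", "scope": "User.Read Mail.Read"},
    {"id": "g-2", "clientId": "sp-2", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-graph", "scope": "User.Read"},
    {"id": "g-3", "clientId": "sp-3", "consentType": "Principal",
     "principalId": "user-9", "resourceId": "sp-graph", "scope": " Files.Read.All "},
    {"id": "g-4", "clientId": "sp-1", "consentType": "Principal",
     "principalId": "user-7", "resourceId": "sp-graph", "scope": "offline_access"},
]

def disabled_sps_with_grants(service_principals, grants):
    """Return one finding per disabled service principal that is still the
    client (clientId) of at least one OAuth2 permission grant."""
    # accountEnabled is nullable; only an explicit False counts as disabled.
    disabled = {sp["id"]: sp for sp in service_principals
                if sp.get("accountEnabled") is False}
    findings = {}
    for grant in grants:
        sp = disabled.get(grant.get("clientId"))
        if sp is None:
            continue  # grant belongs to an enabled or unknown principal
        finding = findings.setdefault(sp["id"], {
            "servicePrincipalId": sp["id"],
            "displayName": sp.get("displayName"),
            "tenantWide": False, "scopes": set(), "grantIds": []})
        finding["grantIds"].append(grant["id"])
        # scope is a space-separated string and may carry stray whitespace.
        finding["scopes"].update((grant.get("scope") or "").split())
        # AllPrincipals means admin consent on behalf of every user.
        finding["tenantWide"] |= grant.get("consentType") == "AllPrincipals"
    # Report tenant-wide grants first; they restore the broadest access.
    return sorted(findings.values(),
                  key=lambda f: (not f["tenantWide"], f["servicePrincipalId"]))

if __name__ == "__main__":
    for f in disabled_sps_with_grants(SAMPLE_SPS, SAMPLE_GRANTS):
        print(f["displayName"], sorted(f["scopes"]), "revoke:", f["grantIds"])
```

Each entry in `grantIds` is the id of an oAuth2PermissionGrant object to delete; deleting grants needs a write permission, not the read-only permissions this rule uses.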

Required Microsoft Graph permissions

EntraAnalyzer needs the following read-only Graph permissions to evaluate this rule:

  • Directory.Read.All
  • Application.Read.All


Run this check on your tenant

EntraAnalyzer evaluates this rule automatically on every scan and emails you the results.
