Disable how a user signs in for an application

In this article, you disable how a user signs in to an application in Azure Active Directory.

Prerequisites

To disable how a user signs in, you need:

  • An Azure account with an active subscription. Create an account for free.
  • One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

Disable how a user signs in

  1. Sign in to the Azure portal as the global administrator for your directory.
  2. Search for and select Azure Active Directory.
  3. Select Enterprise applications.
  4. Search for the application you want to disable a user from signing in, and select the application.
  5. Select Properties.
  6. Select No for Enabled for users to sign-in?.
  7. Select Save.

Use Azure AD PowerShell to disable an unlisted app

Ensure you have installed the AzureAD module (use the command Install-Module -Name AzureAD). In case you are prompted to install a NuGet module or the new Azure Active Directory V2 PowerShell module, type Y and press ENTER.

If you know the AppId of an app that doesn't appear on the Enterprise apps list (for example, because you deleted the app or the service principal hasn't yet been created due to the app being pre-authorized by Microsoft), you can manually create the service principal for the app and then disable it by using AzureAD PowerShell cmdlet.

# The AppId of the app to be disabled
$appId = "{AppId}"

# Check if a service principal already exists for the app
$servicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
if ($servicePrincipal) {
    # Service principal exists already, disable it
    Set-AzureADServicePrincipal -ObjectId $servicePrincipal.ObjectId -AccountEnabled $false
} else {
    # Service principal does not yet exist, create it and disable it at the same time
    $servicePrincipal = New-AzureADServicePrincipal -AppId $appId -AccountEnabled $false
}

Next steps