Merge pull request #228290 from omondiatieno/disable-sign-in

ttorble · web-flow · commit 1f6cf280db6f · 2023-02-24T11:35:52.000Z
Disable user sign in using PowerShell and Graph API
diff --git a/articles/active-directory/manage-apps/disable-user-sign-in-portal.md b/articles/active-directory/manage-apps/disable-user-sign-in-portal.md
@@ -8,11 +8,13 @@ ms.service: active-directory
 ms.subservice: app-mgmt
 ms.workload: identity
 ms.topic: how-to
-ms.date: 09/06/2022
+ms.date: 2/23/2023
 ms.author: jomondi
 ms.reviewer: ergreenl
 ms.custom: it-pro
 ms.collection: M365-identity-device-management
+zone_pivot_groups: enterprise-apps-all
+
 #customer intent: As an admin, I want to disable user sign-in for an application so that no user can sign in to it in Azure Active Directory.
 ---
 # Disable user sign-in for an application
@@ -28,10 +30,12 @@ In this article, you'll learn how to prevent users from signing in to an applica
 To disable user sign-in, you need:
 
 - An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
-- One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.
+- One of the following roles: An administrator, or owner of the service principal.
 
 ## Disable how a user signs in
 
+:::zone pivot="portal"
+
 1. Sign in to the [Azure portal](https://portal.azure.com) as the global administrator for your directory.
 1. Search for and select **Azure Active Directory**.
 1. Select **Enterprise applications**.
@@ -40,13 +44,18 @@ To disable user sign-in, you need:
 1. Select **No** for **Enabled for users to sign-in?**.
 1. Select **Save**.
 
-## Use Azure AD PowerShell to disable an unlisted app
+:::zone-end
 
-Ensure you've installed the AzureAD module (use the command Install-Module -Name AzureAD). In case you're prompted to install a NuGet module or the new Azure Active Directory V2 PowerShell module, type Y and press ENTER.
+:::zone pivot="aad-powershell"
 
-You may know the AppId of an app that doesn't appear on the Enterprise apps list. For example, you may have deleted the app or the service principal hasn't yet been created due to the app being pre-authorized by Microsoft), you can manually create the service principal for the app and then disable it by using the following cmdlet.
+You may know the AppId of an app that doesn't appear on the Enterprise apps list. For example, you may have deleted the app or the service principal hasn't yet been created due to the app being pre-authorized by Microsoft, you can manually create the service principal for the app and then disable it by using the following Azure AD PowerShell cmdlet.
+
+Ensure you've installed the AzureAD module (use the command `Install-Module -Name AzureAD`). In case you're prompted to install a NuGet module or the new Azure AD V2 PowerShell module, type Y and press ENTER.
 
 ```PowerShell
+# Connect to Azure AD PowerShell
+Connect-AzureAD -Scopes "Application.ReadWrite.All"
+
 # The AppId of the app to be disabled
 $appId = "{AppId}"
 
@@ -60,6 +69,55 @@ if ($servicePrincipal) {
     $servicePrincipal = New-AzureADServicePrincipal -AppId $appId -AccountEnabled $false
 }
 ```
+:::zone-end
+
+:::zone pivot="ms-powershell"
+
+You may know the AppId of an app that doesn't appear on the Enterprise apps list. For example, you may have deleted the app or the service principal hasn't yet been created due to the app being pre-authorized by Microsoft, you can manually create the service principal for the app and then disable it by using the following Microsoft Graph PowerShell cmdlet.
+
+Ensure you've installed the Microsoft Graph module (use the command `Install-Module Microsoft.Graph`).
+
+```powershell
+# Connect to Microsoft Graph PowerShell
+Connect-MgGraph -Scopes "Application.ReadWrite.All"
+
+# The AppId of the app to be disabled  
+$appId = "{AppId}"  
+
+# Check if a service principal already exists for the app 
+$servicePrincipal = Get-MgServicePrincipal -Filter "appId eq '$appId'"  
+
+# If Service principal exists already, disable it , else, create it and disable it at the same time 
+if ($servicePrincipal) { Update-MgServicePrincipal -ServicePrincipalId $servicePrincipal.Id -AccountEnabled:$false }  
+
+else {  $servicePrincipal = New-MgServicePrincipal -AppId $appId –AccountEnabled:$false } 
+```
+
+:::zone-end
+
+:::zone pivot="ms-graph"
+
+You may know the AppId of an app that doesn't appear on the Enterprise apps list. For example, you may have deleted the app or the service principal hasn't yet been created due to the app being pre-authorized by Microsoft, you can manually create the service principal for the app and then disable it by using Microsoft Graph explorer.
+
+To disable sign-in to an application, sign in to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) with one of the roles listed in the prerequisite section.
+
+You'll need to consent to the `Application.ReadWrite.All` permission.
+
+Run the following query to disable user sign-in to an application.
+
+```http
+PATCH https://graph.microsoft.com/v1.0/servicePrincipals/2a8f9e7a-af01-413a-9592-c32ec0e5c1a7
+
+Content-type: application/json
+
+{
+    "accountEnabled": false
+}
+```
+
+:::zone-end
+
+
 
 ## Next steps
 
