Disable user sign in using PowerShell and Graph API

omondiatieno · omondiatieno · commit 807033959ab9 · 2023-02-23T10:21:58.000+03:00
diff --git a/articles/active-directory/manage-apps/disable-user-sign-in-portal.md b/articles/active-directory/manage-apps/disable-user-sign-in-portal.md
@@ -8,11 +8,13 @@ ms.service: active-directory
 ms.subservice: app-mgmt
 ms.workload: identity
 ms.topic: how-to
-ms.date: 09/06/2022
+ms.date: 2/23/2023
 ms.author: jomondi
 ms.reviewer: ergreenl
 ms.custom: it-pro
 ms.collection: M365-identity-device-management
+zone_pivot_groups: enterprise-apps-all
+
 #customer intent: As an admin, I want to disable user sign-in for an application so that no user can sign in to it in Azure Active Directory.
 ---
 # Disable user sign-in for an application
@@ -28,10 +30,12 @@ In this article, you'll learn how to prevent users from signing in to an applica
 To disable user sign-in, you need:
 
 - An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
-- One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.
+- One of the following roles: An administrator, or owner of the service principal.
 
 ## Disable how a user signs in
 
+:::zone pivot="portal"
+
 1. Sign in to the [Azure portal](https://portal.azure.com) as the global administrator for your directory.
 1. Search for and select **Azure Active Directory**.
 1. Select **Enterprise applications**.
@@ -40,11 +44,15 @@ To disable user sign-in, you need:
 1. Select **No** for **Enabled for users to sign-in?**.
 1. Select **Save**.
 
-## Use Azure AD PowerShell to disable an unlisted app
+:::zone-end
+
+:::zone pivot="aad-powershell"
 
-Ensure you've installed the AzureAD module (use the command Install-Module -Name AzureAD). In case you're prompted to install a NuGet module or the new Azure Active Directory V2 PowerShell module, type Y and press ENTER.
+Use the following Azure AD PowerShell script to disable an unlisted app.
 
-You may know the AppId of an app that doesn't appear on the Enterprise apps list. For example, you may have deleted the app or the service principal hasn't yet been created due to the app being pre-authorized by Microsoft), you can manually create the service principal for the app and then disable it by using the following cmdlet.
+Ensure you've installed the AzureAD module (use the command `Install-Module -Name AzureAD`). In case you're prompted to install a NuGet module or the new Azure AD V2 PowerShell module, type Y and press ENTER.
+
+You may know the AppId of an app that doesn't appear on the Enterprise apps list. For example, you may have deleted the app or the service principal hasn't yet been created due to the app being pre-authorized by Microsoft, you can manually create the service principal for the app and then disable it by using the following cmdlet.
 
 ```PowerShell
 # The AppId of the app to be disabled
@@ -60,6 +68,41 @@ if ($servicePrincipal) {
     $servicePrincipal = New-AzureADServicePrincipal -AppId $appId -AccountEnabled $false
 }
 ```
+:::zone-end
+
+:::zone pivot="ms-powershell"
+
+Use the following Microsoft Graph PowerShell script to disable an unlisted app.
+
+Ensure you've installed the Microsoft Graph module (use the command `Install-Module Microsoft.Graph`).
+
+You may know the AppId of an app that doesn't appear on the Enterprise apps list. For example, you may have deleted the app or the service principal hasn't yet been created due to the app being pre-authorized by Microsoft, you can manually create the service principal for the app and then disable it by using the following cmdlet.
+
+:::zone-end
+
+:::zone pivot="ms-graph"
+
+You may know the AppId of an app that doesn't appear on the Enterprise apps list. For example, you may have deleted the app or the service principal hasn't yet been created due to the app being pre-authorized by Microsoft, you can manually create the service principal for the app and then disable it by using Microsoft Graph explorer.
+
+To disable sign-in to an application, sign in to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) with one of the roles listed in the prerequisite section.
+
+You'll need to consent to the `Application.ReadWrite.All` permission.
+
+Run the following query to disable user sign-in to an application.
+
+```http
+PATCH https://graph.microsoft.com/v1.0/servicePrincipals/2a8f9e7a-af01-413a-9592-c32ec0e5c1a7
+
+Content-type: application/json
+
+{
+    "accountEnabled": false
+}
+```
+
+:::zone-end
+
+
 
 ## Next steps
 
