Updating Entra ID Applications for On-premises Services: A Real-World Tested Approach

Entra ID’s current application model is Microsoft’s solution for the age-old problem of admins abusing user accounts as service accounts. Yes, that model in Active Directory is inherently flawed, and we would be better served by just leaving it behind on-premises. But that won’t solve the problem, because Entra ID applications are inherently flawed as well.   

This article explores how our views on lifecycle management for Entra applications can keep the apps unnecessarily, and dangerously, static in their configurations. I’ll also show you how to fix it using an approach I have successfully tested with several organizations over the past few months. 

Vendors evolve - so do their apps. 

Since Entra applications are the new frontier for non-human interaction with Entra, and vendors are still learning how to properly wield the platform, they will inevitably update their solutions for better use of platform features and/or to reduce privileges. Microsoft’s constant product name changes also play a factor in prompting branding changes. 

... Why then, am I still seeing so many third-party applications with names containing ‘Azure AD,’ more than two years after Microsoft renamed the platform to ‘Entra ID’?! 🤔 

It’s all about application registration. 

Entra ID applications for on-premises services remain relatively static because of the way developers think about backward compatibility, how security people think about logging, and how admins look at upgrades. In reality, and in several situations, it’s also about how the platform itself copes with changes made to the apps. 

Whether the third-party app is a single-tenant application or a multi-tenant application, it all comes down to the application registration object in Entra ID: 

• For single-tenant applications, code from a vendor creates the application registration object and then creates a corresponding enterprise application object. 

• For multi-tenant applications, the application registration object in the vendor’s Entra tenant acts as a blueprint to create the enterprise application object in the customer Entra tenant. 

• For workload identities, code from a vendor creates the application registration object. 
  

Each stakeholder has a distinct perspective on application lifecycle management. 

What it comes down to is the fact that all stakeholders involved in the application lifecycle within your organization will have different views, needs, and requirements. For example: 

• From a vendor perspective, we typically do not want to touch the customers’ systems and processes unless we really want to. Is adopting lesser administrative privilege or rebranding really worth the risk of inappropriately touching – and potentially wrecking – the customers' cloud identity platform? 

• From a developer perspective, we want to adopt best practices, but we can’t be sure every customer has the same mindset. We also can’t be sure that customers run the latest version, upgrade to the latest version, or even stay on the latest version. The upgrade process that we just initiated might break a previous version of our on-premises code, and a customer might roll back to it or restore it.  

• From an admin perspective, we typically don’t fix what isn’t broken. When we upgrade the on-premises component for a service, we typically skip recreating the Entra application objects.  

• From a security team’s perspective, we want the organization to embrace all the zero trust principles, but don’t typically want to delete stuff permanently. Logs become riddled with orphaned identifiers. In the process, traceability and accountability are reduced to levels where they can no longer be guaranteed. 

More stakeholders may be identified in large and complex organizations. These stakeholders may have more complex and/or granular needs and requirements. But at its core, the above opposite stakes would still be recognizable. 

Something’s Gotta Give 

Out of these perspectives, security is the perspective with oppositional stakes. Security would remediate one finding on their red team reports (if a red team would look into Entra ID applications), but then be faced with an operational challenge if and when an admin removes an enterprise application and/or application registration: They will no longer be able to continually secure and correlate the applicationID in the log after upgrades, if application objects are just deleted and recreated. 

Luckily, we can solve this problem with a simple solution: communication.  

During this process, Entra admins would be able to educate security operations teams on the subtle art form that is managing Entra ID application lifecycles. 

How to update Entra ID applications for on-premises services 

This process consists of three steps: 

1. Revoking API permissions and roles 
2. Deleting the application artifacts 
3. Recreating the application artifacts 

From my experience, performing these steps for every major version of the on-premises service strikes the perfect balance between admin effort and lifecycle benefits. 

However, you should not perform these actions for applications that are published through Entra App Proxy or Entra Private Access, or for Entra Connect Sync’s application-based authentication. These have their own lifecycle management processes that allow for their specific rollback scenarios. 

Ensure that for steps 1 and 2, and for step 3, you note the applicationIDs for the Entra ID application artifacts, so that your security team can continue to secure and correlate sign-in and audit logs. 

Revoking API permissions and roles 

*Note that this step is optional.  

When using this optional step, in a rollback scenario, the application object cannot be reverted. 

Since Entra ID application artifacts are soft deleted when you delete them, that action can be reversed by an adversary using a compromised administrator or application owner account. As a precaution, we revoke the API permissions and roles assigned to the following: 

• The Enterprise application (if the app is a multi-tenant app). 

• The Application registration (if the app is a single-tenant app). 

• The Application registration (if the app is a workload identity). 

Roles can be revoked from the Entra admin center, but this doesn’t represent a valid roll-back scenario. As API permissions cannot be revoked in the Entra admin center, we can turn to: 

• The Entra PowerShell module for the Remove-EntraOauth2PermissionGrant cmdlet and target it per grant ID, assigned to the Entra ID application.  

• The Microsoft Graph PowerShell SDK for the Remove-MgOauth2PermissionGrant cmdlet and target it per grant ID, assigned to the Entra ID application. 

• Direct Microsoft Graph API v1.0 calls to DELETE the specific OAuth2PermissionGrants per grant ID, assigned to the Entra ID application.  

As Entra is a distributed global service, make sure to allow sufficient time for its systems and services to replicate the changes to all endpoints. Typically, about 15 minutes should suffice. 

Deleting the application artifacts 

In the Entra admin center, we can delete the application objects. For single-tenant applications, when you delete either the application registration or the enterprise application, the other object is also deleted. 

Any deleted application registrations are shown on the Deleted applications tab when viewing applications in the Entra admin center. When you restore an application registration, it restores any Enterprise application associated with it.  

As Entra is a distributed global service, make sure to allow sufficient time for its systems and services to replicate the changes to all endpoints. Typically, about 15 minutes should suffice. 

Recreating the application artifacts 

Using the upgrade interface for the on-premises service, you’ll recreate the Entra ID application objects as if they never existed. 

 If the upgrade is successful, the security team will be able to secure and correlate sign-ins, as well as audit events and/or provisioning logs between the old and new application objects, based on the  applicationIDs. 

But if the upgrade is unsuccessful, you’ll need to delete the newly created application artifacts from Entra ID, restore the on-premises service to a previous state, and restore the soft-deleted application artifacts. 

Concluding 

Microsoft’s Entra application model is advancing rapidly toward a Zero Trust architecture. However, achieving true Zero Trust requires collaboration between vendors, administrators, developers, and security professionals to manage the full lifecycle of Entra ID applications. Only through coordinated governance can organizations truly enforce the principle of least privilege. 

The approach outlined in this post helps bridge the gap between these stakeholders, enabling your organization to make meaningful progress toward Zero Trust. 

Gaining visibility into your current Entra ID application landscape is the first step. The ENow App Governance Accelerator solution delivers the insights, guidance, and automated remediation needed to strengthen your application security posture while easing the workload for identity administrators.