๐Ÿ” Recipe ยท Entra ID & Identity

Remove an Enterprise Application and its Service Principals from Entra ID

Find all related app registrations and service principals by name, then cleanly delete them from your tenant

Complexity

Intermediate

Impact

security + access-control + app-lifecycle + cleanup

Context

Why This Matters

When you decommission a SaaS vendor, revoke a third-party integration, or respond to a security incident involving a rogue OAuth app, you need to remove its footprint from Entra ID. A single vendor often leaves behind multiple artifacts:

  • One or more App Registrations (the application object) in your tenant
  • One or more Enterprise Applications (service principals), including the home-tenant service principal and any consented multi-tenant service principals pointing to the vendor's app
  • Variant naming (SaaS Alerts, SaaS Alerts Respond, SAAS_ALERTS_RESPOND) from different product lines or historical consents

Deleting only the Enterprise Application you see in the portal often leaves orphaned registrations or other related service principals behind, which can continue to hold permissions or reappear on next sign-in. This recipe shows the complete find-and-remove workflow.

Expected Outcomes

After completing this recipe you will have:

  • A full inventory of every application and service principal matching the vendor's name prefix
  • All selected service principals deleted from Entra ID (revoking their tokens and permissions)
  • All related App Registrations deleted (preventing re-instantiation)
  • Graph API audit entries for each deletion, suitable for compliance evidence

Risks & Considerations

โš ๏ธ Before you delete

  • Deletion is soft for 30 days. App registrations and service principals move to the deleted items container and can be restored via /directory/deletedItems. After 30 days deletion is permanent.
  • Active dependencies break immediately. If any workflow, Conditional Access policy, app role assignment, or automation authenticates as or to this app, it will fail the moment the service principal is deleted.
  • Check for secrets and certificates on the App Registration before deletion. If the app holds keys used elsewhere, revoke them at the consuming system first.
  • Filter carefully. The Graph $filter operator does not support contains() on displayName. Use startswith() or fetch and filter client-side. A too-broad startswith() (e.g. startswith(displayName,'S')) can return hundreds of unrelated apps.
  • Microsoft-owned first-party service principals (e.g. Microsoft Graph, Office 365 SharePoint Online) cannot and should not be deleted, even if they match your filter.
  • Delete order matters only loosely: deleting the App Registration automatically cascades to its home-tenant service principal, but multi-tenant service principals in your directory must be deleted separately.

Required Permissions

  • Application.Read.All: List and search for applications and service principals to identify all items related to the vendor.
  • Application.ReadWrite.All: Delete service principals and application registrations from the tenant.
  • Directory.Read.All: Optional; read related directory objects (role assignments, owners) before deletion.
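The find-and-remove workflow above as an added PowerShell example using the Microsoft Graph PowerShell SDK; this is not Dex's or the page's own code. It assumes the Microsoft.Graph module is installed, uses the 'SaaS Alerts' prefix from the page, and treats the well-known Microsoft services tenant ID f8cdef31-a31e-4b4a-93e4-5f571e91255a as the marker for first-party service principals (an assumption to verify in your tenant).

```powershell
# Added example, not the page's code. Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
$Prefix = 'SaaS Alerts'   # vendor name prefix from the page; change for your vendor
$DryRun = $true           # inventory only; set to $false to delete after reviewing the list

# Assumption: well-known tenant ID that owns Microsoft first-party apps (appOwnerOrganizationId); verify in your tenant.
$MicrosoftServicesTenant = 'f8cdef31-a31e-4b4a-93e4-5f571e91255a'

Connect-MgGraph -Scopes 'Application.ReadWrite.All','Directory.Read.All' -NoWelcome

# Graph $filter has no contains() on displayName, so use startswith(); single quotes are doubled for OData.
$filter = "startswith(displayName,'$($Prefix -replace "'", "''")')"

$apps = Get-MgApplication      -Filter $filter -All -Property Id,AppId,DisplayName,PasswordCredentials,KeyCredentials
$sps  = Get-MgServicePrincipal -Filter $filter -All -Property Id,AppId,DisplayName,ServicePrincipalType,AppOwnerOrganizationId

# Never delete Microsoft-owned first-party service principals, even when the name matches the prefix
$firstParty = @($sps | Where-Object { $_.AppOwnerOrganizationId -eq $MicrosoftServicesTenant })
$sps        = @($sps | Where-Object { $_.AppOwnerOrganizationId -ne $MicrosoftServicesTenant })
$apps       = @($apps)

Write-Host "== App registrations matching '$Prefix' =="
$apps | Select-Object DisplayName, AppId, Id,
    @{n='Secrets'; e={ @($_.PasswordCredentials).Count }},
    @{n='Certs';   e={ @($_.KeyCredentials).Count }} | Format-Table -AutoSize
Write-Host "== Service principals matching '$Prefix' =="
$sps | Select-Object DisplayName, AppId, Id, ServicePrincipalType, AppOwnerOrganizationId | Format-Table -AutoSize
if ($firstParty.Count) { Write-Warning "Skipping first-party SP(s): $($firstParty.DisplayName -join ', ')" }

# Registrations still holding secrets or certificates: revoke them at the consuming system before deleting
$withKeys = @($apps | Where-Object { @($_.PasswordCredentials).Count -gt 0 -or @($_.KeyCredentials).Count -gt 0 })
if ($withKeys.Count) { Write-Warning "Still hold credentials: $($withKeys.DisplayName -join ', ')" }

if ($DryRun) { Write-Host 'Dry run: nothing deleted.'; return }
$answer = Read-Host "Delete $($sps.Count) service principal(s) and $($apps.Count) app registration(s)? Type DELETE"
if ($answer -ne 'DELETE') { return }

# Service principals first (multi-tenant ones are not removed by the app-registration cascade), then the
# registrations. Both are soft-deleted for 30 days and restorable from /directory/deletedItems.
foreach ($sp in $sps) {
    Remove-MgServicePrincipal -ServicePrincipalId $sp.Id
    Write-Host "Deleted service principal $($sp.DisplayName) ($($sp.Id))"
}
foreach ($app in $apps) {
    Remove-MgApplication -ApplicationId $app.Id
    Write-Host "Deleted app registration $($app.DisplayName) ($($app.Id))"
}
```

Each Remove-Mg* call produces a Graph audit log entry, which is the compliance evidence the Expected Outcomes section refers to.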

The fastest way to get this done: just ask Dex. Copy the prompt below and paste it into your Dex conversation.

For IT Admins

Paste into Dex CoAdmin

Find every Entra ID application and service principal whose name starts with '{AppNamePrefix}' (e.g. SaaS Alerts), show me the full list, and after I confirm, delete all selected service principals and their App Registrations from the tenant.