Query Details

Entra ID Enterprise Apps Deleted

Query

# Entra ID - Enterprise Applications - Deletions

## Query Information

### Description

Use the query below to identify deleted Enterprise Applications in Entra ID.

When you delete an enterprise application, it remains in a suspended (soft-deleted) state in the recycle bin for 30 days. During those 30 days you can restore the application; after that it is permanently removed. Deleted service principals can be listed through Microsoft Graph at `GET /directory/deletedItems/microsoft.graph.servicePrincipal` and restored with `POST /directory/deletedItems/{id}/restore`, so when investigating a deletion keep the object ID of the removed service principal, not just its display name.

#### References

- [Delete an enterprise application](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/delete-application-portal?pivots=portal)

### Microsoft Sentinel

```kql
AuditLogs
| where OperationName == "Remove service principal"
| extend
    Application = tostring(TargetResources[0].displayName),
    // object id of the deleted service principal; this is what a restore from the recycle bin needs
    ServicePrincipalId = tostring(TargetResources[0].id)
| extend InitiatedByData = parse_json(tostring(InitiatedBy))
| extend
    // InitiatedBy is populated under .user for interactive deletions and under .app for automation
    InitiatorType = iff(isnotempty(InitiatedByData.user), "User", "App"),
    DisplayName = tostring(iff(isnotempty(InitiatedByData.user), InitiatedByData.user.displayName, InitiatedByData.app.displayName)),
    Id = tostring(iff(isnotempty(InitiatedByData.user), InitiatedByData.user.id, InitiatedByData.app.servicePrincipalId)),
    // only present for user-initiated deletions; empty when an app performed the action
    UserPrincipalName = tostring(InitiatedByData.user.userPrincipalName),
    IPAddress = tostring(InitiatedByData.user.ipAddress)
| project TimeGenerated, Application, ServicePrincipalId, Result, InitiatorType, DisplayName, Id, UserPrincipalName, IPAddress
```

Explanation

This query identifies deleted Enterprise Applications in Entra ID (formerly Azure Active Directory). A deleted enterprise application is soft-deleted: it sits in the recycle bin for 30 days and can be restored during that window, so the deletion needs to be noticed while restore is still possible.

What the query does:

  1. Data source: the AuditLogs table, which records directory operations in Entra ID.

  2. Filter: keeps entries whose operation name is "Remove service principal". An enterprise application is represented in the tenant by a service principal, so this event is the deletion of the application. The filter does not check the Result column, so failed deletion attempts appear alongside successful ones; add `| where Result == "success"` if only completed deletions are of interest.

  3. Extract information:

    • the display name of the deleted application, taken from the first TargetResources entry;
    • the parsed InitiatedBy field, which is populated under `user` when a person performed the deletion and under `app` when an application or automation did;
    • the initiator's type, display name and ID; user principal name and IP address exist only for user-initiated deletions and are empty when an app was the initiator.

  4. Output: projects the time the log was generated, the application name, and the initiator details described above.

This query is useful for auditing and monitoring: it shows who deleted an enterprise application and when, which is the information needed to decide whether to restore it from the recycle bin before the 30-day retention expires.
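As an added example (not part of the original query page), the same extraction logic re-implemented in Python and run over constructed AuditLogs-shaped records, so the user-versus-app branching, the handling of InitiatedBy when it arrives as a JSON string, and the behaviour on failed attempts can be checked offline. All record contents, names and GUIDs are made up; the column and field names follow the AuditLogs schema the KQL above relies on. Unlike the KQL, it filters to successful deletions by default; pass `successful_only=False` for parity with the query.

```python
"""Python re-implementation of the 'Remove service principal' detection, run over
constructed AuditLogs-shaped records (added example; sample data is made up, the
field names follow the Sentinel AuditLogs schema used by the KQL query)."""
import json
from typing import Any, Iterable

# Audit event raised when a service principal (enterprise application) is deleted.
OPERATION_NAME = "Remove service principal"

# Constructed sample records. InitiatedBy and TargetResources are dynamic columns in
# Sentinel, but many exports serialise them as JSON strings, so both shapes appear here.
SAMPLE_AUDIT_LOGS = [
    {   # user-initiated deletion, succeeded
        "TimeGenerated": "2025-06-15T09:12:44Z",
        "OperationName": "Remove service principal",
        "Result": "success",
        "InitiatedBy": {"user": {"id": "00000000-0000-0000-0000-00000000aaaa",
                                 "displayName": "Jane Admin",
                                 "userPrincipalName": "jane.admin@contoso.example",
                                 "ipAddress": "203.0.113.10"}},
        "TargetResources": [{"id": "11111111-1111-1111-1111-111111111111",
                             "displayName": "Payroll SSO", "type": "ServicePrincipal"}],
    },
    {   # app-initiated deletion (automation): no user block, so UPN and IP are absent
        "TimeGenerated": "2025-06-15T09:40:02Z",
        "OperationName": "Remove service principal",
        "Result": "success",
        "InitiatedBy": {"user": None,
                        "app": {"servicePrincipalId": "22222222-2222-2222-2222-222222222222",
                                "displayName": "Lifecycle Automation"}},
        "TargetResources": [{"id": "33333333-3333-3333-3333-333333333333",
                             "displayName": "Legacy Reporting", "type": "ServicePrincipal"}],
    },
    {   # failed attempt, with the dynamic columns serialised as JSON strings
        "TimeGenerated": "2025-06-15T10:01:17Z",
        "OperationName": "Remove service principal",
        "Result": "failure",
        "InitiatedBy": json.dumps({"user": {"id": "00000000-0000-0000-0000-00000000bbbb",
                                            "displayName": "Bob Helpdesk",
                                            "userPrincipalName": "bob.helpdesk@contoso.example",
                                            "ipAddress": "198.51.100.7"}}),
        "TargetResources": json.dumps([{"id": "44444444-4444-4444-4444-444444444444",
                                        "displayName": "HR Portal", "type": "ServicePrincipal"}]),
    },
    {   # unrelated operation, must not match the filter
        "TimeGenerated": "2025-06-15T10:05:00Z",
        "OperationName": "Add service principal",
        "Result": "success",
        "InitiatedBy": {"user": {"id": "00000000-0000-0000-0000-00000000aaaa",
                                 "displayName": "Jane Admin",
                                 "userPrincipalName": "jane.admin@contoso.example",
                                 "ipAddress": "203.0.113.10"}},
        "TargetResources": [{"id": "55555555-5555-5555-5555-555555555555",
                             "displayName": "New Tool", "type": "ServicePrincipal"}],
    },
]


def as_json(value: Any) -> Any:
    """Accept a dynamic value or its JSON-string form, like parse_json(tostring(x)) in KQL."""
    if isinstance(value, str):
        return json.loads(value) if value.strip() else None
    return value


def extract_initiator(initiated_by: Any) -> dict:
    """Who performed the action: a user (with UPN and IP) or an app (neither field)."""
    data = as_json(initiated_by) or {}
    user = data.get("user") or {}   # isnotempty() treats null and {} alike
    app = data.get("app") or {}
    if user:
        return {"InitiatorType": "User", "DisplayName": user.get("displayName"),
                "Id": user.get("id"), "UserPrincipalName": user.get("userPrincipalName"),
                "IPAddress": user.get("ipAddress")}
    return {"InitiatorType": "App", "DisplayName": app.get("displayName"),
            "Id": app.get("servicePrincipalId"), "UserPrincipalName": None, "IPAddress": None}


def deleted_enterprise_apps(records: Iterable[dict], successful_only: bool = True) -> list[dict]:
    """Mirror the KQL: filter on OperationName, project time, target application and
    initiator. Also keeps Result and the target object id, which a restore needs."""
    rows = []
    for rec in records:
        if rec.get("OperationName") != OPERATION_NAME:
            continue
        if successful_only and rec.get("Result") != "success":
            continue
        targets = as_json(rec.get("TargetResources")) or []
        target = targets[0] if targets else {}
        rows.append({"TimeGenerated": rec.get("TimeGenerated"),
                     "Application": target.get("displayName"),
                     "ServicePrincipalId": target.get("id"),
                     "Result": rec.get("Result"),
                     **extract_initiator(rec.get("InitiatedBy"))})
    return rows


if __name__ == "__main__":
    for row in deleted_enterprise_apps(SAMPLE_AUDIT_LOGS, successful_only=False):
        print(row)
```

The second sample record is the one to watch in a real investigation: an app-initiated deletion yields no user principal name or IP address, so the `Id` column (the initiating service principal's object ID) is the only pivot back to the automation that did it.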

Details


Alex Verboon

Released: June 15, 2025

Tables

AuditLogs

Keywords

AuditLogs, OperationName, Application, InitiatedByData, InitiatorType, DisplayName, Id, UserPrincipalName, IPAddress, TimeGenerated

Operators

where, extend, tostring, parse_json, iff, isnotempty, project
