
How to Find Microsoft Entra Applications without API Permissions

Are you seeing too many app registrations in your Entra ID and unsure which ones still matter? While apps with excessive API permissions pose security risks, apps without API permissions add clutter to your directory, which makes audits more difficult. This guide shows you how to identify app registrations with no API permissions for efficient workload identity management.

Check Applications Without API Permissions Using Entra Admin Center

Microsoft 365 permission required: Directory Reader (least privilege) or Global Admin (most privilege).
  • Log in to the Microsoft Entra admin center.
  • Navigate to the All applications tab under Entra ID»App registrations.
  • Click on any desired application you’d like to review and go to the API permissions tab.
  • Under Configured permissions, check if any permissions are listed. If none are listed, the app has no API permissions assigned.
Note: The Microsoft Entra portal does not provide a direct way to list all app registrations without API permissions.

List All Applications With No API Permissions Using PowerShell

Microsoft Graph permission required: Application.Read.All (least privilege) or Directory.Read.All (most privilege).
  • Connect to Microsoft Graph PowerShell using the cmdlet below.
     Connect-MgGraph -Scopes "Application.Read.All"
  • Run the cmdlet below to retrieve all Microsoft Entra apps that have no API permissions assigned.
     Get-MgApplication -All | Where-Object { !$_.RequiredResourceAccess }
  • The cmdlet retrieves all applications without an API permission assignment and shows their display name, object ID, app ID, etc.
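The filter above can be extended to also report the secrets and certificates still attached to each permission-less app, which the tips on this page recommend removing. This is an added example, not AdminDroid's or Microsoft's code: the function name Get-AppWithoutApiPermission is hypothetical, the sample objects are constructed, and counting a resource block with an empty ResourceAccess list as "no permissions" is an assumption.

```powershell
function Get-AppWithoutApiPermission {
    [CmdletBinding()]
    param(
        # Application object, e.g. one item of Get-MgApplication output.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Application,
        # Reference time for expiry checks (UTC, assumed to match Graph timestamps).
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    process {
        # Count individual permission entries, so a resource block whose
        # ResourceAccess list is empty counts the same as no block at all.
        $permissionCount = 0
        foreach ($resource in $Application.RequiredResourceAccess) {
            foreach ($entry in $resource.ResourceAccess) { $permissionCount++ }
        }
        if ($permissionCount -gt 0) { return }

        # Secrets and certificates still attached to the permission-less app.
        $credentials = @(
            @($Application.PasswordCredentials; $Application.KeyCredentials) |
                Where-Object { $null -ne $_ }
        )
        $active = @($credentials | Where-Object { $_.EndDateTime -gt $Now })

        [pscustomobject]@{
            DisplayName       = $Application.DisplayName
            AppId             = $Application.AppId
            ObjectId          = $Application.Id
            Credentials       = $credentials.Count
            ActiveCredentials = $active.Count
        }
    }
}

# Constructed sample objects shaped like Get-MgApplication output (not real tenant data).
$secret = [pscustomobject]@{ EndDateTime = [datetime]'2099-01-01' }
$scope  = [pscustomobject]@{ Id = '00000000-0000-0000-0000-0000000000aa'; Type = 'Scope' }
$sampleApps = @(
    [pscustomobject]@{ DisplayName = 'demo-unused'; AppId = '00000000-0000-0000-0000-000000000001'; Id = 'obj-1'
        RequiredResourceAccess = @(); PasswordCredentials = @($secret); KeyCredentials = @() }
    [pscustomobject]@{ DisplayName = 'demo-empty-block'; AppId = '00000000-0000-0000-0000-000000000002'; Id = 'obj-2'
        RequiredResourceAccess = @([pscustomobject]@{ ResourceAccess = @() }); PasswordCredentials = @(); KeyCredentials = @() }
    [pscustomobject]@{ DisplayName = 'demo-reader'; AppId = '00000000-0000-0000-0000-000000000003'; Id = 'obj-3'
        RequiredResourceAccess = @([pscustomobject]@{ ResourceAccess = @($scope) }); PasswordCredentials = @(); KeyCredentials = @() }
)
$sampleApps | Get-AppWithoutApiPermission | Format-Table   # lists demo-unused and demo-empty-block

# Against a tenant, after Connect-MgGraph -Scopes "Application.Read.All":
# Get-MgApplication -All | Get-AppWithoutApiPermission
```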

Move Towards Efficient and Secure App Management Using Entra Workload Identity Insights!

AdminDroid’s free Microsoft Entra ID reporting tool gives you complete visibility into all registered apps, including those without API permissions. It provides a centralized view of all app registrations and helps simplify app lifecycle management across your organization.

Secure Entra Applications by Identifying Implicit Flow Usage

Detect Entra apps using OAuth 2.0 implicit flow to mitigate the risk of token leakage and prevent attackers from impersonating legitimate users.

Take Control of Orphaned Entra ID App Registrations

Find ownerless app registrations to assign proper ownership or eliminate unused apps to improve management and accountability in Microsoft 365.

Analyze Entra App API Permissions to Identify Overprivileged Applications

Inspect API permissions configured for the application to determine which apps have unnecessary high-privileged APIs with less secure access methods.

Review Redirect URIs to Prevent Misuse of Entra App Registrations

Utilize the application redirect URI report to spot URIs pointing to unregistered subdomains and reduce the risk of redirect URI takeover attacks.

Check OAuth2 Permission Grant to Manage App-to-App Access in Microsoft 365

Review OAuth2 scopes of Entra apps to understand how internal apps share data and services, which helps you manage dependencies between applications efficiently.

Identify and Secure Entra Apps with External User Sign-ins

Leverage apps with external user sign-in reports to identify multi-tenant applications and defend against consent phishing, cross-tenant sync attacks, and other external threats.

Thus, AdminDroid’s Entra ID management tool transforms how you monitor and manage apps by delivering unmatched visibility into app properties and permissions. It doesn’t stop there: it also enables complete monitoring and management of users, groups, and every essential element of your Entra ID environment.

Explore a full range of reporting options

Important Tips

Remove unused credentials from app registrations that don't have any API permissions to reduce attack surface area in Microsoft Entra ID.

Follow common application security guidelines to prevent targeted attacks on Entra app registrations created for testing purposes or left unused.

Remove unused apps from Entra ID to streamline app management and ensure a well-organized, secure non-human identity environment.

Common Errors and Resolution Steps

The following are possible errors and troubleshooting hints while managing Entra ID applications with no API permissions.

Error Get-MgApplication: One or more errors occurred.

This error occurs when you have multiple versions of the Microsoft Graph PowerShell module installed.

Fix To resolve this error, uninstall all versions of the Microsoft Graph module installed on your system. Then, install a newer version of the Graph module using the following cmdlets.
# Uninstall every Microsoft.Graph submodule except Authentication, which is handled separately below.
Get-Module Microsoft.Graph* -ListAvailable | Where-Object { $_.Name -ne "Microsoft.Graph.Authentication" } | Select-Object Name -Unique | ForEach-Object {
    $Module = $_
    # Remove each installed version of this submodule.
    Get-Module $Module.Name -ListAvailable | ForEach-Object {
        Uninstall-Module $Module.Name -RequiredVersion $_.Version
    }
}
# Uninstall every installed version of Microsoft.Graph.Authentication last.
Get-Module "Microsoft.Graph.Authentication" -ListAvailable | ForEach-Object {
    Uninstall-Module "Microsoft.Graph.Authentication" -RequiredVersion $_.Version
}
# Install the module again.
Install-Module Microsoft.Graph

Error Some actions may be disabled due to your permissions. To request access, contact the application owner(s) or your administrator. View application owners or administrators.

This error occurs when you don’t have the required privileges to add API permissions to app registrations.

Fix To assign API permissions to app registrations, you must at least be an owner of the app or hold one of the app admin roles.

Error New-MgOauth2PermissionGrant: Insufficient privileges to complete the operation.

This error occurs when you don’t have enough API permission scope to retrieve app registration details using PowerShell.

Fix To resolve this error, you must connect to Microsoft Graph PowerShell with Application.Read.All or a higher-privileged scope.

1. How to assign API permissions to an Entra application?

API permissions in Microsoft Entra enable apps to interact with your Microsoft 365 services and data, such as user profile access, email functionality, and more. Without the right permissions, apps registered in Entra ID can’t function as intended. Assigning the correct API permissions enables your apps to perform the tasks they were built for.

Add API permissions to an app registration from the Entra admin center

Here’s a breakdown of the steps to add API permissions to your Entra application:

  • In the Microsoft Entra admin center, navigate to Entra ID»App registrations»All applications tab.
  • Select your application and click Add a permission under Manage»API permissions.
  • Go to the respective tab (Microsoft APIs, APIs my organization uses, or My APIs) to select the permissions you want to grant for your application.
  • For example, to read user details using Microsoft Graph, go to the Microsoft APIs tab and click Microsoft Graph.
  • Next, choose Delegated permissions if the app acts on behalf of a signed-in user, or Application permissions if it runs without user interaction.
  • Then, search for ‘User.Read.All’, select it, and click Add permissions.
  • When the requested permission is sensitive or requires high privileges, it requires admin consent.
  • For such permissions, you need to use the Grant admin consent for <domain> option to grant access to resources on behalf of your entire organization.

2. What is the difference between delegated access and app-only access in Microsoft Entra?

When assigning API permissions to Microsoft Entra apps, it’s crucial to select the appropriate permission type. The wrong choice can expose sensitive data or restrict your app’s capabilities. There are two types of permissions in Microsoft Entra app registrations: Delegated and Application permissions.

Delegated permissions vs. Application permissions in Entra ID apps

Understanding the permission types that can be added to apps in Microsoft Entra can help you choose the right one based on your app’s access requirements.


3. What is the difference between using API permissions and app role assignment in Entra apps?

When managing access between Microsoft Entra applications, both API permissions and app role assignments play a key role in defining how one app interacts with another. While they may appear similar, they serve different purposes and behave differently.

The following table highlights the key differences between API permissions and app role assignment to help you choose the right configuration for your scenario.

API permissions vs. App role assignments in Entra ID applications


Knowing when and why to use each option helps you maintain both security and efficiency in your app integration.
