Version: Angophra

Sign-In Activity

Menu path: Observe → Application Governance → Sign-In Activity
URL: /en/insights/dashboard/appGov/sign-in-activity

Purpose

The Application Sign-In Activity page analyses when applications last authenticated to Entra ID and identifies applications that are dormant, inactive, or have never been used. It is the primary tool for identifying decommission candidates - applications that are consuming attack surface (they have credentials, permissions, and exist as targets) but provide no value because they are not being used.

This page shows the "ugly" reality that is common in most Entra ID environments: the vast majority of the application estate has never been used or has not been used for months. Each unused application is an unnecessary risk.


Observation Cards

Never Used

What it means: 500 applications have absolutely no recorded sign-in activity - they have never been used since being registered in Entra ID.

Why it matters: This is a major finding. 500 applications out of 657 total have never signed in. This is 76% of the application estate. While many of these will be Microsoft first-party service principals that are present in every Entra ID tenant and do not sign in conventionally, a significant portion will be custom applications and enterprise integrations that were registered but never deployed, or are now abandoned. Each of these 500 applications has an entry in Entra ID that represents an attack surface.

What to do: This requires a systematic review programme. Identify all 500 applications, categorise them (Microsoft system apps vs custom apps vs third-party apps), and for custom and third-party apps with no sign-in history, work with application owners to confirm whether they are still needed. Applications confirmed as not needed should be disabled and eventually deleted.

Dormant 6+ Months

What it means: 103 applications have not authenticated in over 6 months.

Why it matters: Applications that were once active but have been dormant for 6+ months are likely candidates for decommission. At 6 months, even seasonal applications would have been used. These applications may represent completed projects, replaced integrations, or applications that failed and were abandoned without cleanup.

Dormant 12+ Months

What it means: 50 applications have not authenticated in over 12 months.

Why it matters: After 12 months of dormancy, an application should be strongly considered for decommission. These are the highest-confidence cleanup targets within the dormant category. Any application that has not been used in a year is very unlikely to be needed.


Charts

Removal Candidates by Risk

Chart type: Donut chart
What it shows: 603 inactive or unused applications, grouped by their overall risk level (Low, High, Critical).

Why it matters: Not all dormant applications are equal. A dormant application with Low-risk permissions is less concerning than a dormant application with Critical permissions. This chart helps you prioritise which dormant applications to address first.

What to look for: Any Critical or High risk applications in the dormant/unused category should be reviewed immediately. An application with AppRoleAssignment.ReadWrite.All or User.ReadWrite.All that has been dormant for months is a particularly high-risk finding - it means an application with the ability to modify permission assignments or user accounts is sitting idle with valid credentials.

How Are Applications Being Used?

Chart type: Bar chart
What it shows: The distribution of sign-in methods across actively-used applications - breaking down whether sign-ins are coming from users (delegated), applications (app-only/daemon), or both.

Why it matters: Understanding how applications are being accessed helps validate that they are being used for their intended purpose. An application registered as a user-facing web app that is only showing app-only sign-ins may indicate it has been repurposed or its front-end is broken.

Last Activity Timeline

Chart type: Area chart
What it shows: The number of applications whose last activity falls within each time period, from the oldest to the most recent. The rising curve shows the accumulation of applications over time.

Why it matters: This chart helps visualise the age distribution of your application activity. A steep rise in the recent period confirms that most recently-active applications are current. A long flat tail on the left side of the chart represents applications that have not been touched in years.
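The bucketing behind the observation cards and the first two charts above, written out as an added example. This is not Angophra's code and not part of its documentation: it assumes one record per application (name, last delegated sign-in, last app-only sign-in, and a Low/High/Critical risk label that is assumed to come from a separate permission review), treats the 12+ month count as a subset of the 6+ month count, uses 180 and 365 days as the dormancy thresholds, and runs over constructed sample data with a fixed "today" so the counts are reproducible. The field names are the example's own; they only loosely mirror the delegated-versus-application split in the Microsoft Graph service principal sign-in activity report.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

RISK_RANK = {"Critical": 0, "High": 1, "Low": 2}   # review order, most severe first
DORMANT_6M_DAYS = 180                                 # assumed threshold for "Dormant 6+ Months"
DORMANT_12M_DAYS = 365                                # assumed threshold for "Dormant 12+ Months"


@dataclass
class AppActivity:
    """One application's sign-in activity (field names are this example's own)."""
    display_name: str
    app_id: str
    last_delegated: Optional[datetime]   # most recent user (delegated) sign-in, or None
    last_app_only: Optional[datetime]    # most recent app-only/daemon sign-in, or None
    risk: str                            # "Low" | "High" | "Critical", assumed from a permission review
    enabled: bool = True

    @property
    def last_activity(self) -> Optional[datetime]:
        """The table's 'Last Activity': the newer of the two sign-in kinds."""
        stamps = [t for t in (self.last_delegated, self.last_app_only) if t is not None]
        return max(stamps) if stamps else None


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed "today" so the numbers are reproducible


def days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)


# Constructed sample estate: names, dates and risk labels are invented for this example.
SAMPLE = [
    AppActivity("HR Portal",           "a1", days_ago(3),   None,          "Low"),
    AppActivity("Nightly Sync Daemon", "a2", None,          days_ago(1),   "High"),
    AppActivity("Legacy Reporting",    "a3", days_ago(200), days_ago(190), "Critical"),
    AppActivity("Old Migration Tool",  "a4", None,          days_ago(400), "High"),
    AppActivity("Unused Test App",     "a5", None,          None,          "Critical"),
    AppActivity("Prototype API",       "a6", None,          None,          "Low"),
    AppActivity("Intranet Widget",     "a7", days_ago(20),  days_ago(5),   "Low"),
]


def days_since_activity(app: AppActivity, now: datetime = NOW) -> Optional[int]:
    """The table's 'Days Since Activity' column; None means never used."""
    last = app.last_activity
    return None if last is None else (now - last).days


def is_removal_candidate(app: AppActivity, now: datetime = NOW) -> bool:
    """Never used, or dormant for more than 6 months (the 'inactive or unused' set)."""
    d = days_since_activity(app, now)
    return d is None or d > DORMANT_6M_DAYS


def observation_cards(apps, now: datetime = NOW) -> dict:
    """Counts for the three observation cards; 12+ months is a subset of 6+ months."""
    ages = [days_since_activity(a, now) for a in apps]
    return {
        "never_used":  sum(1 for d in ages if d is None),
        "dormant_6m":  sum(1 for d in ages if d is not None and d > DORMANT_6M_DAYS),
        "dormant_12m": sum(1 for d in ages if d is not None and d > DORMANT_12M_DAYS),
    }


def removal_candidates_by_risk(apps, now: datetime = NOW) -> dict:
    """The 'Removal Candidates by Risk' donut: inactive or unused apps per risk level."""
    counts = {"Low": 0, "High": 0, "Critical": 0}
    for a in apps:
        if is_removal_candidate(a, now):
            counts[a.risk] += 1
    return counts


def review_order(apps, now: datetime = NOW) -> list:
    """Removal candidates ordered for review: most severe risk first, never-used
    before dormant within a risk level, then longest-dormant first."""
    candidates = [a for a in apps if is_removal_candidate(a, now)]

    def key(a):
        d = days_since_activity(a, now)
        return (RISK_RANK[a.risk], 0 if d is None else 1, -(d or 0))

    return sorted(candidates, key=key)


def sign_in_methods(apps, now: datetime = NOW) -> dict:
    """The 'How Are Applications Being Used?' bar chart, restricted to apps that are
    not removal candidates: delegated only, app-only only, or both."""
    out = {"delegated": 0, "app_only": 0, "both": 0}
    for a in apps:
        if is_removal_candidate(a, now):
            continue
        if a.last_delegated is not None and a.last_app_only is not None:
            out["both"] += 1
        elif a.last_delegated is not None:
            out["delegated"] += 1
        else:
            out["app_only"] += 1
    return out


if __name__ == "__main__":
    print("Cards:", observation_cards(SAMPLE))
    print("By risk:", removal_candidates_by_risk(SAMPLE))
    print("Methods:", sign_in_methods(SAMPLE))
    for a in review_order(SAMPLE):
        print(f"  {a.display_name:20} risk={a.risk:8} days={days_since_activity(a)}")
```

On the sample estate this yields two never-used, two dormant 6+ and one dormant 12+ application, and the review order surfaces the Critical never-used app before the Critical dormant one, which matches the page's advice to treat high-privilege idle applications as the first stop.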


The Sign-In Activity Table

The table lists all applications with sign-in activity data:

  • Display Name - Application name
  • Last Activity - The date of the most recent sign-in
  • Days Since Activity - How many days have elapsed since the last sign-in
  • Last Sign-In - The last sign-in date (may differ from Last Activity in some cases)
  • Principal Type - Application, ManagedIdentity, etc.
  • Enabled - Whether the application is currently enabled

Use the "Inactive" filter toggle to show only applications with no recent activity. Use the "Unused" filter to show applications with no sign-in activity at all. Sort by "Days Since Activity" descending to see the longest-dormant applications first.

The Decommission Process

For each application identified as a decommission candidate:

  1. Identify the application owner (see Owners report)
  2. Contact the owner to confirm the application is no longer needed
  3. If confirmed: disable the application in Entra ID
  4. Monitor for any service disruption over a 2-4 week period
  5. If no disruption: delete the application registration
  6. Clean up associated service principals, credentials, and permissions

Starting with Never Used applications is the safest decommission approach, as there is no risk of causing an active service outage.
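The six-step process above, encoded as an added example of a small tracker that tells you which step each candidate is on. It is not Angophra's code: it assumes a record per candidate (owner confirmation, the date it was disabled, whether anything broke), uses the upper end of the page's 2-4 week window (28 days) as the monitoring period before deletion, orders never-used applications first as the page recommends, and treats a reported disruption as a signal to re-enable the application, which is this example's own rollback choice rather than something the page states. The candidate data is constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

MONITOR_DAYS = 28   # assumed: the 4-week upper bound of the page's 2-4 week monitoring window


@dataclass
class Candidate:
    display_name: str
    never_used: bool                       # no sign-in history at all (safest to remove first)
    owner_confirmed: bool = False          # step 2 done: owner agrees it is no longer needed
    disabled_on: Optional[date] = None     # step 3 done: date the app was disabled in Entra ID
    disruption_reported: bool = False      # step 4: something broke while it was disabled


def next_action(c: Candidate, today: date) -> str:
    """Return the next step of the decommission process for one candidate."""
    if c.disruption_reported:
        # Example's own rollback choice: the page only says to monitor for disruption.
        return "re-enable and investigate"
    if not c.owner_confirmed:
        return "contact owner"                      # steps 1-2
    if c.disabled_on is None:
        return "disable"                            # step 3
    elapsed = (today - c.disabled_on).days
    if elapsed < MONITOR_DAYS:
        return f"monitor ({MONITOR_DAYS - elapsed} days left)"   # step 4
    return "delete registration and clean up credentials/permissions"  # steps 5-6


def plan(candidates, today: date) -> list:
    """Order candidates never-used first (no outage risk), then report each one's next step."""
    ordered = sorted(candidates, key=lambda c: 0 if c.never_used else 1)   # stable sort
    return [(c.display_name, next_action(c, today)) for c in ordered]


TODAY = date(2024, 6, 1)   # fixed date so the output is reproducible

# Constructed candidates; names and dates are invented for this example.
DEMO = [
    Candidate("Legacy Reporting", False, owner_confirmed=True, disabled_on=date(2024, 5, 20)),
    Candidate("Unused Test App", True, owner_confirmed=True, disabled_on=date(2024, 4, 20)),
    Candidate("Old Migration Tool", False),
    Candidate("Prototype API", True),
    Candidate("Intranet Widget", False, owner_confirmed=True,
              disabled_on=date(2024, 5, 25), disruption_reported=True),
]

if __name__ == "__main__":
    for name, action in plan(DEMO, TODAY):
        print(f"{name:20} -> {action}")
```

Run as-is it lists the two never-used applications first, shows the app disabled 42 days ago as ready for deletion, keeps the one disabled 12 days ago in its monitoring window, and flags the one that caused a disruption for rollback.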