Applications: Disabled or Invalid
Finds all Application Registrations that are disabled (their Service Principal has AccountEnabled set to false) and those whose Enterprise Application (Service Principal) has been deleted.
PowerShell
# The read-only scope is enough to list applications and service principals
Connect-MgGraph -Scopes @('Application.Read.All')
$allApplications = Get-MgApplication -All -PageSize 999 -Select @('DisplayName', 'AppId')
$servicePrincipals = Get-MgServicePrincipal -All -PageSize 999 -Select AppId, AccountEnabled
# Index the service principals by AppId; -AsString keeps the keys as plain strings for lookup
$servicePrincipals = $servicePrincipals | Group-Object -Property AppId -AsHashTable -AsString
$disabledApplications = @()
$invalidApplications = @()
$allApplications | ForEach-Object {
    $sp = $servicePrincipals[$PSItem.AppId]
    if ($null -eq $sp) {
        # The registration has no service principal in this tenant
        $invalidApplications += $PSItem
    }
    elseif ($sp.AccountEnabled -eq $false) {
        # The service principal exists but is disabled
        $disabledApplications += $PSItem
    }
}
Write-Output "Disabled Applications $($disabledApplications.Count)"
#$disabledApplications | Select-Object DisplayName, AppId
Write-Output "Invalid Applications $($invalidApplications.Count)"
#$invalidApplications | Select-Object DisplayName, AppId
Dependencies
Microsoft Graph SDK for PowerShell
Install-Module Microsoft.Graph -AllowClobber -Force
Connect-MgGraph
Using the Microsoft Graph Command Line Tools Enterprise Application:
Connect-MgGraph -Scopes @('')
Using an existing Access Token:
Connect-MgGraph -AccessToken (ConvertTo-SecureString 'ey..' -AsPlainText -Force)
Using an Application Registration (Platform: Mobile and desktop applications, redirect http://localhost):
Connect-MgGraph -ClientId 'abc..' -TenantId 'abc..'
Using a ClientId and Secret (Password):
$tenantId = ''
$clientId = ''
$secret = ConvertTo-SecureString '' -AsPlainText -Force
$secretCredential = New-Object System.Management.Automation.PSCredential ($clientId, $secret)
$params = @{
    'SecretCredential' = $secretCredential
    'TenantId'         = $tenantId
}
Connect-MgGraph @params