In Microsoft Entra ID, application ownership is a critical aspect of governance. While assigning multiple owners is considered a best practice, many applications still operate with only a single owner.
Applications with a single owner carry a concentration risk: the application depends on one individual, and it becomes orphaned if that owner leaves the organization or loses access.
Identifying such applications allows administrators to proactively strengthen ownership models and improve governance.
This script helps administrators find Entra application registrations that have exactly one owner and provides detailed ownership information for further action. It enumerates app registrations (Get-MgApplication), not enterprise applications (service principals), which have their own owner list.
Download this script from our M365Corner GitHub Repo: https://github.com/m365corner/M365Corner-Scripts/tree/main/Entra-Apps-Related-Scripts/Find-Entra-Apps-With-Single-Owner
```powershell
# Connect to Microsoft Graph. Application.Read.All covers app registrations and their
# owner lists; Directory.Read.All lets Get-MgUser resolve the owner's name and UPN.
Connect-MgGraph -Scopes Application.Read.All, Directory.Read.All

Write-Host "Scanning applications with a SINGLE owner..." -ForegroundColor Cyan

# Get all application registrations (enterprise apps / service principals are not included)
$Applications = Get-MgApplication -All -Property Id,DisplayName,AppId,CreatedDateTime,Description

$Results = [System.Collections.Generic.List[object]]::new()

foreach ($App in $Applications) {
    # Get application owners. @() forces an array so .Count is reliable when Graph
    # returns a single object instead of a collection.
    $Owners = @(Get-MgApplicationOwner -ApplicationId $App.Id -All)

    if ($Owners.Count -eq 1) {
        Write-Host "$($App.DisplayName) | Owners: 1" -ForegroundColor Yellow

        $Owner     = $Owners[0]
        $OwnerName = "N/A"
        $OwnerUPN  = "N/A"
        $OwnerId   = $Owner.Id   # every directory object exposes Id directly

        try {
            # Resolve the owner as a user; Get-MgUser throws if the ID is not a user object
            $OwnerDetails = Get-MgUser -UserId $Owner.Id -ErrorAction Stop
            $OwnerName = $OwnerDetails.DisplayName
            $OwnerUPN  = $OwnerDetails.UserPrincipalName
        }
        catch {
            # Fallback for non-user owners (e.g. service principals): reuse the
            # properties Graph already returned on the directory object
            if ($Owner.AdditionalProperties -and $Owner.AdditionalProperties.ContainsKey("displayName")) {
                $OwnerName = $Owner.AdditionalProperties["displayName"]
            }
            $OwnerUPN = "Non-User Object"
        }

        $Results.Add([PSCustomObject]@{
            ApplicationName = $App.DisplayName
            ApplicationId   = $App.Id
            ClientId        = $App.AppId
            CreatedDate     = $App.CreatedDateTime
            Description     = $App.Description
            OwnerCount      = 1
            OwnerName       = $OwnerName
            OwnerUPN        = $OwnerUPN
            OwnerId         = $OwnerId
        })
    }
}

# Export results
$ExportPath = "C:\Path\Applications_With_Single_Owner_Report.csv"
$Results | Export-Csv -Path $ExportPath -NoTypeInformation
Write-Host "Report exported to $ExportPath" -ForegroundColor Cyan
```
| Step | Description |
|---|---|
| Connect to Graph | Authenticates using Application.Read.All and Directory.Read.All |
| Retrieve Applications | Fetches all applications using Get-MgApplication -All |
| Get Owners | Retrieves owners using Get-MgApplicationOwner |
| Filter Single Owner | Checks if owner count equals exactly 1 |
| Resolve Owner Details | Attempts to fetch user details using Get-MgUser |
| Fallback Logic | Handles non-user owners using AdditionalProperties |
| Build Report | Stores application and owner details in structured format |
| Export Results | Exports results into a CSV report |
| Enhancement | Description |
|---|---|
| Add Owner Backup Recommendation | Suggest adding additional owners for critical apps |
| Include Owner Role Info | Identify if owner is admin or standard user |
| Add Risk Tagging | Mark apps with single owner as medium risk |
| Include Last Activity | Combine with audit logs for usage tracking |
| Automate Reporting | Schedule script for periodic governance checks |
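The following is an added example, not code from the original M365Corner script, that implements three of the enhancements above (owner role/type info, risk tagging, and a backup-owner step). It assumes an existing Connect-MgGraph session with Application.Read.All and User.Read.All, and Application.ReadWrite.All only if -BackupOwnerId is supplied. The function name Get-SoleOwnerRisk, the risk labels, and the backup-owner object ID are assumptions of this example.

```powershell
# Added example (not part of the original M365Corner script). Classifies the sole owner of a
# single-owner app registration, tags a risk level, and can optionally add a backup owner.
# Assumes an existing Connect-MgGraph session with Application.Read.All and User.Read.All;
# Application.ReadWrite.All is required only when -BackupOwnerId is supplied.
# The function name, the risk labels and the backup-owner object ID are assumptions.

function Get-SoleOwnerRisk {
    param(
        # An application object as returned by Get-MgApplication (needs Id and DisplayName)
        [Parameter(Mandatory)] $App,
        # Object ID of a user or group to add as a second owner when the risk is High
        [string] $BackupOwnerId
    )

    # @() forces an array so .Count is 1 for a single returned object, not $null
    $Owners = @(Get-MgApplicationOwner -ApplicationId $App.Id -All)
    if ($Owners.Count -ne 1) { return $null }   # only single-owner apps are in scope

    $Owner = $Owners[0]
    # Owners are returned as generic directoryObjects; the concrete type lives in @odata.type,
    # so no extra Get-MgUser round trip is needed just to tell users from service principals
    $OwnerType = $Owner.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
    $Risk = 'Medium'
    $Reason = 'Single owner'
    $OwnerEnabled = $null
    $OwnerUPN = $Owner.AdditionalProperties['userPrincipalName']

    switch ($OwnerType) {
        'user' {
            # accountEnabled is not in the default owner projection, so fetch it explicitly
            $User = Get-MgUser -UserId $Owner.Id -Property Id,UserPrincipalName,AccountEnabled
            $OwnerEnabled = $User.AccountEnabled
            $OwnerUPN = $User.UserPrincipalName
            if (-not $User.AccountEnabled) {
                $Risk = 'High'
                $Reason = 'Sole owner account is disabled; the app is effectively orphaned'
            }
        }
        'servicePrincipal' {
            $Reason = 'Sole owner is a service principal; no named person is accountable'
        }
        default {
            $Reason = "Sole owner has unexpected type '$OwnerType'"
        }
    }

    if ($BackupOwnerId -and $Risk -eq 'High') {
        # Add the backup owner by reference (requires Application.ReadWrite.All)
        New-MgApplicationOwnerByRef -ApplicationId $App.Id -BodyParameter @{
            '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$BackupOwnerId"
        }
        $Reason += '; backup owner added'
    }

    [PSCustomObject]@{
        ApplicationName = $App.DisplayName
        ApplicationId   = $App.Id
        OwnerId         = $Owner.Id
        OwnerType       = $OwnerType
        OwnerName       = $Owner.AdditionalProperties['displayName']
        OwnerUPN        = $OwnerUPN
        OwnerEnabled    = $OwnerEnabled
        Risk            = $Risk
        Reason          = $Reason
    }
}

# Usage: report only (no -BackupOwnerId), sorted so High-risk apps come first
$Report = Get-MgApplication -All -Property Id,DisplayName |
    ForEach-Object { Get-SoleOwnerRisk -App $_ } |
    Where-Object { $_ }

$Report | Sort-Object Risk | Format-Table ApplicationName, OwnerType, OwnerUPN, OwnerEnabled, Risk, Reason
```

Run it in report-only mode first and review the High entries; pass -BackupOwnerId only from a session that deliberately holds Application.ReadWrite.All, since adding an owner grants that principal control over the app's credentials and permissions. Branching on @odata.type also avoids the exception-driven fallback of the original script for service-principal owners.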
| Question | Answer |
|---|---|
| Why are single-owner apps risky? | They depend on one individual and may become orphaned |
| Should all apps have multiple owners? | Yes, especially business-critical applications |
| Can owners be non-user objects? | Yes, such as service principals |
| Does the script handle non-user owners? | Yes, using fallback logic |
| Can this script scale for large tenants? | Yes, but it makes one owners call per application, so runtime grows with the number of app registrations |
| Use Case | Description |
|---|---|
| Governance Audit | Identify apps needing additional owners |
| Risk Mitigation | Reduce dependency on single individuals |
| Compliance Checks | Ensure ownership policies are followed |
| Ownership Validation | Confirm correct ownership assignments |
| Documentation | Maintain records of application ownership |
| Error | Cause | Solution |
|---|---|---|
| Insufficient privileges | Missing Graph permissions | Use Application.Read.All and Directory.Read.All |
| Cmdlet not recognized | Graph module not installed | Install using Install-Module Microsoft.Graph |
| Access token expired | Session timeout | Reconnect using Connect-MgGraph |
| Missing owner details | Non-user owner objects | Use fallback logic (already included) |
| Slow execution | Large tenant | Optimize with filtering or batching |
Applications with a single owner present a subtle but important governance risk in Microsoft Entra ID environments. While they are not immediately problematic, they can quickly become orphaned if the sole owner leaves the organization or loses access.
This Microsoft Graph PowerShell script provides an efficient way to identify applications with a single owner and retrieve detailed ownership information. By acting on these insights, administrators can ensure better ownership distribution, improve resilience, and strengthen overall governance.
Incorporating this script into regular audits helps maintain a balanced and secure ownership model across all Entra applications.
© Created and Maintained by LEARNIT WELL SOLUTIONS. All Rights Reserved.