I need to find a way to control the user sign-in settings for an enterprise application through the Graph API. Basically, I want to change the setting that allows or prevents users from signing into the app.
I’ve been looking through the Microsoft Graph documentation but can’t seem to find the right endpoint or property to modify this setting. The goal is to automatically switch this on or off without having to go through the Azure portal manually.
Has anyone worked with this before? What’s the correct API call or property I should be using to manage this sign-in permission setting?
Also check the signInAudience property if you’re dealing with enterprise apps. I had problems where just changing accountEnabled didn’t work because the app was set up for multiple tenants. Do a GET request first to see what you’re working with. Changes aren’t instant - there’s usually a delay before they kick in. Graph Explorer’s great for testing these calls before you code them up.
You’ll want to work with the servicePrincipal object in Microsoft Graph API. The accountEnabled property controls whether users can sign in. Just send a PATCH request to https://graph.microsoft.com/v1.0/servicePrincipals/{id} with {"accountEnabled": false} to disable sign-in or {"accountEnabled": true} to enable it. You’ll need Application.ReadWrite.All or Directory.ReadWrite.All permissions. I’ve used this in my automation setups and it works great, but grab the correct servicePrincipal ID with a GET request first.
Had this exact problem last month! Check the appRoleAssignmentRequired property - it works with accountEnabled. If it’s true, only assigned users can sign in even when accountEnabled is true. Totally caught me off guard during testing. Your token needs the right scopes or you’ll hit 403 errors.
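An added example, not code from any of the posters, showing the GET-then-PATCH flow the replies above describe with only the Python standard library. It assumes you supply the service principal object ID and a bearer token in GRAPH_TOKEN; `sign_in_state` folds in the appRoleAssignmentRequired caveat from the last reply so you can see the effective state before and after the change.

```python
import json
import os
import sys
import urllib.error
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
SELECT = "id,displayName,accountEnabled,appRoleAssignmentRequired,signInAudience"


def get_request(sp_id: str, token: str) -> urllib.request.Request:
    """GET the servicePrincipal first, as the replies recommend."""
    return urllib.request.Request(
        f"{GRAPH}/servicePrincipals/{sp_id}?$select={SELECT}",
        headers={"Authorization": f"Bearer {token}"})


def patch_request(sp_id: str, enabled: bool, token: str) -> urllib.request.Request:
    """PATCH /servicePrincipals/{id} with {"accountEnabled": true|false}."""
    return urllib.request.Request(
        f"{GRAPH}/servicePrincipals/{sp_id}", method="PATCH",
        data=json.dumps({"accountEnabled": enabled}).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})


def sign_in_state(sp: dict) -> str:
    """Who can sign in, combining accountEnabled with appRoleAssignmentRequired."""
    if not sp.get("accountEnabled", True):
        return "nobody (accountEnabled=false)"
    if sp.get("appRoleAssignmentRequired", False):
        return "assigned users only"
    return "all users"


def set_sign_in(sp_id: str, enabled: bool, token: str) -> dict:
    """GET, report, PATCH, then re-read; a 403 means the token lacks the scopes."""
    try:
        with urllib.request.urlopen(get_request(sp_id, token)) as r:
            sp = json.load(r)
        print(f"{sp['displayName']}: before -> {sign_in_state(sp)}")
        with urllib.request.urlopen(patch_request(sp_id, enabled, token)) as r:
            assert r.status == 204  # Graph answers 204 No Content on success
        with urllib.request.urlopen(get_request(sp_id, token)) as r:
            sp = json.load(r)  # may still show the old value for a short while
    except urllib.error.HTTPError as e:
        sys.exit(f"Graph returned {e.code}: check Application.ReadWrite.All scope")
    print(f"{sp['displayName']}: after  -> {sign_in_state(sp)}")
    return sp


if __name__ == "__main__":  # usage: GRAPH_TOKEN=... python sp_signin.py <sp-id> on|off
    set_sign_in(sys.argv[1], sys.argv[2] == "on", os.environ["GRAPH_TOKEN"])
```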