
ENG-2766: Add isDisabled and web to Entra Graph $select fields#7734

Merged: dsill-ethyca merged 4 commits into main from ENG-2766-entra-graph-select on Mar 25, 2026

@dsill-ethyca
Contributor

Description of Changes

Adds isDisabled and web to the Microsoft Graph $select query for the Entra /applications endpoint.

isDisabled — Needed to detect deactivated app registrations. Maps to INACTIVE app_status in fidesplus, enabling the IDP monitor to filter out disabled apps (matching Okta's behavior).

web — Contains homePageUrl and redirectUris used by the Entra domain extractor to resolve vendor domains for Compass matching and Brandfetch logos. Without this field, domain extraction only works via LLM fallback.

Related PRs

  • fidesplus#3273 — ENG-2766: Entra monitor execution (consumes these fields)

Code Changes

  • src/fides/api/service/connectors/entra_http_client.py — Updated APPLICATIONS_SELECT constant

Steps to Confirm

  1. Configure an Entra connection with a mix of active and disabled apps
  2. Run an Entra IDP monitor scan
  3. Verify disabled apps (isDisabled: true) are filtered out
  4. Verify apps with web.homePageUrl have domains extracted

Pre-Merge Checklist

  • All CI checks passing
  • Corresponding fidesplus PR updated to use new fields

🤖 Generated with Claude Code

isDisabled is needed to detect deactivated apps (maps to INACTIVE
app_status). web is needed for domain extraction via homePageUrl.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

dsill-ethyca and others added 2 commits March 23, 2026 16:13
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@dsill-ethyca dsill-ethyca marked this pull request as ready for review March 23, 2026 20:27
@dsill-ethyca dsill-ethyca requested a review from a team as a code owner March 23, 2026 20:27
@dsill-ethyca dsill-ethyca requested review from thabofletcher and removed request for a team March 23, 2026 20:27
@greptile-apps
Contributor

greptile-apps bot commented Mar 23, 2026

Greptile Summary

This PR adds two fields — isDisabled and web — to the APPLICATIONS_SELECT constant used when querying the Microsoft Graph /applications endpoint. isDisabled enables detection of deactivated app registrations (to match Okta's INACTIVE status behavior in fidesplus), while web provides homePageUrl and redirectUris used by the Entra domain extractor for Compass matching and Brandfetch lookups.

  • web is a standard, well-documented property of the Microsoft Graph application resource type.
  • The comment on APPLICATIONS_SELECT was changed to reference only "IDP monitor discovery", but this constant also serves as the default select parameter in test_connection() (via _list_applications(top=1)) — a minor documentation gap.
  • No logic changes; the sole behavioral change is the expanded $select query sent to Microsoft Graph.

Confidence Score: 5/5

  • Safe to merge — the change is a small, targeted string constant update with only a minor comment inaccuracy.
  • The diff is minimal (one constant updated, one changelog entry added), both new fields are consumed by the companion fidesplus PR, and web is a documented Graph property. The only issue is a comment that no longer reflects the full usage of the constant. No logic, tests, or API contracts are broken.
  • No files require special attention.

Important Files Changed

Filename | Overview
src/fides/api/service/connectors/entra_http_client.py | Adds isDisabled and web to the APPLICATIONS_SELECT constant; the comment no longer reflects that this constant is also used in connection testing.
changelog/7734-entra-graph-select-fields.yaml | Standard changelog entry for the PR — no issues.

Reviews (1): Last reviewed commit: "Fix ruff format: combine string literals..."

@claude claude bot left a comment

The change itself is minimal and well-structured — the existing tests import APPLICATIONS_SELECT by reference so they'll pick up the new fields without any changes needed there.

One concern worth investigating: isDisabled is a property on the servicePrincipal resource in Microsoft Graph v1.0, not the application resource. Querying /v1.0/applications with $select=isDisabled will likely result in that field being silently omitted from responses (Graph ignores unrecognized $select fields rather than erroring), meaning the downstream inactive-app filtering in fidesplus would silently do nothing.

The standard way to detect disabled app registrations in Entra is to query the corresponding servicePrincipal and check accountEnabled. If the author has confirmed isDisabled is actually populated in responses from this endpoint (e.g. via a real Entra tenant test), this concern is resolved — otherwise it may need a follow-up to use the correct field/endpoint.

The web field addition looks correct — it is a valid top-level property on the application resource and contains homePageUrl and redirectUris as described.

APPLICATIONS_SELECT = "id,appId,displayName,createdDateTime,description,signInAudience"
# $select fields for IDP monitor discovery
APPLICATIONS_SELECT = (
"id,appId,displayName,createdDateTime,description,signInAudience,isDisabled,web"
isDisabled is a property on the servicePrincipal resource in Microsoft Graph v1.0, not the application resource. The /v1.0/applications endpoint returns application objects, which don't have a top-level isDisabled field.

If you include an unrecognized $select field, Graph silently omits it from the response (no error), so this won't break anything — but isDisabled will always be absent from the returned objects and the downstream null-check / inactive filtering in fidesplus won't work as intended.

To check disabled state for app registrations you'd typically query the corresponding servicePrincipal via /v1.0/servicePrincipals?$filter=appId eq '<appId>'&$select=accountEnabled (the accountEnabled field on servicePrincipal is the canonical way to detect disabled apps in Entra).

Worth confirming you're seeing isDisabled populated in actual test runs against a real Entra tenant, or that this is a beta/preview field that works on this endpoint.

Contributor Author

FYI isDisabled select works on an actual graph request
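
The failure mode discussed in this review thread (a requested $select field that never comes back, so inactive filtering silently does nothing) can be caught with a check like the following. This is an added example, not code from the PR or from fides/fidesplus; `missing_select_fields`, `app_status`, the UNKNOWN status and the sample objects are hypothetical and constructed for illustration.

```python
from typing import Any

# Same value as the updated constant shown in the PR.
APPLICATIONS_SELECT = (
    "id,appId,displayName,createdDateTime,description,signInAudience,isDisabled,web"
)


def missing_select_fields(select: str, apps: list[dict[str, Any]]) -> set[str]:
    """Return requested $select fields that appear as a key in none of the objects."""
    if not apps:
        return set()  # nothing returned, so nothing can be concluded
    requested = {field.strip() for field in select.split(",") if field.strip()}
    seen: set[str] = set()
    for app in apps:
        seen.update(app.keys())
    return requested - seen


def app_status(app: dict[str, Any]) -> str:
    """Map isDisabled to a status, keeping 'key absent' distinct from 'not disabled'."""
    if "isDisabled" not in app:
        return "UNKNOWN"  # assumption: never default a missing key to ACTIVE
    return "INACTIVE" if app["isDisabled"] is True else "ACTIVE"


def _sample_app(app_id: str, name: str, disabled: bool) -> dict[str, Any]:
    # Constructed object shaped after the selected fields; not a captured response.
    return {
        "id": f"obj-{app_id}",
        "appId": app_id,
        "displayName": name,
        "createdDateTime": "2026-01-01T00:00:00Z",
        "description": None,
        "signInAudience": "AzureADMyOrg",
        "isDisabled": disabled,
        "web": {"homePageUrl": f"https://{name}.example.com", "redirectUris": []},
    }


SAMPLE_APPS = [_sample_app("a1", "hr-portal", True), _sample_app("b2", "wiki", False)]
# The same objects with the key dropped, as the review comment fears would happen.
SAMPLE_APPS_OMITTED = [
    {k: v for k, v in app.items() if k != "isDisabled"} for app in SAMPLE_APPS
]
```

Running `missing_select_fields` over the first page of a scan and logging a non-empty result turns a silent omission into a visible signal.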

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
Contributor

@adamsachs adamsachs left a comment

👍

@dsill-ethyca dsill-ethyca added this pull request to the merge queue Mar 25, 2026
Merged via the queue into main with commit f528475 Mar 25, 2026
57 checks passed
@dsill-ethyca dsill-ethyca deleted the ENG-2766-entra-graph-select branch March 25, 2026 15:19