Teams Shows “App Connected” but There Is No App in Teams (In-Depth Guide Using a Different Example)

Sometimes you open the Teams admin center and see an entry near the bottom that looks like:

“ServiceNow connected” (or “Connected app”, “App connected”, “Integration connected”)

But then you search everywhere and realize:

• there is no ServiceNow app in the Teams client
• it does not show up under Teams apps → Manage apps
• you never deployed it via an app setup policy

This can feel like Teams is lying. It is not. You are usually looking at an Entra ID enterprise application (service principal) that exists independently of a Teams Store app.

This post explains what that means, why it happens, and how to remove or lock it down safely, using ServiceNow as the example.

---

The Key Concept: Teams Apps vs Connected Identity Integrations

Teams has two “app worlds” that often get mixed up.

1) Teams Store apps (visible to users)

These are the apps most admins think about:

• Managed in Teams admin center → Teams apps
• Visible in the Teams client Apps store
• Controlled by:
  • Permission policies (allow/block)
  • Setup policies (pinning)
  • App catalog visibility

If an app is truly a Teams app package, you should be able to find it under Manage apps.

2) Entra enterprise applications (identity integrations)

These are Entra ID objects used for:

• SSO (Single Sign-On)
• OAuth/API access to Microsoft Graph
• Bots and integrations
• Connector-style integrations that need permissions

These live in:

• Microsoft Entra admin center → Enterprise applications

A connected integration can exist even if there is no Teams Store app installed, because the integration is really about authentication and permissions, not a visible Teams “app tile”.

That is why you can see “ServiceNow connected” even though the ServiceNow Teams app is not present.

---

Why This Happens (Real Scenarios)

Here are the most common reasons an “app connected” entry exists without an actual Teams app:

1) Admin consent was granted during testing

An admin may have clicked Accept / Grant admin consent when a third-party integration requested permissions.

Even if the Teams UI app was never deployed, that consent creates an enterprise application in Entra.

2) User consent created it (if allowed in your tenant)

If user consent is not restricted, a user can authorize a third-party integration and create the service principal.

3) An integration was removed but the Entra object remained

Teams app removed, connector removed, or pilot ended. The enterprise app stays.

4) The integration was for something else, not Teams

ServiceNow might have been connected to:

• Microsoft 365 for SSO
• Graph for user profile data
• Outlook add-ins
• provisioning or SCIM

Teams may still surface it as “connected” because it is related to Microsoft identity and permissions.

---

What to Do (Safe Step-by-Step)

Step 1: Confirm the object exists in Entra (this is the source of truth)

Go to Microsoft Entra admin center:

1. Identity → Applications → Enterprise applications
2. Search for: ServiceNow (or the app name shown as connected)
3. Open the app and note:
   • Publisher (verified publisher matters)
   • Application ID
   • Created date
   • Enabled for users to sign in (Yes/No)

What you are proving

If ServiceNow exists in Enterprise applications, then the “connected” item is an identity integration, not a Teams Store app.

---

Step 2: Determine if it is actually being used (do not delete blindly)

Inside the enterprise application:

A) Check sign-in logs

• Sign-in logs
• Filter last 7 days and 30 days

If you see sign-ins: the integration is active. Deleting it will break SSO or an automation.
If no sign-ins: it may be unused or used only for background access.

B) Check Users and groups assignments

• Users and groups
• If assigned to users/groups, assume it is in use.

C) Check Permissions and consent

Go to Permissions (wording varies) and look for:

• Admin consent granted
• High-impact permissions:
  • directory read/write
  • group read/write
  • offline_access
  • read mailbox data (depending on integration)

This step is important from a security perspective. Even an unused enterprise app can represent risk if it has broad permissions.

---

Step 3: Confirm there is no Teams Store package

In Teams admin center:

1. Teams apps → Manage apps
2. Search:
   • ServiceNow
   • Also try brand variants (for UKG you would also try “Kronos”; for other apps, try old names)
3. Check status and publisher.

If nothing appears, you are very likely dealing with an enterprise app only.

---

Your Remediation Options (Choose the Right Level of Risk)

Option A: Disable sign-in first (best for uncertain situations)

If you are not 100% sure whether the integration is needed:

1. Entra → Enterprise applications → ServiceNow → Properties
2. Set Enabled for users to sign-in = No

Why this is the best first move

• It is reversible in seconds
• It stops interactive use immediately
• You can monitor and confirm whether anyone complains or whether sign-in logs show failures

Monitor for 24–72 hours. If nothing breaks, move to deletion.

---

Option B: Delete the enterprise application (only after confirming it is not needed)

If you confirm:

• no sign-ins,
• no assignments,
• no dependency on it,

then delete:

• Entra → Enterprise applications → ServiceNow → Properties → Delete

After deletion, Teams may take some time to stop showing it as “connected.” That is usually propagation and caching.

---

Option C: Keep it but lock it down (security best practice when it is legitimate)

If ServiceNow is used by HR/IT but you want governance:

• Require assignment
• Limit to a dedicated group
• Review permissions and remove unnecessary scopes
• Restrict user consent tenant-wide (or limit it to verified publishers)
• Apply Conditional Access policies (if appropriate)

This is often the most realistic solution in enterprise environments.

---

Why Teams Still Shows It After You Remove Things

Even after you remove the Teams app (or never had it), the Entra enterprise application can remain. Teams is effectively reflecting that Microsoft identity object is still present in your tenant.

If you delete the enterprise application and the Teams UI still shows it:

• wait for propagation
• sign out/in to the admin center
• verify there is not a second similarly-named enterprise app (common with integrations)

---

Quick “Do I Delete This?” Checklist

You can generally delete if all are true:

• No sign-ins in last 30 days
• No assignments (Users and groups empty)
• Not used by any business system (confirm with app owner)
• Permissions are not required for another integration

If any are unclear, disable sign-in first.

---