Forum Discussion
Made a self-hosted Entra ID governance portal for app/identity sprawl (open source)
Our tenant ended up with hundreds of app registrations and enterprise apps, and the native portal makes you dig through a separate blade for every basic question. Who owns this app? Which secrets die next month? What hasn't been signed into in a year? Which ones have scary Graph permissions? There's no single view for any of it, and half the ownership info was missing anyway.
Entra ID Governance, access reviews and PIM all exist, but they felt heavy (and licensed) for what I actually wanted, which was just a fast list I could scan for routine cleanup.
So I built one. Lightweight portal that runs entirely in your own subscription:
- One grid for App Registrations, Enterprise Apps, Managed Identities and Privileged Users
- Risk flags per identity: expiring/expired creds, high-risk permissions, no owner, stale sign-in, no CA coverage
- Ownership tracking, review and owner-change workflow, CSV export
- Tenant health score and a consent posture dashboard
- Optional expiry email notifications (needs a SendGrid key)
- Reads Graph through a managed identity, so no app secrets for data access and nothing leaves your tenant
Runs at about $26-30/month (one B2 App Service plan). B1 is also supported, but it's noticeably slower.
It's not a replacement for Entra ID Governance or PIM, more of a cheap everyday hygiene thing.
Full disclosure: I used AI while building this and writing this up. I designed the architecture and functionality, tested it, and ran it against my own tenant. It's open source and deployable with Azure DevOps or an Azure CLI script. Data never leaves your own tenant.
Repo (screenshots + setup): https://github.com/nicolaibaralmueller/entra-identity-governance-portal
Would love feedback, especially what you'd want it to flag that it doesn't, or where the risk scoring feels off. Been building it on and off for a few months with a lot of iteration. Hopefully this could be useful for others as well.
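The per-identity risk flags the post lists (expired/expiring credentials, high-risk permissions, no owner, stale sign-in) are the kind of thing a reviewer will want to see spelled out. The following is an added example, not code from the portal or its author: it takes records shaped like Microsoft Graph `/applications` items (the `passwordCredentials`/`keyCredentials` `endDateTime` fields follow the Graph schema; the `owners`, `grantedAppRoles` and `signInActivity` keys are assumed to have been pre-joined by the caller, since Graph serves owners, app role assignments and service-principal sign-in activity from separate endpoints) and computes the flags against constructed sample data. The high-risk role list is illustrative, not the project's.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Illustrative set of Graph application permissions (appRole values) a hygiene
# scan would treat as high risk. Assumption: the portal's real list is not on
# the page; these are well-known tenant-wide write roles.
HIGH_RISK_APP_ROLES = {
    "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
    "Application.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All",
    "Mail.ReadWrite",
    "Files.ReadWrite.All",
}


@dataclass
class AppRecord:
    display_name: str
    owners: list[str]                 # owner object ids; empty = unowned
    credential_expiries: list[datetime]
    app_roles: set[str]               # granted application permissions by value
    last_sign_in: datetime | None     # None = never observed


def _parse_ts(value: str) -> datetime:
    # Graph returns ISO-8601 with a trailing 'Z'; normalise to an aware UTC datetime.
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def from_graph_like(obj: dict) -> AppRecord:
    """Build an AppRecord from a dict shaped like a Graph /applications item.

    Assumption: 'owners', 'grantedAppRoles' and 'signInActivity' have been
    joined onto the item by the caller (Graph needs separate calls for them).
    """
    creds = obj.get("passwordCredentials", []) + obj.get("keyCredentials", [])
    sign_in = obj.get("signInActivity", {}).get("lastSignInDateTime")
    return AppRecord(
        display_name=obj["displayName"],
        owners=[o["id"] for o in obj.get("owners", [])],
        credential_expiries=[_parse_ts(c["endDateTime"]) for c in creds],
        app_roles=set(obj.get("grantedAppRoles", [])),
        last_sign_in=_parse_ts(sign_in) if sign_in else None,
    )


def flag_app(app: AppRecord, now: datetime,
             expiry_window: timedelta = timedelta(days=30),
             stale_after: timedelta = timedelta(days=365)) -> list[str]:
    """Return the hygiene flags raised for one app, in a stable order."""
    flags: list[str] = []
    if not app.owners:
        flags.append("no_owner")
    if any(exp <= now for exp in app.credential_expiries):
        flags.append("expired_credential")
    if any(now < exp <= now + expiry_window for exp in app.credential_expiries):
        flags.append("expiring_credential")
    risky = sorted(app.app_roles & HIGH_RISK_APP_ROLES)
    if risky:
        flags.append("high_risk_permissions:" + ",".join(risky))
    # An app with no recorded sign-in at all is treated as stale, not as clean.
    if app.last_sign_in is None or now - app.last_sign_in > stale_after:
        flags.append("stale_sign_in")
    return flags


def scan(objs: list[dict], now: datetime) -> dict[str, list[str]]:
    return {o["displayName"]: flag_app(from_graph_like(o), now) for o in objs}


# Constructed sample records (not real tenant data); the scan date is fixed
# so the result is reproducible.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_APPS = [
    {   # unowned, secret already expired, tenant-wide write permission, no sign-in for >1y
        "displayName": "legacy-sync-job",
        "owners": [],
        "passwordCredentials": [{"endDateTime": "2025-03-01T00:00:00Z"}],
        "keyCredentials": [],
        "grantedAppRoles": ["Directory.ReadWrite.All", "User.Read.All"],
        "signInActivity": {"lastSignInDateTime": "2024-01-15T08:00:00Z"},
    },
    {   # healthy except a secret that expires within 30 days
        "displayName": "hr-portal",
        "owners": [{"id": "0000-owner-1"}],
        "passwordCredentials": [{"endDateTime": "2025-06-20T00:00:00Z"}],
        "keyCredentials": [],
        "grantedAppRoles": ["User.Read.All"],
        "signInActivity": {"lastSignInDateTime": "2025-05-30T08:00:00Z"},
    },
    {   # owned, long-lived cert, but never signed in
        "displayName": "never-used-poc",
        "owners": [{"id": "0000-owner-2"}],
        "passwordCredentials": [],
        "keyCredentials": [{"endDateTime": "2027-01-01T00:00:00Z"}],
        "grantedAppRoles": [],
    },
]

if __name__ == "__main__":
    for name, flags in scan(SAMPLE_APPS, NOW).items():
        print(f"{name}: {', '.join(flags) or 'clean'}")
```

The expiry check compares against the scan time rather than the credential's own creation date, and a missing `signInActivity` is flagged stale rather than silently skipped, which is the case most likely to hide an abandoned app. Pass a different `now` or `expiry_window` to tune how far ahead the "dies next month" list looks.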