Forum Discussion
AzAutomationEngineer
Jul 03, 2026Copper Contributor
Made a self-hosted Entra ID governance portal for app/identity sprawl (open source)
Our tenant ended up with hundreds of app registrations and enterprise apps, and the native portal makes you dig through a separate blade for every basic question. Who owns this app? Which secrets die...
Jamony
Jul 07, 2026MCT
Hi, this is a very useful idea, especially for tenants with lots of app registrations and enterprise apps. I would make sure the portal is read-only by default, uses least-privilege Microsoft Graph permissions, and logs every action clearly. Identity governance tooling can help a lot, but only if permissions and audit trails are handled carefully
AzAutomationEngineer
Jul 07, 2026Copper Contributor
That's actually how it's built:
- Read-only portal. The web portal can only view — it never writes to the directory. Any change (owner updates, tagging, deletions) is done separately by an admin running a script, not from the UI.
- Least-privilege Graph. The app uses only read scopes - Application.Read.All, Directory.Read.All, Policy.Read.All, AuditLog.Read.All, etc. No write permissions.
- Clear audit trail. Every action is logged with the signed-in user's identity, so there's a full record of who did what.
Appreciate the thoughtful feedback. Permissions and auditability were the first things I locked down.