Forum Discussion

AzAutomationEngineer's avatar
AzAutomationEngineer
Copper Contributor
Jul 03, 2026

Made a self-hosted Entra ID governance portal for app/identity sprawl (open source)

Our tenant ended up with hundreds of app registrations and enterprise apps, and the native portal makes you dig through a separate blade for every basic question. Who owns this app? Which secrets die next month? What hasn't been signed into in a year? Which ones have scary Graph permissions? There's no single view for any of it, and half the ownership info was missing anyway.

Entra ID Governance, access reviews, PIM all exist, but they felt heavy (and licensed) for what I actually wanted, which was just a fast list I could scan for routine cleanup.

So I built one. Lightweight portal that runs entirely in your own subscription:

  • One grid for App Registrations, Enterprise Apps, Managed Identities and Privileged Users
  • Risk flags per identity: expiring/expired creds, high-risk permissions, no owner, stale sign-in, no CA coverage
  • Ownership tracking, review and owner-change workflow, CSV export
  • Tenant health score and a consent posture dashboard
  • Optional expiry email notifications (needs a SendGrid key)
  • Reads Graph through a managed identity, so no app secrets for data access and nothing leaves your tenant

Runs about $26-30/month (one B2 App Service plan). B1 is also supported, but it's noticeably slower.

It's not a replacement for Entra ID Governance or PIM, more of a cheap everyday hygiene thing.

Full disclosure, I used AI building this and writing this up. I designed the architecture and functionality, tested it and ran it against my own tenant. It's open source and deployable with Azure DevOps or an Azure CLI script. Data never leaves your own tenant.

Repo (screenshots + setup): https://github.com/nicolaibaralmueller/entra-identity-governance-portal

Would love feedback, especially what you'd want it to flag that it doesn't, or where the risk scoring feels off. Been building it on and off for a few months with a lot of iteration. Hopefully this could be useful for others as well. 

2 Replies

  • Hi, this is a very useful idea, especially for tenants with lots of app registrations and enterprise apps. I would make sure the portal is read-only by default, uses least-privilege Microsoft Graph permissions, and logs every action clearly. Identity governance tooling can help a lot, but only if permissions and audit trails are handled carefully

    • AzAutomationEngineer's avatar
      AzAutomationEngineer
      Copper Contributor

      That's actually how it's built:

      • Read-only portal. The web portal can only view — it never writes to the directory. Any change (owner updates, tagging, deletions) is done separately by an admin running a script, not from the UI. 
      • Least-privilege Graph. The app uses only read scopes - Application.Read.All, Directory.Read.All, Policy.Read.All, AuditLog.Read.All, etc. No write permissions.
      • Clear audit trail. Every action is logged with the signed-in user's identity, so there's a full record of who did what.


      Appreciate the thoughtful feedback. Permissions and auditability were the first things I locked down.