
Get a complete Entra ID service principal inventory with secret age, scope, and a named owner for every one


Quick Summary: Entra ID service principals multiply faster than any team can track manually — scattered across app registrations, enterprise apps, and managed identities, often with expired or aging secrets. Oleria, an AI-native identity security & governance platform, consolidates every service principal into one inventory with secret age, permission scope, and a named owner.

Outcome

Entra spreads your service principals across three separate portal views - and still doesn't show you which secrets are stale, which permissions are over-scoped, or which principals haven't authenticated this year. Oleria consolidates all of it into one inventory with the queues to act on what you find.

The reality

Entra service principals are created every time someone adds an enterprise app, registers an OAuth integration, federates a CI/CD pipeline, or stands up a managed identity. The Entra portal shows them but spreads them across three views with overlapping but not identical information: "Enterprise applications," "App registrations," and "Managed identities." Cross-referencing the three views one app at a time is the work most identity teams do quarterly when they remember.

The numbers are not subtle. CISA and industry practitioners have documented Azure tenants with hundreds of service principals unused for 30+ days - real numbers from real environments. Most enterprise tenants carry hundreds to thousands of app registrations. Microsoft's Midnight Blizzard breach last year started with a forgotten test-tenant OAuth app holding Mail.Read across the entire org - exactly the pattern that hides in unsegmented Entra inventories.

What makes this stubborn is the secret hygiene problem. Each app registration can have multiple client secrets, multiple certificates, and federated credentials. Each one rotates on its own schedule. Detecting which ones are stale, which ones are about to expire, and which ones should migrate from client secrets to certs to federation means querying Graph and joining the results yourself - one app at a time, then again next quarter. The portal is a reference; Oleria gives you the operating model to drive the queues to zero.

What you get with Oleria

One unified Entra ID Service Principal Inventory - the portal's three views collapsed into a single queryable graph. Service principals, app registrations, managed identities, and federated credentials normalized together, so nothing slips between views.

Automatic secret and certificate hygiene queue. Client secret last-rotated, certificate expiry, federated credentials configured - all surfaced. Migration candidates (client secret to certificate to federation) appear automatically. The hygiene backlog you've been meaning to build is already built.

Permission scope clarity that flags what actually matters. Application versus delegated permissions, admin-consent versus end-user-consent, and sensitive Graph scopes (Mail.Read, Files.Read.All, Directory.ReadWrite.All) flagged automatically - so the risky ones don't hide in noise.

Dormancy detection that turns cleanup into a 30-minute weekly cycle. Last sign-in per service principal, with configurable dormancy thresholds. Dormant principals become a short, owner-aware cleanup queue instead of a quarterly surprise.
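One way to compute the hygiene signals described above (secret age, migration candidates, sensitive-scope flags, dormancy, missing owner) and turn them into per-team queues, as an added example that is not Oleria's code: the records are a constructed, simplified flattening I assume you would build after querying Graph (the field names are my own, not Graph's schema), and the thresholds are the page's 180 and 90 days.

```python
from datetime import datetime, timezone
# Application permissions the page singles out as sensitive Graph scopes
SENSITIVE_SCOPES = {"Mail.Read", "Files.Read.All", "Directory.ReadWrite.All"}
# Constructed sample. Field names are an assumed flattening of what a Graph
# query over apps, credentials and sign-in activity returns, not Graph's schema.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
APPS = [
    {"name": "legacy-mail-sync", "owners": [], "secrets": ["2023-09-01T00:00:00Z"],
     "certs": [], "federated": [], "app_permissions": ["Mail.Read"],
     "last_sign_in": "2023-11-12T08:00:00Z"},
    {"name": "ci-deployer", "owners": ["platform@example.com"], "secrets": [],
     "certs": [], "federated": ["token.actions.githubusercontent.com"],
     "app_permissions": ["Files.Read.All"], "last_sign_in": "2025-05-30T00:00:00Z"},
    {"name": "reporting-bot", "owners": ["bi@example.com"],
     "secrets": ["2025-04-15T00:00:00Z", "2024-01-01T00:00:00Z"], "certs": [],
     "federated": [], "app_permissions": ["User.Read.All"], "last_sign_in": None},
]

def parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None

def oldest_secret_age_days(app, now=NOW):
    """Age in days of the oldest client secret by start date; None if no secrets."""
    starts = [parse(s) for s in app["secrets"]]
    return max((now - s).days for s in starts) if starts else None

def triage(app, now=NOW, max_secret_age=180, dormant_after=90):
    """Hygiene flags for one app; each flag feeds one of the page's queues."""
    flags = []
    age = oldest_secret_age_days(app, now)
    if age is not None and age > max_secret_age:
        flags.append("secret-rotation")      # platform team queue
    if age is not None and not app["certs"] and not app["federated"]:
        flags.append("migration-candidate")  # client secret -> cert -> federation
    if set(app["app_permissions"]) & SENSITIVE_SCOPES:
        flags.append("sensitive-scope")      # security team queue
    last = parse(app["last_sign_in"])
    if last is None or (now - last).days > dormant_after:
        flags.append("dormant")              # identity team queue; never-used counts
    if not app["owners"]:
        flags.append("no-owner")             # nothing can be assigned until owned
    return flags

def build_queues(apps, now=NOW):
    """Invert per-app flags into per-queue lists of app names."""
    queues = {}
    for app in apps:
        for flag in triage(app, now):
            queues.setdefault(flag, []).append(app["name"])
    return queues
```

In a real tenant the `APPS` list would be produced by joining the application, credential and sign-in data you pull from Graph; the rest of the logic does not change.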

What Oleria delivers

The Entra ID Service Principal Inventory consolidates all three Entra portal views into one audit-ready graph — secret age, scope, and named owners included.

AT A GLANCE

  • Entra NHI inventory: three portal views unified
  • Secret hygiene queue: auto-built
  • Dormancy: 30-minute weekly cycle

What it looks like in your environment

You connect Entra. Within an hour, the inventory shows 1,847 enterprise app registrations, 412 managed identities (286 system-assigned, 126 user-assigned), 89 federated credentials. Of the app registrations, 234 hold sensitive Graph scopes. 178 have client secrets older than 180 days. 47 are dormant - no sign-in in 90 days. 23 hold Mail.Read at tenant scope and were last used in 2023 - the Midnight Blizzard pattern. The identity team takes the dormant queue, the security team takes the sensitive-scope queue, the platform team takes the secret-rotation queue. Six weeks later, dormant SPs are decommissioned, sensitive-scope apps have named reviewers, and client secrets are migrating to certs and federation on a tracked cadence.

How it works

  1. Connect - Read-only OAuth to Entra. Inventory builds in under an hour.
  2. Ask - Filter by app type, scope sensitivity, secret age, last-used.
  3. Review - Sort by risk - dormant, sensitive scope, non-rotated secret, no owner.
  4. Act - Assign owners, rotate secrets, decommission, or hand to remediation workflow.

What good looks like

  • Entra NHI inventory: from three fragmented portal views to one unified, continuously refreshed graph.
  • Secret rotation: from "178 client secrets older than 180 days" to zero, with a tracked migration plan to certs and federation.
  • Dormant service principals: from quarterly-surprise decommission to a standing weekly 30-minute hygiene cycle.
  • Sensitive-scope apps (Mail.Read, Directory-level): from untracked to named reviewers and quarterly attestation on every one.

Your Entra service principals deserve the same governance rigor as every other identity class.

Get a complete Entra ID Service Principal Inventory — with secret age, permission scope, and named owners — and drive every hygiene queue to zero. Oleria, an AI-native identity security & governance platform, makes it audit-ready in hours.

Frequently Asked Questions

How is this different from the Entra admin portal?

The portal shows you data spread across three views and stops at Entra. Oleria normalizes the three Entra surfaces and joins them with NHI inventory across other apps. It also computes signals - dormancy thresholds, secret age, sensitive-scope flagging - the portal doesn't pre-compute. The portal is a reference; the operating model is what you build on top.

What about managed identities?

Both system-assigned and user-assigned managed identities are inventoried. Their effective access - RBAC role assignments at subscription, resource group, and resource scopes - joins the same graph. Managed identities are the fastest-growing NHI type in Azure; you should treat them the same as service principals.

Can the on-prem AD agent extend to Entra?

The on-prem agent is for AD only. Entra connects via cloud-side OAuth. The two combine into one identity graph for hybrid environments - which matters because hybrid is where most identity teams actually live.

Does this work for federated service principals and workload identities?

Yes - federated credentials, workload identities, and managed identities all surface in the same inventory. Federated credentials get their own hygiene signals (issuer, subject, audience) since they have no rotating secrets to track.

How does this help with PCI-DSS or SOC 2 audits?

Entra service principals are in scope for least-privilege controls in SOC 2 CC6 and PCI-DSS 7. The inventory, dormancy evidence, and secret-rotation cadence export as audit-ready evidence rather than a manual collection project.