Welcome to Agustín Hernán Borrajo's cloud consulting microsite!

The main purpose of this site is to share my 20+ years of experience in Hybrid Cloud Infrastructure & Cybersecurity.
A detailed description of concrete work experience and skills can be found in my 2025 resume.
You can explore and read my online technical articles by expanding the menu below:

Programmatically audit MS Entra ID Service Principals with PowerShell, anticipating expirations.

MS Entra ID exposes a large number of Service Principal configuration properties through Microsoft Graph, which can be queried from PowerShell.
A Service Principal is an identity in MS Entra ID (formerly Azure AD) representing an application or automated process within a tenant.
A Service Principal is also the Enterprise Application object representing an app instance in a given tenant.
While an App Registration is the global application object, the Service Principal is its tenant-specific instance.
This article is a step-by-step guide that explains how to use EntraSPaudit.ps1 (entra-id-service-principal-audit-powershell 📑).

🔸 FIRST: Create an Entra ID App registration and configure its permissions and credentials; this is the identity PowerShell authenticates with to audit Entra ID Service Principals.
🔸 Grant the following Microsoft Graph application permissions, then Grant admin consent for Default Directory: Application.Read.All, AuditLog.Read.All, Directory.Read.All, ServicePrincipalEndpoint.Read.All, User.Read.All ▽

💠 IMPORTANT: Keep a copy of the Application (client) ID, the Directory (tenant) ID and the Client Secret value; the secret value is only displayed once, when it is created.

✅ REMEMBER: Before executing the script you need to set three environment variables in your PowerShell session (e.g. the VS Code terminal), as shown below ▽

💻 $env:MG_TENANTID = "<YOUR-TENANT-ID>"
💻 $env:MG_CLIENTID = "<YOUR-CLIENT-ID>"
💻 $env:MG_CLIENTSECRET = "<YOUR-CLIENTSECRET>"
💠 AUDIT: Run the PowerShell script ▽
💻 pwsh -File .\EntraSPaudit.ps1
🔸 OUTPUT: EntraSPaudit.ps1 generates a CSV file .\Entra_Service_Principal_Audit\Entra_Service_Principal_Audit_YYYY-MM-DD_HHMMhs.csv ▽
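The steps above (app-only credentials in three environment variables, a Graph query over every Service Principal, a timestamped CSV) are shown end to end in the following added example. It is not the EntraSPaudit.ps1 script itself; it is a compact re-implementation written for this page that assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Applications modules are installed and that the App registration holds the Read.All permissions listed above. The expiry window parameter, the Get-NextExpiry helper and the column subset it emits are this example's own choices.

```powershell
# Added example, not the project's EntraSPaudit.ps1: app-only audit of Service Principal
# credential expiry with the Microsoft Graph PowerShell SDK (modules assumed installed).
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications
param(
    [int]$ExpiryWindowDays = 30,                        # assumed: flag credentials ending within 30 days
    [string]$OutDir = ".\Entra_Service_Principal_Audit"
)

# 1. Read the three environment variables the article requires; fail fast if any is missing.
$tenantId     = $env:MG_TENANTID
$clientId     = $env:MG_CLIENTID
$clientSecret = $env:MG_CLIENTSECRET
foreach ($pair in @{ MG_TENANTID = $tenantId; MG_CLIENTID = $clientId; MG_CLIENTSECRET = $clientSecret }.GetEnumerator()) {
    if ([string]::IsNullOrWhiteSpace($pair.Value)) { throw "Environment variable $($pair.Key) is not set." }
}

# 2. App-only (client credential) sign-in: no interactive login, so it can run on a schedule.
$secure = ConvertTo-SecureString $clientSecret -AsPlainText -Force
$cred   = [pscredential]::new($clientId, $secure)
Connect-MgGraph -TenantId $tenantId -ClientSecretCredential $cred -NoWelcome

# Helper (this example's own): nearest EndDateTime across a set of password/key credentials.
function Get-NextExpiry {
    param([object[]]$Credentials)
    $Credentials | Where-Object { $_.EndDateTime } |
        Sort-Object EndDateTime | Select-Object -First 1 -ExpandProperty EndDateTime
}

$now  = [DateTime]::UtcNow
$rows = foreach ($sp in Get-MgServicePrincipal -All -Property Id,AppId,DisplayName,ServicePrincipalType,AccountEnabled,SignInAudience,PasswordCredentials,KeyCredentials,AppOwnerOrganizationId) {
    # 3. Cross-reference the App Registration (global object) when this tenant owns the application.
    $app = $null; $fedCount = 0; $appCreds = @()
    if ($sp.AppOwnerOrganizationId -eq $tenantId) {
        $app = Get-MgApplication -Filter "appId eq '$($sp.AppId)'" -Property Id,DisplayName,PasswordCredentials,KeyCredentials | Select-Object -First 1
        if ($app) {
            $appCreds = @($app.PasswordCredentials) + @($app.KeyCredentials)
            $fedCount = @(Get-MgApplicationFederatedIdentityCredential -ApplicationId $app.Id).Count
        }
    }
    # 4. Nearest expiry across SP secrets/certificates and App Registration secrets/certificates.
    #    Already-expired credentials yield a negative day count and are flagged too.
    $allCreds = @($sp.PasswordCredentials) + @($sp.KeyCredentials) + $appCreds
    $next     = Get-NextExpiry $allCreds
    $days     = if ($next) { [int]([DateTime]$next - $now).TotalDays } else { $null }
    $owners   = (Get-MgServicePrincipalOwner -ServicePrincipalId $sp.Id -All | ForEach-Object { $_.Id }) -join ';'

    [pscustomobject]@{
        ObjectType                  = 'ServicePrincipal'
        Id                          = $sp.Id
        DisplayName                 = $sp.DisplayName
        AppId                       = $sp.AppId
        ServicePrincipalType        = $sp.ServicePrincipalType
        AccountEnabled              = $sp.AccountEnabled
        SignInAudience              = $sp.SignInAudience
        PasswordCount               = @($sp.PasswordCredentials).Count
        NextCredentialExpiry        = $next
        NextExpiryDays              = $days
        ExpiringSoon                = ($null -ne $days -and $days -le $ExpiryWindowDays)
        ServicePrincipalOwners      = $owners
        AppReg_Name                 = $app.DisplayName
        AppReg_ObjectId             = $app.Id
        AppReg_FederatedCredentials = $fedCount
    }
}

# 5. Timestamped CSV, following the article's file naming.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$file = Join-Path $OutDir ("Entra_Service_Principal_Audit_{0:yyyy-MM-dd_HHmm}hs.csv" -f (Get-Date))
$rows | Sort-Object NextExpiryDays | Export-Csv -Path $file -NoTypeInformation -Encoding UTF8
Write-Host "Wrote $($rows.Count) rows to $file"
Disconnect-MgGraph | Out-Null
```

Run it as pwsh -File .\sp-audit-example.ps1 -ExpiryWindowDays 45 after the three MG_* variables are set. The AppOwnerOrganizationId check matters: Service Principals for multi-tenant apps owned elsewhere have no App Registration in your tenant, so only their own SP credentials are inspected, while principals your tenant owns get both the SP and App Registration secrets folded into the nearest-expiry calculation.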

🔸 EntraSPaudit.ps1 outputs a timestamped CSV suitable for SIEM ingestion or remediation workflows ▽

✅ Advantage 1: Centralized inventory to detect unused, orphaned, or risky Service Principals
✅ Advantage 2: Identifies expiring or expired credentials to prevent authentication outages
✅ Advantage 3: Exposes owners and notification addresses for rapid remediation contact
✅ Advantage 4: Correlates sign-in counts to prioritize cleanup of dormant principals
✅ Advantage 5: Shows federated credentials to audit external workload identity trust
✅ Advantage 6: Provides App Registration linkage for lifecycle and developer ownership actions
✅ Advantage 7: App-only authentication enables non-interactive scheduled audits and automation
✅ CSV column :: ObjectType indicates record type, aids filtering and automation
✅ CSV column :: AppOwnerOrganizationId reveals application owning tenant for multi-tenant tracking
✅ CSV column :: ServicePrincipalType distinguishes managed identities from application principals
✅ CSV column :: Id provides the SP object id for targeted Graph remediation
✅ CSV column :: DisplayName gives a human-friendly identifier for tickets and reviews
✅ CSV column :: AppId links sign-ins and app registrations to the SP
✅ CSV column :: Tags classify SPs for automated policies or scope-based reviews
✅ CSV column :: SignInAudience highlights intended scope and potential external exposure
✅ CSV column :: PasswordCount surfaces number of client secrets requiring rotation oversight
✅ CSV column :: NextCredentialExpiry shows the nearest expiry for rotation planning
✅ CSV column :: NextExpiryDays gives urgency for scheduling credential replacement
✅ CSV column :: ExpiringSoon flags credentials within the configured expiry window
✅ CSV column :: PreferredSingleSignOnMode documents SSO configuration affecting authentication flows
✅ CSV column :: PreferredTokenSigningKeyThumbprint helps troubleshoot token validation and rollover
✅ CSV column :: Homepage and LoginUrl validate declared application endpoints for legitimacy
✅ CSV column :: ReplyUrls lists redirect URIs to audit OAuth redirect configurations
✅ CSV column :: ServicePrincipalNames lists aliases used for discovery and de-duplication
✅ CSV column :: NotificationEmailAddresses provides contacts for operational notifications and alerts
✅ CSV column :: AccountEnabled indicates whether the SP is active for quick quarantine decisions
✅ CSV column :: AppRoleAssignmentRequired and AppRoles reveal authorization patterns and privileges
✅ CSV column :: ServicePrincipalOwners identifies responsible owners for notifications and approvals
✅ CSV column :: AppReg_Name and AppReg_ObjectId cross-reference the application registration
✅ CSV column :: AppReg_KeyCredentials and status expose certificate expiry and replacement needs
✅ CSV column :: AppReg_PasswordCredentials and status reveal client secret lifecycle information
✅ CSV column :: AppReg_FederatedCredentials surfaces external identity federation bindings for review
✅ CSV column :: LastSignIn and SignInCount help find unused or suspicious Service Principals
✅ CSV column :: AdditionalProperties preserves other SP attributes for deeper diagnostics
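The advantages and columns listed above become actionable once the CSV is consumed by a remediation workflow. The following added example, written for this page and not part of the entra-id-service-principal-audit-powershell project, turns a handful of those columns (AccountEnabled, NextExpiryDays, ExpiringSoon, ServicePrincipalOwners, SignInCount, AppReg_FederatedCredentials) into a scored remediation queue. The sample rows, their value formats (True/False strings, integer day counts) and the scoring weights are constructed assumptions for illustration.

```powershell
# Added example (not part of EntraSPaudit.ps1): triage an audit CSV into a prioritised remediation list.
# Column names follow the article; the sample rows and their value formats below are constructed.
$sampleCsv = @'
Id,DisplayName,AccountEnabled,NextExpiryDays,ExpiringSoon,ServicePrincipalOwners,SignInCount,AppReg_FederatedCredentials
11111111-0000-0000-0000-000000000001,payroll-sync,True,-12,True,,42,0
11111111-0000-0000-0000-000000000002,ci-deployer,True,9,True,owner-a@example.com,310,2
11111111-0000-0000-0000-000000000003,legacy-reporting,True,120,False,,0,0
11111111-0000-0000-0000-000000000004,retired-tool,False,-200,True,,0,0
'@

function Get-SpRemediationPriority {
    param(
        [Parameter(Mandatory)][object[]]$Rows,
        [int]$DormantSignInThreshold = 0          # assumed: 0 sign-ins in the audit window means dormant
    )
    foreach ($r in $Rows) {
        $enabled = [bool]::Parse($r.AccountEnabled)
        $days    = if ($r.NextExpiryDays -ne '') { [int]$r.NextExpiryDays } else { $null }
        $reasons = [System.Collections.Generic.List[string]]::new()
        $score   = 0

        # Outage risk first: an enabled SP whose nearest credential has already expired.
        if ($enabled -and $null -ne $days -and $days -lt 0) {
            $score += 100; $reasons.Add('credential already expired on an enabled SP: outage risk')
        } elseif ($enabled -and [bool]::Parse($r.ExpiringSoon)) {
            $score += 50;  $reasons.Add("credential expires in $days days")
        }
        # Nobody to contact slows every remediation.
        if ([string]::IsNullOrWhiteSpace($r.ServicePrincipalOwners)) {
            $score += 20;  $reasons.Add('no owner recorded')
        }
        # Dormant but enabled principals are cleanup candidates.
        if ($enabled -and [int]$r.SignInCount -le $DormantSignInThreshold) {
            $score += 30;  $reasons.Add('dormant: no sign-ins in the audit window')
        }
        # External workload identity trust deserves a review even when nothing is expiring.
        if ([int]$r.AppReg_FederatedCredentials -gt 0) {
            $score += 10;  $reasons.Add('federated credentials present: review external trust')
        }
        # Disabled principals cannot cause an outage; cap their score and mark for deletion review.
        if (-not $enabled) {
            $score = [Math]::Min($score, 5); $reasons.Add('disabled: candidate for deletion')
        }
        [pscustomobject]@{ Id = $r.Id; DisplayName = $r.DisplayName; Score = $score; Reasons = ($reasons -join '; ') }
    }
}

$rows = $sampleCsv | ConvertFrom-Csv
Get-SpRemediationPriority -Rows $rows | Sort-Object Score -Descending | Format-Table -AutoSize
```

With the constructed rows, payroll-sync (expired, enabled, ownerless) tops the queue, ci-deployer follows on expiry plus federated trust, legacy-reporting is flagged as dormant and ownerless, and retired-tool is capped as a disabled deletion candidate. Swap $sampleCsv for Import-Csv over the real Entra_Service_Principal_Audit_*.csv to run it on production output.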

📂 entra-id-service-principal-audit-powershell 📑

LinkedIn reference to this article


 This article was originally published on 2025-OCT-27 and last reviewed on 2025-OCT-27.