
I got tired of having no visibility into our Entra ID identity sprawl, so I built a self-hosted governance portal (open source, runs in your own tenant)
The problem
Our tenant slowly accumulated hundreds of app registrations and ~800 enterprise apps. The native Entra portal makes you click into a separate blade to answer basic questions: who owns this app? which secrets expire next month? what hasn't been signed into in a year? which apps hold high-risk Graph permissions? There's no single pane, and ownership data is scattered or just missing.
Entra ID Governance / access reviews / PIM exist, but they're heavy (and licensed) for what I actually wanted: a fast, owner-centric view of the app and identity estate for routine hygiene.
What I built
A lightweight, self-hosted portal that runs entirely in your own Azure subscription:
- One grid for App Registrations, Enterprise Apps, Managed Identities, and Privileged (directory-role) Users
- Per-identity risk: expiring/expired creds, high-risk permissions, no owner, stale sign-in, missing Conditional Access coverage
- Ownership tracking + review/owner-change workflow, CSV export
- A tenant health score and consent-posture dashboard
- Optional credential-expiry email notifications (requires Sendgrid API key)
- Reads Microsoft Graph via a managed identity - no app secrets for data access, and nothing leaves your tenant
~$26–30/mo (one B2 App Service plan).
What it's not: a replacement for Entra ID Governance, PIM, or access reviews. It's a focused, low-cost complement for day-to-day hygiene.
Repo (screenshots + setup guide): Github Repository
Genuinely after feedback — especially what you'd want surfaced that isn't there, or where the risk scoring feels wrong. Built this incrementally over a few months (with long breaks), so it's had time to settle.