Automated security report for all App Registrations and Graph Permissions in your Azure tenant. Delivered by email. Managed by au2mator.
MSP| App Name | Risk Level | Permissions | Perm Category |
|---|---|---|---|
| AzureServicePrincipal… | Critical | 12 | Excessive |
| PROD: Directory Management | Critical | 11 | Excessive |
| PROD: Cert Expiry Monitor | Critical | 5 | Excessive |
| PROD: Storage Upload Service | Critical | 4 | Excessive |
| PROD: Directory Services | Critical | 6 | Excessive |
Every App Registration, every service principal, every new automation brings new permissions with it. After a year, nobody knows who can do what anymore. And what’s worse: nobody asks.
App Registrations are created and never reviewed again. Permissions accumulate. After two years, every app has too many rights that nobody feels responsible for.
Checking everything manually takes hours and is error-prone. So it’s rarely if ever done. Until a compliance audit or security incident forces it.
Too many permissions are an attack vector. For attackers, data breaches, and compliance violations. ISO 27001, NIS2, and GDPR have clear expectations here.
Native Azure Automation. No agent, no VM, no new infrastructure. Just a runbook in your existing setup.
A PowerShell runbook in your Azure Automation. Two App Registrations for read access. Configuration in under 30 minutes, no changes to existing systems.
The report scans all App Registrations, maps used API endpoints to required permissions, and classifies each app: Optimal, Excessive, Unmatched, or No Activity.
Weekly or monthly, a clear HTML report lands in your inbox. With risk classification, recommendations, and an interactive view of all App Registrations.
Filter by risk level, click on individual apps, explore endpoint mappings, and immediately see where action is needed.
Sample data from a real tenant. Anonymized.
The LPR uses exclusively native Azure Automation capabilities. No external data flows, no additional infrastructure, no vendor lock-in.
Optimal, Excessive, and Unmatched. Every App Registration is precisely rated with concrete recommendations. No guessing, no room for interpretation.
Complete mapping of all relevant Microsoft Graph API endpoints to the minimum required permissions. Extended with every update. Always current.
The report doesn’t just look at which permissions exist, but which are actually used. Stale apps with 0 API calls in 30 days are flagged separately.
PowerShell 7.4, kein Agent, keine VM. Das Runbook lΓ€uft genau dort, wo deine Automatisierungen bereits laufen. Setup unter 30 Minuten, keine neuen Systeme.
Interactive, filterable HTML view directly in your inbox. No login, no portal, no extra tool. Einfach aufmachen und lesen. Mit au2mator oder eurem eigenen Branding.
Zwei App Registrations mit Read-only Rechten. Keine Managed Identity, keine Owner Berechtigungen. Was der Report analysiert, lebt selbst nach demselben Prinzip.
Your own logo, your colors, your domain in the report. Perfect for Managed Service Providers offering security reporting as part of their service portfolio.
Der LPR wird von au2mator auf GitHub gehostet, gewartet und weiterentwickelt. Neue Endpoint-Mappings und Features landen per Knopfdruck bei allen Kunden β ohne manuellen Aufwand eurer Seite.
Credentials stay with you. The runbook runs in your Azure Automation. No data leaving your environment, no external access. au2mator delivers only the logic.
Full documentation in German and English. Support in German and English. Built by an Austrian company working daily in the Azure mid-market environment.
App Registrations and Service Principals are automatically scanned for expiring secrets and certificates. Status indicator (Expired / Critical / Warning / OK) directly in the report β including expiry date and days remaining.
The report is organized into four tabs: Permissions, Credentials, Enterprise Apps, and Azure & Directory Roles. Every tab is instantly filterable, searchable, and sortable.
All SSO apps (Calendly, Zoom, Salesforce & more) at a glance: SSO mode (SAML/OIDC), last sign-in, active user count, and expiring credentials β all in a dedicated tab.
Complete overview of all service principals with Azure RBAC roles (Owner, Contributor, Reader, etc.) and Entra Directory roles (Global Admin, Attack Simulation Admin, etc.) β including high-privilege flagging.
When an app makes API calls and receives 403 Forbidden responses, the report shows exactly which endpoints are affected. Real data from Log Analytics β no theoretical analysis, no false positives.
Across all four tabs: live search across all entries, sortable table columns, and KPI cards as clickable filters. Narrow down to what matters in seconds.
Every row in every tab is clickable. A detail modal shows app details, risk analysis, API activity, endpoint mapping, credentials, and roles β all one click away, no new window needed.
Every report contains a complete inventory of all App Registrations with risk classification, permission analysis, and concrete recommendations.
App uses exactly the permissions it actually needs. No action required.
App has more permissions than it uses. Clear list of what should be removed.
App calls endpoints that could not be matched in the permissions mapping. Requires manual review.
App had no API activity in the last 30 days. Candidate for deactivation or deletion.
We deploy, maintain, keep the report up to date, and deliver results monthly. You don’t have to worry about a thing.
Drop us a line β we’ll discuss your Azure environment and put together a tailored offer. Free, no commitment.
Or email us directly: info@au2mator.com