Generate All Entra Service Principals Report Using PowerShell

Service principals are at the core of Microsoft Entra ID, representing applications, services, and managed identities that interact with your tenant.

Having a complete inventory of service principals is essential for:

  • Security audits
  • Application governance
  • Access reviews
  • Compliance reporting

Without proper visibility, service principals can accumulate over time, leading to unmanaged identities and potential risks.

👉 This script helps administrators generate a full report of all Entra service principals, providing a centralized view for analysis and governance.

The Script

                            
# Connect to Microsoft Graph
Connect-MgGraph -Scopes Application.Read.All

Write-Host "Fetching ALL Service Principals..." -ForegroundColor Cyan

# Get all service principals
$ServicePrincipals = Get-MgServicePrincipal -All -Property Id,DisplayName,AppId,CreatedDateTime,AccountEnabled,Tags,PublisherName

$Results = @()

foreach ($SP in $ServicePrincipals) {

    # Console output (basic)
    $Status = if ($SP.AccountEnabled) { "Enabled" } else { "Disabled" }

    Write-Host "$($SP.DisplayName) | $($SP.AppId) | $Status" -ForegroundColor Yellow

    # Export object (detailed)
    $Results += [PSCustomObject]@{
        DisplayName        = $SP.DisplayName
        ServicePrincipalId = $SP.Id
        AppId              = $SP.AppId
        AccountEnabled     = $SP.AccountEnabled
        Tags               = ($SP.Tags -join ", ")
    }
}

# Export results
$ExportPath = "D:\All_ServicePrincipals_Report.csv"

$Results | Export-Csv $ExportPath -NoTypeInformation

Write-Host "Full Service Principal inventory exported to $ExportPath" -ForegroundColor Cyan


How the Script Works

| Step | Description |
|------|-------------|
| Connect to Graph | Authenticates using Application.Read.All permission |
| Fetch Service Principals | Retrieves all service principals using Get-MgServicePrincipal -All |
| Loop Through Each SP | Iterates through each service principal |
| Determine Status | Checks if the service principal is enabled or disabled |
| Console Output | Displays basic information for quick visibility |
| Build Report | Stores key properties in a structured object |
| Export Results | Exports full inventory to CSV |

Further Enhancements

| Enhancement | Description |
|-------------|-------------|
| Include Owner Details | Add owner information using Get-MgServicePrincipalOwner |
| Add Permissions | Include API permissions assigned to each service principal |
| Include Sign-In Activity | Identify active vs inactive service principals |
| Add Risk Classification | Tag high-risk or sensitive service principals |
| Filter by Publisher | Group or filter based on PublisherName |
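
The "Include Owner Details" enhancement, written out as an added example (not part of the original script): it adds ServicePrincipalType and owner columns and writes a second CSV of enabled principals that have no owner. The output file names and the decision to leave managed identities out of the ownerless list are assumptions made for this example.

```powershell
# Added example: inventory with owner and type columns.
# Requires the Microsoft.Graph module and a tenant sign-in.
Connect-MgGraph -Scopes Application.Read.All

$ServicePrincipals = Get-MgServicePrincipal -All `
    -Property Id,DisplayName,AppId,AccountEnabled,ServicePrincipalType

# A generic list avoids the array copy that "+=" performs on every iteration
$Report = [System.Collections.Generic.List[object]]::new()

foreach ($SP in $ServicePrincipals) {
    # Owners are returned as directory objects; their details sit in AdditionalProperties
    $Owners = @(Get-MgServicePrincipalOwner -ServicePrincipalId $SP.Id -All)

    $OwnerNames = foreach ($Owner in $Owners) {
        $Props = $Owner.AdditionalProperties
        # Fall back to the object id when the owner's details are not readable
        # with the permissions granted to this session
        if ($Props.userPrincipalName) { $Props.userPrincipalName }
        elseif ($Props.displayName)   { $Props.displayName }
        else                          { $Owner.Id }
    }

    $Report.Add([PSCustomObject]@{
        DisplayName          = $SP.DisplayName
        ServicePrincipalId   = $SP.Id
        AppId                = $SP.AppId
        ServicePrincipalType = $SP.ServicePrincipalType
        AccountEnabled       = $SP.AccountEnabled
        OwnerCount           = $Owners.Count
        Owners               = ($OwnerNames -join "; ")
    })
}

# Enabled principals with no owner; managed identities are skipped (assumption:
# they are governed through the Azure resource they belong to)
$Unowned = @($Report | Where-Object {
    $_.AccountEnabled -and $_.OwnerCount -eq 0 -and
    $_.ServicePrincipalType -ne "ManagedIdentity"
})

# Output file names are placeholders chosen for this example
$Report  | Export-Csv ".\ServicePrincipals_WithOwners.csv" -NoTypeInformation
$Unowned | Export-Csv ".\ServicePrincipals_NoOwner.csv" -NoTypeInformation
Write-Host "$($Report.Count) service principals, $($Unowned.Count) enabled without an owner"
```

The owner lookup is one Graph call per service principal, so run time grows with tenant size. Expect many Microsoft first-party applications in the ownerless list; review it by publisher or tags before treating an entry as unmanaged.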

Frequently Asked Questions

| Question | Answer |
|----------|--------|
| What is a service principal? | An identity representing an application or service in Entra ID |
| Why generate a full report? | To maintain visibility and governance over all identities |
| Does this include managed identities? | Yes, if they exist as service principals |
| Are disabled service principals included? | Yes, the script captures both enabled and disabled |
| Can this script handle large tenants? | Yes, but execution time depends on tenant size |

Admin Use Cases

| Use Case | Description |
|----------|-------------|
| Inventory Management | Maintain a complete list of service principals |
| Security Audit | Identify unknown or unmanaged identities |
| Compliance Reporting | Provide reports for audits and governance |
| Access Review | Analyze service principals with access permissions |
| Cleanup Activity | Identify unused or redundant service principals |

Possible Errors & Solutions

| Error | Cause | Solution |
|-------|-------|----------|
| Insufficient privileges | Missing Graph permission | Use Application.Read.All |
| Cmdlet not recognized | Graph module not installed | Install using Install-Module Microsoft.Graph |
| Access token expired | Session timeout | Reconnect using Connect-MgGraph |
| Slow execution | Large tenant | Use filters or pagination |
| Null Tags property | Some SPs may not have tags | Handle null values if needed |

Conclusion

A complete inventory of service principals is essential for maintaining strong governance and security in Microsoft Entra ID. Without visibility, organizations risk accumulating unmanaged identities that could lead to security gaps.

This Microsoft Graph PowerShell script provides an efficient way to generate a full report of all service principals, giving administrators the insights needed to:

  • Monitor identity usage
  • Strengthen governance
  • Improve security posture

By incorporating this script into regular audits, organizations can ensure better control, visibility, and compliance across their Entra environment.

© Created and Maintained by LEARNIT WELL SOLUTIONS. All Rights Reserved.