As you know, with Azure AD you can create and manage Service Principals and delegate administration tasks using administrative roles, but it is quite difficult to identify how many Service Principals you have, or which Service Principals have expired or will expire.
To help you with that, the Azure AD team has developed a workbook that relies on the Azure Optimization Engine (AOE), a free monitoring and governance tool.
This requires an Azure SQL Database, which is created during the deployment.
In addition to this Identities and Roles dashboard, the AOE deployment also gives you a Resources Inventory dashboard and a Costs Growing dashboard.
If you want to implement this Identities and Roles workbook, connect to the Azure portal (https://portal.azure.com/) and open Cloud Shell.
NOTE: you need to connect with an administrator account that is authorized to grant roles to others in Azure AD (such as Global Administrator or Privileged Role Administrator).
You will also need an Azure Log Analytics workspace.
Once you have launched Cloud Shell, run the commands below to clone the solution's GitHub repository, install the required modules and deploy the workbook:
git clone https://github.com/helderpinto/AzureOptimizationEngine.git azureoptimizationengine
cd azureoptimizationengine
Install-Module Microsoft.Graph.Authentication,Microsoft.Graph.Identity.DirectoryManagement
.\Deploy-AzureOptimizationEngine.ps1
When running the last step (the PowerShell script), you will have to provide some information: the Azure subscription to deploy to, a deployment name (used to name all the resources required for the deployment), the Log Analytics workspace to use, the SQL administrator account, and the target location for the deployment.
All required resources are deployed within a new resource group named after the deployment name you define.
Deployment takes a few minutes; you can follow it from the Deployments blade of the subscription you selected while running the script.
Once everything is completed, you will need to wait up to a few hours for the automation to finish gathering data. It is best to wait 24 hours.
Then you can access the Identities and Roles dashboard from the Workbooks blade of your Log Analytics workspace.
If you run the script again, you can rerun/upgrade the previous deployment.
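To see the kind of data the workbook surfaces without waiting for the automation, here is an added example (not part of AOE or the workbook) that queries Microsoft Graph from the same Cloud Shell for service principal credentials that have already expired or will expire within 30 days. It assumes the Microsoft.Graph.Applications module is installed (it is not among the modules installed above) and that your account has been granted the Application.Read.All permission.

```powershell
# Added example, not part of AOE: list service principal credentials (client secrets and
# certificates) that are already expired or expire within the next $DaysAhead days.
# Assumes the Microsoft.Graph.Applications module is installed and the signed-in
# account has been granted the Application.Read.All permission.
param(
    [int]$DaysAhead = 30
)

function Get-ExpiringServicePrincipalCredentials {
    param([int]$DaysAhead = 30)

    $now      = (Get-Date).ToUniversalTime()
    $deadline = $now.AddDays($DaysAhead)
    $results  = [System.Collections.Generic.List[object]]::new()

    # -All pages through the whole tenant instead of returning only the first page.
    $servicePrincipals = Get-MgServicePrincipal -All -Property Id,DisplayName,AppId,PasswordCredentials,KeyCredentials

    foreach ($sp in $servicePrincipals) {
        # Both credential kinds expose EndDateTime; tag each with its type before checking.
        $credentials = @()
        foreach ($c in $sp.PasswordCredentials) { $credentials += @{ Type = 'Secret';      KeyId = $c.KeyId; End = $c.EndDateTime } }
        foreach ($c in $sp.KeyCredentials)      { $credentials += @{ Type = 'Certificate'; KeyId = $c.KeyId; End = $c.EndDateTime } }

        foreach ($cred in $credentials) {
            if ($null -eq $cred.End) { continue }           # no expiry recorded
            $end = ([datetime]$cred.End).ToUniversalTime()
            if ($end -gt $deadline) { continue }           # still valid beyond the window

            if ($end -lt $now) { $status = 'Expired' } else { $status = 'ExpiringSoon' }
            $results.Add([pscustomobject]@{
                DisplayName = $sp.DisplayName
                AppId       = $sp.AppId
                Type        = $cred.Type
                KeyId       = $cred.KeyId
                EndDateTime = $end
                Status      = $status
            })
        }
    }
    return $results
}

Connect-MgGraph -Scopes 'Application.Read.All' | Out-Null
Get-ExpiringServicePrincipalCredentials -DaysAhead $DaysAhead |
    Sort-Object EndDateTime |
    Format-Table DisplayName, Type, Status, EndDateTime, KeyId -AutoSize
```

Run it as `.\Get-ExpiringCredentials.ps1 -DaysAhead 60` (file name is your choice) to widen the window; an empty table means no credential in the tenant expires within that window.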
Limitation
Due to Azure Automation restrictions (https://docs.microsoft.com/en-us/azure/automation/automation-runbook-execution#runbook-execution-environment), if you have more than 50k users, groups or applications in your Azure AD, you will need to implement an Azure Automation Hybrid Runbook Worker (https://docs.microsoft.com/en-us/azure/automation/automation-hybrid-runbook-worker).