Categorizing Service Principals in Entra

For M365Permissions I wanted to categorize service principals in an actually useful way.

This is what I came up with so far

    function get-servicePrincipalType{
        Param(
            [Parameter(Mandatory=$true)][object]$spn
        )

        #managed identities are simple :)
        if($spn.servicePrincipalType -eq "ManagedIdentity"){
            return "ManagedIdentity"
        }        

        #other SPN's can be hosted by us, by Microsoft or by a third party 
        #Although 9188040d-6c67-4c5b-b112-36a304b66dad is also officially Msft, it contains consumer apps not built or vetted by Microsoft thus we treat it as third party
        if($spn.appOwnerOrganizationId -in ("f8cdef31-a31e-4b4a-93e4-5f571e91255a","72f988bf-86f1-41af-91ab-2d7cd011db47","7579c9b7-9fa5-4860-b7ac-742d42053c54")){
            return "MicrosoftApplication"
        }elseif($spn.appOwnerOrganizationId -eq &lt;YOURTENANTID>){
            #this is either a homebrew app or an AI agentic app
            if($spn.tags -and ($spn.tags -contains "AgenticApp" -or $spn.tags -contains "AIAgentBuilder")){
                return "AiAgent"
            }else{
                return "InHouseApplication"
            }
        }else{
            return "ThirdPartyApplication"
        }              
    }

Liebensraum

Categorizing Service Principals in Entra

Microsoft 365, Azure, Automation & Code