Service principals are where Azure permission drift goes to live. They get created for an integration, given permissions for that integration, and then sit there forever picking up extra grants as scope changes. If a service principal token leaks, you inherit whatever permissions it accumulated.
Blue Lantern's Azure module audits service principals against a default list of high-risk roles in one command.
Prerequisites
The Blue Lantern on-prem toolkit installed.
Credits allocated (or auto-refresh enabled).
A sealed secrets file with
TENANT_ID,CLIENT_ID, andCLIENT_SECRETfrom an Azure service principal that has the following Microsoft Graph permissions:Application.Read.AllGroup.Read.AllDirectory.Read.AllUser.Read.AllPolicy.Read.AllReports.Read.AllUser.Read
These cover every Azure use case the toolkit supports today, not just this one.
Running the check
bluelantern run azure-iam find-risky-service-principals
To see what the tool checks for first:
bluelantern run azure-iam find-risky-service-principals --list_permissions true
If you want to audit a specific permission instead of the full list, use find-service-principals-with-permission.
What you get back
For each flagged service principal:
- App name and app ID.
- The role triggering the flag.
- A risk category (e.g.
data integrity). - A reason explaining why that role is flagged.
That's enough to triage. Sort by risk category, walk the list with the team that owns each app, decide whether the permission is still earning its keep.