Session
Your Graph Apps Are Over-Privileged — Let’s Fix That with PowerShell
Microsoft Graph permissions for Service Principals and Managed Identities are one of the growing risk areas in Azure/Entra environments, yet most organizations have no historical record of what these permissions looked like yesterday, last week, or six months ago. In this session, Morten Mynster introduces LeastPrivilegedMSGraph, a PowerShell module designed to audit and analyse Graph permissions in a transparent and repeatable way.
We will dive into why Graph application permissions - both app roles and delegated scopes - so often become over-provisioned, and how the module determines least-privilege permissions on the application scope. You’ll see how to generate clear, automatable reports of every service principal or managed identity’s effective Graph permissions, and how to store historical snapshots that can answer questions such as “What did this service principal have access to last month?”
The session continues by demonstrating how GitHub Actions can be used to run these audits continuously, producing daily or weekly scans with no manual effort. We’ll also explore how GitHub’s built-in diffing capabilities make it easy to detect permission drift over time and highlight changes that matter.
Attendees will leave with a complete, practical pattern they can implement immediately: a PowerShell-based auditing workflow, automated reporting pipelines, and continuous historical insight into their Graph permission landscape.
Morten Mynster
TDC Erhverv - Cybersecurity Consultant
Herning, Denmark