ownerlens 0.1.0

package/src/components/azure/ZtaRemediationBadge.tsx

@@ -0,0 +1,70 @@
+import type { ZtaRemediationSummary } from "../../core/azure/ztaReport";
+import { cn } from "../../lib/utils";
+import { Badge, type BadgeProps } from "../../report/components/ui/badge";
+
+type ZtaRemediationBadgeProps = Pick<
+  ZtaRemediationSummary,
+  "ztaMaxRisk" | "ztaRemediationCountAll" | "ztaRemediationFailedCount"
+> & {
+  onClick?: () => void;
+};
+
+export function ZtaRemediationBadge({
+  onClick,
+  ztaMaxRisk,
+  ztaRemediationCountAll,
+  ztaRemediationFailedCount
+}: ZtaRemediationBadgeProps) {
+  const content = `${ztaRemediationFailedCount}/${ztaRemediationCountAll}`;
+  const variant = getZtaRiskVariant(ztaMaxRisk);
+
+  if (onClick) {
+    return (
+      <button
+        aria-label={`Open ZTA remediations ${content}`}
+        className={cn(
+          "inline-flex min-w-12 items-center justify-center rounded-full border px-2.5 py-0.5 text-xs font-semibold tabular-nums transition-colors hover:opacity-80 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-ring",
+          getZtaRiskClassName(ztaMaxRisk)
+        )}
+        type="button"
+        onClick={onClick}
+      >
+        {content}
+      </button>
+    );
+  }
+
+  return (
+    <Badge className="min-w-12 justify-center tabular-nums" variant={variant}>
+      {content}
+    </Badge>
+  );
+}
+
+function getZtaRiskClassName(ztaMaxRisk: ZtaRemediationSummary["ztaMaxRisk"]): string {
+  switch (ztaMaxRisk) {
+    case "high":
+      return "border-transparent bg-red-100 text-red-800";
+    case "medium":
+      return "border-transparent bg-amber-100 text-amber-800";
+    case "low":
+      return "border-transparent bg-emerald-100 text-emerald-800";
+    case "none":
+    default:
+      return "border-transparent bg-muted text-muted-foreground";
+  }
+}
+
+function getZtaRiskVariant(ztaMaxRisk: ZtaRemediationSummary["ztaMaxRisk"]): BadgeProps["variant"] {
+  switch (ztaMaxRisk) {
+    case "high":
+      return "riskHigh";
+    case "medium":
+      return "riskMedium";
+    case "low":
+      return "riskLow";
+    case "none":
+    default:
+      return "riskNone";
+  }
+}

package/src/components/azure/api.ts

@@ -0,0 +1,216 @@
+import type { ManagedIdentity } from "../../core/azure/entra/managedIdentity";
+import type { ServicePrincipal } from "../../core/azure/entra/servicePrincipal";
+import type { EntraOAuth2PermissionGrant } from "../../core/azure/entra/types";
+import type { AzureRbac } from "../../core/azure/azureRbac";
+import type { ResourceGroupOwnershipRow } from "../../core/azure/resources";
+import type { ZtaReport } from "../../core/azure/ztaReport";
+import type { EntraAppRoleAssignment } from "../../providers/azure/inputTransferObject/entra/EntraAppRoleAssignment";
+import type { ColumnFilters } from "../../report/components/reportTableControls";
+import { appendRuntimeCollectionFilters } from "../../report/runtimeCollectionQuery";
+
+type ServicePrincipalRuntimeResponse = {
+  collectionId: "entra.servicePrincipals";
+  rows: ServicePrincipal[];
+  columns: string[];
+  page: number;
+  pageSize: number;
+  count: number;
+};
+
+type ManagedIdentityRuntimeResponse = {
+  collectionId: "entra.managedIdentities";
+  rows: ManagedIdentity[];
+  columns: string[];
+  page: number;
+  pageSize: number;
+  count: number;
+};
+
+type ResourceGroupRuntimeResponse = {
+  collectionId: "azureResources.resourceGroupOwnership";
+  rows: ResourceGroupOwnershipRow[];
+  columns: string[];
+  page: number;
+  pageSize: number;
+  count: number;
+};
+
+type AzureRbacRuntimeResponse = {
+  collectionId: "azureRbac";
+  rows: AzureRbac[];
+  columns: string[];
+  page: number;
+  pageSize: number;
+  count: number;
+};
+
+export type EntraPrincipalPermissionsResponse = {
+  principalId: string;
+  oauth2PermissionGrants: EntraOAuth2PermissionGrant[];
+  appRoleAssignments: EntraAppRoleAssignment[];
+};
+
+type ZeroTrustAssessmentRuntimeResponse = ZtaReport & {
+  collectionId: "zeroTrustAssessment.report";
+  rows: ZtaReport["Tests"];
+  columns: string[];
+  page: number;
+  pageSize: number;
+  count: number;
+};
+
+const remotePageSize = 20;
+
+export async function readServicePrincipals({
+  filters,
+  page,
+  signal
+}: {
+  filters: ColumnFilters;
+  page: number;
+  signal: AbortSignal;
+}): Promise<ServicePrincipalRuntimeResponse> {
+  const url = new URL("/api/data/entra/servicePrincipals", window.location.origin);
+  url.searchParams.set("page", String(page));
+  url.searchParams.set("count", String(remotePageSize));
+  appendRuntimeCollectionFilters(url, filters);
+
+  const response = await fetch(`${url.pathname}${url.search}`, { signal });
+  if (!response.ok) {
+    throw new Error(`Service principals read failed: ${response.status}`);
+  }
+
+  return (await response.json()) as ServicePrincipalRuntimeResponse;
+}
+
+export async function readManagedIdentities({
+  filters,
+  page,
+  signal
+}: {
+  filters: ColumnFilters;
+  page: number;
+  signal: AbortSignal;
+}): Promise<ManagedIdentityRuntimeResponse> {
+  const url = new URL("/api/data/entra/managedIdentities", window.location.origin);
+  url.searchParams.set("page", String(page));
+  url.searchParams.set("count", String(remotePageSize));
+  appendRuntimeCollectionFilters(url, filters);
+
+  const response = await fetch(`${url.pathname}${url.search}`, { signal });
+  if (!response.ok) {
+    throw new Error(`Managed identities read failed: ${response.status}`);
+  }
+
+  return (await response.json()) as ManagedIdentityRuntimeResponse;
+}
+
+export async function readResourceGroups({
+  filters,
+  page,
+  signal
+}: {
+  filters: ColumnFilters;
+  page: number;
+  signal: AbortSignal;
+}): Promise<ResourceGroupRuntimeResponse> {
+  const url = new URL("/api/data/azureResources/resourceGroupOwnership", window.location.origin);
+  url.searchParams.set("page", String(page));
+  url.searchParams.set("count", String(remotePageSize));
+  appendRuntimeCollectionFilters(url, filters);
+
+  const response = await fetch(`${url.pathname}${url.search}`, { signal });
+  if (!response.ok) {
+    throw new Error(`Resource groups read failed: ${response.status}`);
+  }
+
+  return (await response.json()) as ResourceGroupRuntimeResponse;
+}
+
+export async function readAzureRbac({
+  filters,
+  page,
+  servicePrincipalId,
+  signal
+}: {
+  filters: ColumnFilters;
+  page: number;
+  servicePrincipalId: string;
+  signal: AbortSignal;
+}): Promise<AzureRbacRuntimeResponse> {
+  const url = new URL("/api/data/azureRbac", window.location.origin);
+  url.searchParams.set("servicePrincipalId", servicePrincipalId);
+  url.searchParams.set("page", String(page));
+  url.searchParams.set("count", String(remotePageSize));
+  appendRuntimeCollectionFilters(url, filters);
+
+  const response = await fetch(`${url.pathname}${url.search}`, { signal });
+  if (!response.ok) {
+    throw new Error(`Azure RBAC read failed: ${response.status}`);
+  }
+
+  return (await response.json()) as AzureRbacRuntimeResponse;
+}
+
+export async function readEntraPermissions({
+  principalId,
+  signal
+}: {
+  principalId: string;
+  signal: AbortSignal;
+}): Promise<EntraPrincipalPermissionsResponse> {
+  const url = new URL("/api/data/entra/permissions", window.location.origin);
+  url.searchParams.set("principalId", principalId);
+
+  const response = await fetch(`${url.pathname}${url.search}`, { signal });
+  if (!response.ok) {
+    throw new Error(`Entra permissions read failed: ${response.status}`);
+  }
+
+  return (await response.json()) as EntraPrincipalPermissionsResponse;
+}
+
+export async function readZeroTrustAssessmentReport({
+  filters = {},
+  page,
+  pageSize = remotePageSize,
+  signal
+}: {
+  filters?: ColumnFilters;
+  page?: number;
+  pageSize?: number;
+  signal: AbortSignal;
+}): Promise<ZeroTrustAssessmentRuntimeResponse> {
+  const url = new URL("/api/data/zeroTrustAssessment/report", window.location.origin);
+  if (page !== undefined) {
+    url.searchParams.set("page", String(page));
+  }
+  if (pageSize !== undefined) {
+    url.searchParams.set("count", String(pageSize));
+  }
+  appendRuntimeCollectionFilters(url, filters);
+
+  const response = await fetch(`${url.pathname}${url.search}`, { signal });
+  if (!response.ok) {
+    throw new Error(`Zero Trust Assessment report read failed: ${response.status}`);
+  }
+
+  return (await response.json()) as ZeroTrustAssessmentRuntimeResponse;
+}
+
+export async function updateDisabledOwnerEvidence({
+  key,
+  disabled
+}: {
+  key: string;
+  disabled: boolean;
+}): Promise<void> {
+  const url = new URL("/api/data/azureResources/resourceGroupOwnership/disabledEvidence", window.location.origin);
+  url.searchParams.set("key", key);
+  url.searchParams.set("disabled", String(disabled));
+
+  const response = await fetch(`${url.pathname}${url.search}`);
+  if (!response.ok) {
+    throw new Error(`Owner candidate update failed: ${response.status}`);
+  }
+}

package/src/components/azure/azureReportConfig.ts

@@ -0,0 +1,247 @@
+import type { ReportColumnHelp } from "../../report/reportTypes";
+
+export const azureOwnerColumnHelp = {
+  target: {
+    source: "Computed by app from Azure resource snapshot JSON.",
+    logic: [
+      "Shows Subscription when the row represents a subscription.",
+      "Shows the resource group name when the row represents a resource group."
+    ]
+  },
+  resourceGroup: {
+    source: "Computed by app from Azure resource snapshot JSON.",
+    logic: ["Shows the resource group name from the owner row built from the Azure resource snapshot."]
+  },
+  subscription: {
+    source: "Direct from Azure resource snapshot JSON.",
+    field: "subscriptionName",
+    logic: ["Copied from the subscription or resource group record used to build the owner row."]
+  },
+  subscriptionName: {
+    source: "Direct from Azure resource snapshot JSON.",
+    field: "subscriptionName",
+    logic: ["Copied from the subscription or resource group record used to build the owner row."]
+  },
+  owner: {
+    source: "Computed by app from Azure tags and activity logs.",
+    logic: [
+      "First checks configured owner tags on the resource group or subscription.",
+      "If no tag owner is found, falls back to the most recent write/delete/action caller in Azure activity logs.",
+      "CostCenter tag values are mapped through the configured cost center owner map."
+    ]
+  },
+  confidence: {
+    source: "Computed by app during owner resolution.",
+    logic: [
+      "Tag-derived owners use the configured confidence for that tag.",
+      "Activity-log fallback is low confidence.",
+      "No usable tag or activity caller returns none."
+    ]
+  },
+  ownerConfidence: {
+    source: "Computed by app during owner resolution.",
+    logic: [
+      "Uses the strongest confidence among resource group owner rows targeted by this principal's Azure RBAC scopes.",
+      "No usable owner evidence returns none."
+    ]
+  },
+  source: {
+    source: "Computed by app during owner resolution.",
+    logic: [
+      "tag.<name> means the owner came from that Azure tag.",
+      "activity.lastModifier means the owner came from resource group activity.",
+      "activity.subscriptionLastModifier means the owner came from subscription activity.",
+      "none means no owner evidence was found."
+    ]
+  },
+  evidence: {
+    source: "Computed by app from Azure tag values or activity logs.",
+    logic: [
+      "For tag owners, shows the tag value or CostCenter mapping.",
+      "For activity fallback, shows recent distinct callers and event timestamps.",
+      "Service principal callers are displayed by Entra display name when known."
+    ]
+  }
+} satisfies Record<string, ReportColumnHelp>;
+
+export const azureManagedIdentityColumnHelp = {
+  displayName: {
+    source: "Direct from Entra JSON.",
+    field: "displayName",
+    logic: ["Displayed as-is, with empty values shown as a dash."]
+  },
+  resourceGroup: {
+    source: "Computed by app from Azure resource snapshot JSON.",
+    logic: [
+      "For user-assigned managed identities, uses the managed identity resource group captured in userAssignedManagedIdentities.",
+      "For system-assigned managed identities, uses the resource group of the assigned Azure resource.",
+      "When the same identity appears in multiple groups, shows each distinct resource group."
+    ]
+  },
+  assignedResourceGroups: {
+    source: "Computed by app from Azure resource snapshot JSON.",
+    logic: [
+      "For user-assigned managed identities, uses the managed identity resource group captured in userAssignedManagedIdentities.",
+      "For system-assigned managed identities, uses the resource group of the assigned Azure resource.",
+      "When the same identity appears in multiple groups, shows each distinct resource group."
+    ]
+  },
+  potentialOwners: {
+    source: "Computed by app from the Owner Report resource group rows.",
+    logic: [
+      "Looks up the resource group shown for the managed identity in the resolved owner report.",
+      "Projects each resource group's owner onto the managed identity.",
+      "Shows the distinct resolved owner email addresses separated by commas."
+    ]
+  },
+  ownerConfidence: {
+    source: "Computed by app from the matching resource group owner rows.",
+    logic: [
+      "Uses the strongest confidence among resource group owner rows assigned to this managed identity.",
+      "No usable owner evidence returns none."
+    ]
+  },
+  miAssignment: {
+    source: "Computed by app from Azure resource snapshot JSON.",
+    logic: [
+      "Scans Azure resources for system-assigned and user-assigned managed identities.",
+      "Matches assignments to this Entra service principal by object ID or client/app ID.",
+      "Shows assigned resource name, type, and resource group."
+    ]
+  },
+  permissionRisk: {
+    source: "Computed by app from Azure roleAssignments JSON.",
+    logic: [
+      "Finds Azure RBAC assignments whose principalId matches this Entra object ID, case-insensitively.",
+      "Owner, User Access Administrator, Role Based Access Control Administrator, Privileged Role Administrator, and Key Vault Administrator start as high risk.",
+      "Reader starts as low risk; missing, custom, unclassified, Contributor, Administrator, Data Owner, Data Contributor, and Operator-style roles start as medium risk.",
+      "Management group and subscription scopes are broad: a medium role at a broad scope is raised to high.",
+      "Resource scopes are narrow: a high role at a single resource is lowered to medium.",
+      "Column shows the highest adjusted risk across all matching assignments; no assignments returns none."
+    ]
+  },
+  azureRbac: {
+    source: "Computed by app from Azure roleAssignments JSON.",
+    logic: [
+      "Lists matching Azure RBAC assignments for this principal.",
+      "Adds risk reasons such as privileged role, write-capable role, read-only role, broad scope, or unclassified role.",
+      "Shows no Azure RBAC assignments when no assignment matches."
+    ]
+  },
+  oauthPemrissionsCount: {
+    source: "Computed by app from Entra OAuth2 permission grants and app role assignments JSON.",
+    field: "oauth2PermissionGrants[].scope and appRoleAssignments[].principalId",
+    logic: [
+      "Finds OAuth2 permission grants whose clientId matches this Entra object ID, case-insensitively.",
+      "Counts individual delegated permission scopes split from the grant scope string.",
+      "Finds app role assignments whose principalId matches this Entra object ID and counts each matching application permission.",
+      "Badge format is delegated/application, for example 0/1 means no delegated scopes and one application app role assignment.",
+      "Badge risk is high when any matching OAuth2 permission grant has tenant-wide AllPrincipals consent, medium when any non-tenant-wide delegated or application permission exists, and none when no permissions exist.",
+      "For Directory.Read.All on a managed identity, resolve the managed identity service principal by Object ID, resolve Microsoft Graph by appId 00000003-0000-0000-c000-000000000000, select the Directory.Read.All application app role, then create the service principal app role assignment with ServicePrincipalId and PrincipalId set to the managed identity service principal Id."
+    ]
+  },
+  appRolesPermissionCount: {
+    source: "Computed by app from Entra app role assignments JSON.",
+    field: "appRoleAssignments[].principalId",
+    logic: [
+      "Finds app role assignments whose principalId matches this Entra object ID, case-insensitively.",
+      "Counts each matching app role assignment.",
+      "No matching assignments returns zero."
+    ]
+  },
+  entraPermissionRisk: {
+    source: "Computed by app from Entra OAuth2 permission grants and app role assignments JSON.",
+    field: "oauth2PermissionGrants[].consentType and appRoleAssignments[].principalId",
+    logic: [
+      "Returns high when any matching OAuth2 permission grant has consentType equal to AllPrincipals.",
+      "Returns medium when matching delegated scopes or app role assignments exist without tenant-wide delegated consent.",
+      "Returns none when no matching Entra permissions exist."
+    ]
+  },
+  enabled: {
+    source: "Direct from Entra JSON.",
+    field: "accountEnabled"
+  },
+  accountEnabled: {
+    source: "Direct from Entra JSON.",
+    field: "accountEnabled"
+  },
+  objectId: {
+    source: "Direct from Entra JSON.",
+    field: "id"
+  },
+  appId: {
+    source: "Direct from Entra JSON.",
+    field: "appId"
+  },
+  appDisplayName: {
+    source: "Direct from Entra JSON.",
+    field: "appDisplayName",
+    logic: ["Displayed as-is, with empty values shown as a dash."]
+  },
+  servicePrincipalNames: {
+    source: "Direct from Entra JSON.",
+    field: "servicePrincipalNames",
+    logic: ["Array values are joined with commas; empty arrays are shown as a dash."]
+  },
+  tags: {
+    source: "Direct from Entra JSON.",
+    field: "tags",
+    logic: ["Array values are joined with commas; empty arrays are shown as a dash."]
+  }
+} satisfies Record<string, ReportColumnHelp>;
+
+export const azureServicePrincipalColumnHelp = {
+  ...azureManagedIdentityColumnHelp,
+  ownership: {
+    source: "Computed by app from Entra JSON.",
+    logic: [
+      "ManagedIdentity service principals are treated as Tenant owned.",
+      "Application service principals are Tenant owned when appOwnerOrganizationId equals the snapshot tenantId.",
+      "A different appOwnerOrganizationId is External; a missing value is Unknown."
+    ]
+  },
+  servicePrincipalOwners: {
+    source: "Direct from Entra JSON.",
+    field: "servicePrincipals[].servicePrincipalOwners",
+    logic: [
+      "Exported from the Microsoft Graph Service Principal owners relationship.",
+      "Owner mail is preferred, then userPrincipalName, displayName, and object ID.",
+      "Multiple owners are shown as a comma-separated list."
+    ]
+  },
+  potentialOwners: {
+    source: "Computed by app from Service Principal Azure RBAC assignments and Azure owner report rows.",
+    logic: [
+      "Finds Azure RBAC assignments for this Service Principal.",
+      "Collects resource groups targeted by those RBAC scopes.",
+      "Subscription-scoped RBAC expands to every resource group in the assigned subscription.",
+      "Projects the resolved owner list from those resource group owner rows."
+    ]
+  },
+  ownerConfidence: {
+    source: "Computed by app from the matching resource group owner rows.",
+    logic: [
+      "Uses the strongest confidence among resource group owner rows targeted by this Service Principal's Azure RBAC scopes.",
+      "No usable owner evidence returns none."
+    ]
+  },
+  azureRbac: {
+    source: "Computed by app from Azure roleAssignments JSON.",
+    logic: [
+      "Lists matching Azure RBAC assignments for this principal.",
+      "For managed identity permission summaries, includes risk reasons such as broad scope or privileged role.",
+      "When no permission summary exists, lists direct role assignments by role and formatted scope."
+    ]
+  },
+  type: {
+    source: "Direct from Entra JSON.",
+    field: "servicePrincipalType",
+    logic: ["Displayed as-is, with empty values shown as a dash."]
+  },
+  servicePrincipalType: {
+    source: "Direct from Entra JSON.",
+    field: "servicePrincipalType",
+    logic: ["Displayed as-is, with empty values shown as a dash."]
+  }
+} satisfies Record<string, ReportColumnHelp>;

package/src/core/azure/azureRbac.ts

@@ -0,0 +1,70 @@
+import type { AzureRoleAssignment } from "./resources";
+import type { PermissionRiskLevel } from "../risk/types";
+
+export type AzureRbac = AzureRoleAssignment & {
+  servicePrincipalId: string;
+  accessRisk: PermissionRiskLevel;
+  accessScope: string;
+  accessScopeType: AzureRoleAssignment["scopeType"];
+  accessResourceId: string | null;
+  accessResourceGroup: string | null;
+  accessSubscriptionId: string | null;
+  accessDisplayName: string;
+};
+
+export function mapRoleAssignmentToAzureRbac(
+  assignment: AzureRoleAssignment,
+  permissionRiskLevel: PermissionRiskLevel
+): AzureRbac {
+  return {
+    ...assignment,
+    servicePrincipalId: assignment.principalId,
+    accessRisk: permissionRiskLevel,
+    accessScope: assignment.scope,
+    accessScopeType: assignment.scopeType ?? "Unknown",
+    accessResourceId: getResourceScopeId(assignment),
+    accessResourceGroup: assignment.scopeResourceGroup ?? getScopeResourceGroup(assignment.scope),
+    accessSubscriptionId: assignment.scopeSubscriptionId ?? getScopeSubscriptionId(assignment.scope),
+    accessDisplayName: formatAccessDisplayName(assignment)
+  };
+}
+
+function formatAccessDisplayName(assignment: AzureRoleAssignment): string {
+  const role = assignment.roleDefinitionName ?? "Unknown role";
+  const scopeType = assignment.scopeType ?? "Unknown";
+  const scope = formatScope(assignment);
+
+  return `${role} on ${scopeType.toLowerCase()} ${scope}`;
+}
+
+function formatScope(assignment: AzureRoleAssignment): string {
+  if (assignment.scopeType === "ManagementGroup" && assignment.scopeManagementGroup) {
+    return assignment.scopeManagementGroup;
+  }
+
+  if (assignment.scopeType === "Subscription") {
+    return assignment.subscriptionName || assignment.scopeSubscriptionId || assignment.subscriptionId;
+  }
+
+  if (assignment.scopeType === "ResourceGroup" && assignment.scopeResourceGroup) {
+    return assignment.scopeResourceGroup;
+  }
+
+  if (assignment.scopeType === "Resource" && assignment.scopeResourceName) {
+    return assignment.scopeResourceName;
+  }
+
+  return assignment.scope;
+}
+
+function getResourceScopeId(assignment: AzureRoleAssignment): string | null {
+  return assignment.scopeType === "Resource" ? assignment.scope : null;
+}
+
+function getScopeSubscriptionId(scope: string): string | null {
+  return scope.match(/\/subscriptions\/([^/]+)/i)?.[1] ?? null;
+}
+
+function getScopeResourceGroup(scope: string): string | null {
+  return scope.match(/\/resourceGroups\/([^/]+)/i)?.[1] ?? null;
+}

package/src/core/azure/entra/index.ts

@@ -0,0 +1 @@
+export {};

package/src/core/azure/entra/managedIdentity.ts

@@ -0,0 +1,21 @@
+import type { AzureManagedIdentityResourceAssignment } from "../identityEnrichment";
+import type { OwnerConfidence } from "../../ownership/types";
+import type {
+  AzureIdentityRuntimeEnrichment,
+  EntraPrincipalPermissionSummary,
+  EntraPrincipalRbacSummary
+} from "./servicePrincipal";
+import type { ZtaRemediationSummary } from "../ztaReport";
+import type { EntraServicePrincipal } from "./types";
+
+export type ManagedIdentity = EntraServicePrincipal & AzureIdentityRuntimeEnrichment & {
+  servicePrincipalType: "ManagedIdentity";
+  managedIdentityAssignments: AzureManagedIdentityResourceAssignment[];
+  assignedResourceGroups: string[];
+  potentialOwners?: string[];
+  ownerConfidence?: OwnerConfidence;
+} & EntraPrincipalPermissionSummary & EntraPrincipalRbacSummary & ZtaRemediationSummary;
+
+export function isManagedIdentity(servicePrincipal: EntraServicePrincipal): servicePrincipal is ManagedIdentity {
+  return servicePrincipal.servicePrincipalType === "ManagedIdentity";
+}

package/src/core/azure/entra/servicePrincipal.ts

@@ -0,0 +1,34 @@
+import type { ManagedIdentityPermissionRiskLevel } from "../identityEnrichment";
+import type { AzureRoleAssignment } from "../resources";
+import type { ZtaRemediationSummary } from "../ztaReport";
+import type { OwnerConfidence } from "../../ownership/types";
+import type { PermissionRiskLevel } from "../../risk/types";
+import type { EntraServicePrincipal, EntraServicePrincipalType } from "./types";
+
+export type AzureIdentityRuntimeEnrichment = {
+  permissionRisk: ManagedIdentityPermissionRiskLevel;
+  azureRbac: string;
+  roleAssignments: AzureRoleAssignment[];
+};
+
+export type EntraPrincipalPermissionSummary = {
+  oauthPemrissionsCount: number;
+  appRolesPermissionCount: number;
+  entraPermissionRisk: PermissionRiskLevel;
+};
+
+export type EntraPrincipalRbacSummary = {
+  rbacRoleAssignmentCount: number;
+  rbacRoleLevel: PermissionRiskLevel;
+  rbacSubscriptionCount: number;
+};
+
+export type ServicePrincipal = EntraServicePrincipal & AzureIdentityRuntimeEnrichment & {
+  servicePrincipalType: Exclude<EntraServicePrincipalType, "ManagedIdentity">;
+  potentialOwners?: string[];
+  ownerConfidence?: OwnerConfidence;
+} & EntraPrincipalPermissionSummary & EntraPrincipalRbacSummary & ZtaRemediationSummary;
+
+export function isServicePrincipal(servicePrincipal: EntraServicePrincipal): servicePrincipal is ServicePrincipal {
+  return servicePrincipal.servicePrincipalType !== "ManagedIdentity";
+}